|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
8 I/ C: E# {: U9 ^/ K" v5 S+ r/ h/ @2 T% a
一.准备工作+ u$ h2 w; D- F; A* I
* E2 U; P3 J& j+ Y4 g' {+ ?% `
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0& t; x# N% D- B6 b7 v
! ^1 V8 }* ~0 s# V2 `
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz; U/ C; N8 h) C5 x* e
' F. ^5 S; A7 s0 Z
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz7 s* d0 U8 ]: P$ s6 {- R: @/ V& K( O4 m
. l, X) x3 H* o, f/ {6 }OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
! C* _5 d4 \* k3 }! }5 I5 q2 N0 C! ]3 V" c2 s
依赖关系:7 @+ {2 u% [$ }$ c& l9 Z8 ?* _0 E
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:% L* R) w2 H! N: {; L& _
7 i) P0 e* L& i, H0 q* G3 D6 X# j
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
7 l) n; B2 S* `: F+ q7 kmodsecurty依赖的包:pcre httpd-devel libxml2 apr
" S# K8 u( B5 l# o9 a9 G
' C- f. s! [( K7 s# pyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel; {6 U2 @# R- y5 B6 {
二.启用standalone模块并编译
% e8 {* w& o! Z2 M! g0 ~& R" i+ x
下载modsecurity for nginx 解压,进入解压后目录执行:' l& P& O2 p: m, p/ e. ?6 C
# [$ O. K. e5 V2 `. F! p% ]# w! t4 A
./autogen.sh: l. a: Z: q: }4 h+ i
./configure --enable-standalone-module --disable-mlogc
6 J3 G" E, N1 Z' {) O: C. V* Omake
+ S0 W0 F: C$ H7 q4 q1 N# T三.nginx添加modsecurity模块8 w- t# J% W+ h& g7 V
6 `- o& {! I: R6 O- b在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
& R( v& Q. _% B' B2 K
; a% F- R( [, Y./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine. c3 i* _. p/ W, }
make && make install( `* X# I7 Z/ S# [# }$ x% _
四.添加规则6 Q- {+ M0 F5 G0 d
" ? \7 {4 B7 ^% v8 X* Qmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ q) I5 \ E3 ?6 c( m1 i# `% x0 m- M
1.下载OWASP规则:9 _; x0 M( W( H, t9 { T' p
) l) }: N7 ?& _! P wgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs4 P! N! v2 W9 v) `. y
1 O! ~" B% [. R5 [! W- ~! [# lmv owasp-modsecurity-crs /opt/tengine/conf/+ W' \1 O, j' B0 q/ x1 u
. q F Z y/ acd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf# q. v& Y `( l! O8 [
2.启用OWASP规则:
0 V) l9 r* N X! K- A) U& o8 y( l5 b6 c* J! ?, h& ~- s) H' g) ^
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
* u# U# j' J# _9 \5 d$ o
* w K) E9 F! ~: R- A6 X$ a编辑modsecurity.conf 文件,将SecRuleEngine设置为 on# @1 |- r8 }' N+ Y3 l/ f1 p' [& `
& }5 T$ O; x! r7 W7 c M }owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
/ t. d% t2 f6 a1 X, f }
0 p r6 d4 m, |1 A w! v* ]0 j }Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf# _: U; M1 l# @' c" K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
) ]0 Z( O. B% cInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf) C7 C) \3 F9 b' c$ t3 `) K2 ~3 a
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
1 }% t6 ^7 B- {# i2 F& k+ [Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf+ [. v/ V1 j) z* G2 T
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf6 `3 ?' x" ]0 ] J. o; V
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
' ]+ L+ k7 u& o五.配置nginx2 w8 I$ I! u& R' @1 P
% u# p' m4 [" E! K5 R$ k
在需要启用modsecurity的主机的location下面加入下面两行即可:$ D3 ^' a. W$ g, e$ |+ A6 w
+ ~2 f: j O. j: tModSecurityEnabled on; ' ?5 G* }/ ?+ q- x7 L1 t
ModSecurityConfig modsecurity.conf;
- u' j2 u" C5 Y0 M% X' H3 B下面是两个示例配置,php虚拟主机:# Q' W* A5 h9 Z* b! _5 \% X
$ E: S8 [9 U3 A) yserver {
+ T1 N: B! H; a5 X9 t listen 80;3 q$ B0 H+ Z& y. M( q
server_name 52os.net www.52os.net;
" a6 G1 f/ @% H* Q : U4 b) ^/ x' H6 X9 T
location ~ \.php$ {
}4 R* m& b. F/ Q ModSecurityEnabled on; 1 z- m6 z6 Z7 \; ~
ModSecurityConfig modsecurity.conf;& C6 G7 O0 y( C4 Z5 C- T
8 y+ d9 x1 B2 e( n root /web/wordpress;$ \0 y5 y4 {' }$ A9 h8 \
index index.php index.html index.htm;
: o& p* m8 Y& c4 ~% \
4 w- ~ [; [) `5 y fastcgi_pass 127.0.0.1:9000;- ?+ G8 U% w N, ]1 F) d5 `
fastcgi_index index.php;
( u z# A p9 B ^3 Y8 `1 c fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
9 s& J, i6 K! d- ~ include fastcgi_params;
: H6 J% T- e% C6 B, Z7 V }/ Z) a! [( R3 z1 @
}
# P9 G2 c3 G- t; w n% i4 V% p/ @- u+ Mupstream负载均衡:
5 x4 W7 e! Q; @7 @
7 j$ P0 k' m( P5 U8 c* @+ gupstream 52os.net {
& J, F% ]9 H$ b. r server 192.168.1.100:8080;
6 t8 S. E% z; W, O9 |2 j# a j( X server 192.168.1.101:8080 backup;
# [# t1 N# @6 z* I( x}- U/ t4 T4 |+ w% J
" c. }7 y5 ~$ _6 Hserver {/ z1 {, O1 X# |6 l
listen 80;% p8 ?) _ E. J- K
server_name 52os.net www.52os.net;% E k9 m; \4 p2 W( }+ H- C" s
( i; }# N" n" J8 N5 }location / {2 g/ a \1 I% y! i2 J1 T
ModSecurityEnabled on;
- {2 Z# d+ n+ z2 G ModSecurityConfig modsecurity.conf; " A( C9 b# }8 `8 e3 S/ E6 w
5 p+ Z0 J3 d; a# Y
proxy_pass http://online;
% \) M- u3 b/ ^ proxy_redirect off;" {6 d' {3 H e% q" y( t1 R
proxy_set_header Host $host;
; I, }" ^" ~7 s- N3 _ proxy_set_header X-Real-IP $remote_addr;
: g6 t" U3 x) A3 I' M( P% x$ t' T3 h proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- x) [! } ~6 y: X) a: E5 B1 H }
7 t6 ?7 h$ N+ o4 n2 n7 y# F; W: ~}
9 a1 y9 C0 t8 K3 R7 v6 J/ t六.测试
8 ^/ R9 |: `) |4 r) D# j. S3 @- |- S! q/ T
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:$ k: X' ^' N* m8 o1 r o- g3 _; {
/ h7 T2 P5 e) p/ t; L$ h3 b
<?php& B0 z5 _6 X1 a
phpinfo(); 6 \/ Z& N# \4 v
?>
* M% h6 T! Y/ R/ | f5 c. a2 _# @! S在浏览器中访问:
* B) w! h$ U$ q$ |7 X, h% y* s2 T8 c- i4 j
http://www.52os.net/phpinfo.php?id=1 正常显示。% Y3 A; w% S4 I; s
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
& d# l5 _7 U$ Dhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。# Z+ Y9 _- `* K f- |
说明sql注入和xss已经被过滤了
6 x. S/ t& y7 L1 V& ?$ w. [/ v) V. v! H; U7 r
七、安装过程中排错! K1 T9 c% E% m( \6 C4 Q% j5 i
( z, u# Q% Y8 v( c. b; A! n$ R# v7 D1.缺少APXS会报错
3 o6 |1 ~; e) W: o% P
! s/ p( K5 U$ G1 p; ` S& `configure: looking for Apache module support via DSO through APXS2 J6 I' W* n# s% U
configure: error: couldn't find APXS
5 O; ? {) V j6 a& I- vapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。5 w6 {% h" q$ a) p7 N
解决方法:
" C- z$ Q& C( V: p6 X4 |4 V1 [( ^+ V, k& x4 Y! {
yum install httpd-devel
! i3 k: Q. P# H2 ~8 T3 X2.没有pcre
k9 [7 Q1 R" A0 L7 g3 R! E4 q7 j$ v& i$ C, a
configure: *** pcre library not found.
; X9 M: J2 O; m5 Kconfigure: error: pcre library is required5 a9 [- Q" X, d) x, C+ E
解决方法:
2 y7 v/ C+ K- h$ ]! b4 f. M, m' b2 W: ^# z" P& [$ _$ c: V
yum install pcre pcre-devel
}+ A; _3 N# v) _/ h7 Y4 y% F3.没有libxml2
4 W/ N" C" K9 T0 Y: i6 q' l
3 f P) S: J0 U; Q8 ]0 X, [' W
$ e# Z6 S$ H, \- Jconfigure: *** xml library not found.$ O9 {. F1 p7 A2 a
configure: error: libxml2 is required
/ q- c+ s! m3 H7 V t2 }5 \解决方法:
6 S l- V* T* S" K/ W8 ]' I4 N' I3 y% a
yum install libxml2 libxml2-devel
4 }" P& V5 b k z5 J4.执行 /opt/tengine/sbin/nginx -m 时有警告
x6 K/ Y: X% B. L0 w& n% k. H. ~( H; l* n
Tengine version: Tengine/2.1.0 (nginx/1.6.2)& `. f% k' C& K& Z* F2 S( Y& l
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!5 F; p$ s4 C9 D+ w, G* r+ A
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log$ F& _/ ]- Q3 ?
1 W0 G2 F! ? l! A) Y3 A8 B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.% A5 X0 e) Y; q# i4 V0 _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
, D, x5 v& Z; u2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!. o+ P$ e5 G" l* Z9 Z3 m
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"3 S9 v0 ]: ] X; h
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
7 b( I; x: V3 j2 E: c2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.% B- I( A4 p. H, d
解决方法,移除低版本的APR (1.3.9)1 N5 U$ B6 O* h: l( K- s2 d
0 Q! t. X# K; ]7 Gyum remove apr
. r6 T; D1 }8 l1 |+ x0 j9 J4 C5.Error.log中有: Audit log: Failed to lock global mutex
& ]# t F- ?6 q+ x8 Y1 c
- p2 |( Y! R( D2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
9 y/ `+ c2 \! `! R# tglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
+ m0 s4 S1 L) t/ u1 H0 m解决方法:
2 D& p; h' U/ D$ t& R' W2 g, _4 ]编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:1 X" [" ?& k" k# R9 P( i
" z+ C5 R8 ]) I. V( uSecAuditLogDirMode 07774 j3 }; o7 w6 J3 C! p4 C r, d
SecAuditLogFileMode 05501 H" x- I1 d" p3 Q3 W
SecAuditLogStorageDir /var/log/modsecurity
/ d) `$ z# f6 C6 pSecAuditLogType Concurrent* }1 k" H7 d; ^' c$ }
参考文章:
. E$ {6 o: m# C7 x& @5 Khttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
/ S- `2 r0 v! J9 uhttp://drops.wooyun.org/tips/2614 |
|