|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。- R* A0 Q6 P9 `0 C2 ]' s
0 }+ y4 u8 }/ ?
一.准备工作- B/ K7 m- H/ I* H; D
7 C( f8 i& ^' y# Q
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0, s1 X+ L- k% z/ s
' V) v3 f) y' X3 U$ |* s: ]# s* ktengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz' h* ^( k+ E7 A0 I
7 x& Y5 ^: F% Cmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz2 g2 _8 M7 _8 b6 M+ u
h' @% h- I* O1 p. x
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
9 Q6 `, A9 v8 v/ J6 ?: }+ ^0 X; V# Z( J1 _0 J
依赖关系:6 g# U' b; s# _* j Y
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:6 J# u! D( O# t, C+ Z0 x
3 e$ e$ U. b6 P4 g& M. K% }9 u
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
: v4 Z8 `6 G' s2 ?2 J! Vmodsecurty依赖的包:pcre httpd-devel libxml2 apr
( w( y7 R2 w' N; \6 ]& P" u7 C- m: t8 K
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel" C( z7 H' h! i
二.启用standalone模块并编译' S2 ~' m5 X1 ^, P9 e' D, R4 F
. `8 O) q3 Y$ t; W0 y) o下载modsecurity for nginx 解压,进入解压后目录执行:
- ?9 E0 k1 S- N) l, H. t* V( k) N4 M: C9 }/ m
./autogen.sh
+ A1 E- k. w5 ]7 ?' a+ O./configure --enable-standalone-module --disable-mlogc
4 {/ Y1 E) b5 B) @: Q0 \+ amake
9 J; A; D5 N) ]# V三.nginx添加modsecurity模块
4 Y" N* u! ~3 O& Z @( y: `) l( Z% @; c' B. c
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
, G3 P0 n' R# A2 w& J4 ?/ }, |3 t0 [, Q5 @$ U. r( E
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
' b. P& R5 P$ t* N0 G/ x2 b, pmake && make install; e! ]3 I, l* E: o& k
四.添加规则8 n* R7 O) n/ ^, T4 P2 m3 E
# a0 ^6 O; o# ]
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。2 v5 e9 n" o/ c( ^+ J
6 i' B; r& N( d7 y8 `& j& s1.下载OWASP规则:
$ M b: ^7 P0 W, d% @# ]
) @7 ^! i' U Z; Z: Cgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
1 V) j) S4 c, d2 g. ]3 a4 f2 a& \% L, x" N7 F
mv owasp-modsecurity-crs /opt/tengine/conf/4 `& ^/ N" P. _4 C
6 q) G! S, ~2 M8 _7 J$ }cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
/ Q5 s. j& l! J2.启用OWASP规则:
% }; q. }* H1 \1 l2 s
+ O/ M6 ?& h+ N6 q/ C复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。7 h8 [% H. n# y" T! V, ]
9 _; P. B9 t2 }编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
; r9 E( `: m0 a1 E3 z; Y
: W% u+ m6 ~3 M. n. U1 Eowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
7 t( f3 a8 x' g; N" B" ^% P6 O
7 T# }% n$ O4 RInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf; b0 L* ~. A$ [
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
6 q7 b& w0 v4 e7 F% GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf' _5 H- \% Z. }, k3 G
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf: `6 x7 c k1 X/ S
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
0 \4 @7 \$ U F+ gInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf" C) X% f7 x, C. Z
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf+ u% K9 a. h5 b( y
五.配置nginx
; F" S4 G9 a A: K7 D+ g# E( U& g& z6 e L2 r
在需要启用modsecurity的主机的location下面加入下面两行即可:
) q' ~. A) g# B4 e; x& f' @7 Y9 A8 d1 m4 S [2 }
ModSecurityEnabled on; 1 R2 |: T& p3 ^, \
ModSecurityConfig modsecurity.conf;- [: S3 a8 P8 i; O8 C0 i, x1 K
下面是两个示例配置,php虚拟主机:
: v6 T4 y8 ]+ |7 N4 Q& G& }3 o4 q$ y5 I7 C: {% C' a# p$ l
server {. A4 H" d4 h6 ]& u
listen 80;+ [$ E0 i1 n4 F" Y! s x& h
server_name 52os.net www.52os.net;
+ e# c5 q- v0 C( B! b $ U3 I7 {8 ~( V. o7 X0 `1 U
location ~ \.php$ {" I, u7 g. M# s* B0 c# E+ t
ModSecurityEnabled on; 0 f" d2 Y+ v* u: b9 h9 T) r
ModSecurityConfig modsecurity.conf;
$ X& x& X" X H+ s' \ R Q2 _1 u7 l7 p' E5 ^7 S& j5 [
root /web/wordpress;& e+ y) t ?( ]5 G" q0 L7 z8 S
index index.php index.html index.htm;* d5 l1 U* Z# Y3 g
8 P- g1 l1 `* d8 } fastcgi_pass 127.0.0.1:9000;3 z! J0 h1 {% ]. S% ]
fastcgi_index index.php;
8 f: k, S& G6 \+ H fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
1 E3 s, }& _# |" { include fastcgi_params;
1 `+ q# R: s5 q1 ~: Z w }
5 s' Q8 y( F% o9 |- D- b | }6 O- i4 P& x3 R* a: a
upstream负载均衡:
; w- Q0 c7 I$ p2 o4 o2 N9 D% Q ?
upstream 52os.net {! _1 W/ E, ~: v
server 192.168.1.100:8080;
+ y7 ?0 T/ T! s8 I' l server 192.168.1.101:8080 backup;
4 L! u# F) v/ P}
# n; R. i( F4 r
7 S5 a1 _& X* `! F* |$ {0 ~. sserver {
, W7 Y/ J" H& T# ]. r# L% }7 ^listen 80;
, ^1 _6 ^# f2 N3 W X9 Tserver_name 52os.net www.52os.net;9 t! k- F( s# p
_- X. D/ K; G) n7 X. k
location / {3 V, s6 D( X3 X; A+ e
ModSecurityEnabled on;
7 a6 g9 H& u0 j6 [6 D( Q( D" T9 W ModSecurityConfig modsecurity.conf;
' Y) A6 @4 H7 W
: c" y, ^; j% J' |# g( [ proxy_pass http://online;
, V2 m$ X# t- r. [ proxy_redirect off;" K" m" X$ a$ f
proxy_set_header Host $host;# u7 K; I# `. v$ A. }
proxy_set_header X-Real-IP $remote_addr;
" C6 ^4 a1 b. J; ~0 t+ E! b proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;( S& t+ ^/ p0 a
}+ J5 t5 p; a# \7 g0 g( j
}
! ]$ a7 [, ^) A5 C六.测试
) R7 W( g$ s2 }" X2 [* M# s
, F% Z: X, n9 P1 K5 h& |我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
]2 O' i3 ?0 O. K$ H9 K2 w* l4 V' L$ d; m+ z4 ]7 u
<?php; z# q6 \7 g. {) N
phpinfo(); A- g) R1 m# F; a1 D j
?>' a' U9 ^9 R! O5 i) T
在浏览器中访问:) u B0 m. ^% g, j
0 ~3 o) l( R x3 Q7 p1 P9 R3 lhttp://www.52os.net/phpinfo.php?id=1 正常显示。
& L7 V. E/ E2 Z, Y( }http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。 V% U A9 ~8 s8 ^
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。, K. X. [: f5 e, Z4 S }" Y
说明sql注入和xss已经被过滤了) b+ W7 F4 \( y t
6 a; L3 `& c1 y/ t" }: z6 W, c L七、安装过程中排错
+ K8 L3 D2 h% [' W/ r& ~ _6 y/ z' ? I* M, X4 u
1.缺少APXS会报错
+ q3 x b4 B# {2 U: |9 A' H3 H, t( ~
) J. v( ]$ F @& R. @3 H. Lconfigure: looking for Apache module support via DSO through APXS
0 u) k, {9 C2 G3 ]$ X ?2 e% xconfigure: error: couldn't find APXS- p+ ]* B- X2 c2 ?2 A- a
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
: p" v% {' `; {2 k9 S0 i- ], Q解决方法:
4 M; r1 e( Y( h: y ^, e" e1 r1 \$ p, l5 w* m( M" c) @
yum install httpd-devel; W0 q0 |9 U- d. S# L
2.没有pcre
" H P& r- l. m5 ]0 I; J6 Z/ Q4 ^( a7 I! d
configure: *** pcre library not found.
" P& B4 ?+ b( Aconfigure: error: pcre library is required
5 ]# Y" W( t9 v, g0 v" s解决方法:
& Z$ ~- r, y: Z$ h! A0 c
% h+ e& w/ z5 r; g4 }9 lyum install pcre pcre-devel
1 L0 d4 [6 L+ r* c. c/ a* Y l3.没有libxml2 p# P4 `* ~" f+ x
* R' p* A; Z/ ^
. U* M8 A' T( Z* ]configure: *** xml library not found./ ? e$ V0 t# c# b; [
configure: error: libxml2 is required
( S( Q( i( t+ }2 U解决方法:
# Z- c# ~0 Y* N2 l- m, G {, }1 V, k+ M5 V) D% o
yum install libxml2 libxml2-devel. I, q* V/ X$ n
4.执行 /opt/tengine/sbin/nginx -m 时有警告
. M+ h6 l2 }* Q' Z4 j4 L* J$ }
; V6 V, R$ K, Q! {2 G- G. TTengine version: Tengine/2.1.0 (nginx/1.6.2)
8 v, a4 u) X$ I# D" j( [nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
1 Q# k, b" H3 F% A- j( T- P) N原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log$ z# I! m! p$ N* ?) j
/ n( e: n8 x/ o3 z/ _
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
. M0 P: J( X: ?0 ]4 d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"( \5 R; D8 [% J! }; }# w& b9 B
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
5 b$ ^1 D. v6 b6 I2 Q5 b1 q2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
5 `6 i7 P. d! P0 m) }5 p8 }! \/ \2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ X! P. c, M6 X
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
4 Y5 o8 M8 R4 N0 e$ n5 u) U( t; H解决方法,移除低版本的APR (1.3.9)
3 s+ f. \0 D/ K( O3 Y* w6 f
/ b2 j! t( s @3 Z1 H9 ]. dyum remove apr
, h0 n: g; S% q! u5.Error.log中有: Audit log: Failed to lock global mutex
4 U9 C) h: y) d% `# t4 g7 M; Y# I# m/ }9 W2 b7 Y
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock ; k0 L: Y2 ^; A7 Z" ]8 w' {
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
9 ^; O8 i& A$ z解决方法:
/ }# ^, f B( L& c, c编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:( C0 S# Q9 n$ k1 J$ X* M
( B2 N8 c) _. uSecAuditLogDirMode 0777
, S* K( W. `4 BSecAuditLogFileMode 0550& ^, b/ C' w [" {" J2 c5 F
SecAuditLogStorageDir /var/log/modsecurity
" P5 J0 r0 ~( S [* o" k3 E+ QSecAuditLogType Concurrent
/ u. y$ U: t# I# p4 ]参考文章:
/ |, W& M, H0 T9 h* G8 ghttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' C y( Y8 j' T. Q$ H9 I
http://drops.wooyun.org/tips/2614 |
|