|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。, D8 ~/ B. `* p+ I3 ]
l. P) M# j1 l B+ p
一.准备工作
t4 R4 q1 g. R/ S( p5 z
: O2 Z5 p" B8 H3 i( h5 X系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0 g% {. ?5 m1 n8 I
: S# i8 H0 L, M8 m) s, \2 a5 atengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz1 g7 B. U& I. Y
: Q# h/ Y% P$ w7 a! {6 y
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz. s- R. f) b4 D' d
# P3 H2 k. C: r* X: A
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs" D' p8 G7 M0 q7 Q& I+ \8 r7 w
# o5 U% D2 l- ?0 h) w2 ]7 \依赖关系:
. r8 C9 ]- y2 m( e. Ltengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:& o P( t: J7 }9 i" n) d+ |
- q1 n0 T; v. r) a0 g4 T
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
8 M% K0 ^7 C# ~, \7 b$ u0 Y4 @modsecurty依赖的包:pcre httpd-devel libxml2 apr
3 T$ w2 p& i( ]4 ~) ^( p5 I+ n7 y, ?0 m4 Q* @2 u7 P" n1 i+ y7 F
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ ]9 J, o! J7 E) [/ v
二.启用standalone模块并编译+ o$ N5 t, Q- ]/ P
" V8 C% S9 w- W' x下载modsecurity for nginx 解压,进入解压后目录执行:" h" n% p J2 ^9 |& H8 L2 z0 f4 N
6 D, S9 h" H8 r7 p# X
./autogen.sh
" [, i% J" ` P" @' x5 X e. I./configure --enable-standalone-module --disable-mlogc5 @: e. a- K9 d% C
make
$ F3 Y# q/ y' r8 A' o' x8 D三.nginx添加modsecurity模块! k; B& ~# u& c" M Z/ S/ B
" |9 D! A8 S- k+ x6 F' q在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
+ h0 \' u5 r6 _. R
9 A. e$ j$ N0 v/ V7 O: V1 [1 R* k- Q./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
# K7 t6 x: s6 m9 N: z2 amake && make install
7 M- \' J1 g& _+ |9 E四.添加规则
, v0 r, s/ j9 ?9 d7 v5 ^' C
# a& [! |) x0 |/ ^2 V9 h0 dmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。1 [ B. o" o$ z$ {. p t" B
/ C+ L/ r' w+ Z! ^1.下载OWASP规则:; Q: G* q/ _3 h. u/ I1 q
6 P ]% O# p6 I m# ~! @, R; c8 P
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
- l& d+ R6 k+ }; f) f2 _3 I
8 Q. Z( h/ Q- x5 ^mv owasp-modsecurity-crs /opt/tengine/conf/
0 x/ x/ I3 W5 U5 a
2 T* g6 G; w; N- e A Q: \9 @cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2 ?6 U# D8 C& R: U2.启用OWASP规则:
$ Q. O/ ^5 Q( @0 d( A% m |+ z; n- B+ v$ g
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。, e5 M; W/ |3 A9 p
2 x3 q e; u5 R# m
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
- g& |, B; B7 r9 Q
" K3 w8 Y `" P6 h" R& [1 V, Dowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
6 p5 ]7 X0 f+ P( q; @) w: @# J+ E! A) p; {. L* R
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf D ~7 b; n$ B( E# _
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf' _& q( p6 p. e; v
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf6 Z( D1 |2 c; C/ l# l; E: X
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
3 `* ~% H+ s A; n2 V6 b3 ?Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
7 ~* }: g! [( |! `- Z1 UInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf A! L! @! h5 Z+ C
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf! Y* C4 l. z5 \) N* p& @
五.配置nginx
. K, e4 R+ s' o* R U) s' ^2 |+ K4 o8 Y
在需要启用modsecurity的主机的location下面加入下面两行即可:
' i5 D! r% X% |( Z8 o; b7 _* X; k4 M' e2 y5 e @
ModSecurityEnabled on;
0 \7 T( @+ o$ q9 i$ C! n9 uModSecurityConfig modsecurity.conf;7 U8 C" n* \- ^ j! c% _2 O, _' g
下面是两个示例配置,php虚拟主机:
+ m0 r9 G i* ~9 ?; N! @8 k9 T* s
5 o! G) ?# @$ Z$ E* l. rserver {
! X5 ]1 ]- q; I5 z; y& O' G. a g6 V M listen 80;# E7 e& u$ M1 J2 c' o
server_name 52os.net www.52os.net;) d' C+ Z" k1 h, S$ Y' }
6 V j% ~2 V% Z' U( z
location ~ \.php$ {
$ d, b8 T5 n4 Z1 d3 a+ i. K, D ModSecurityEnabled on; 1 ?' p! T' B# u* ^
ModSecurityConfig modsecurity.conf;1 m% z5 W- T1 }
+ m7 Z& d! u$ I3 ?1 S2 o
root /web/wordpress;2 |5 V* ^) h R9 g: D6 H
index index.php index.html index.htm;* H0 i) g. a$ g- g0 t$ H
/ K6 D3 ~1 I; ~/ U h
fastcgi_pass 127.0.0.1:9000;
/ D/ r: u" Q6 r2 t) g' a- [5 ]: t fastcgi_index index.php;$ s; D- _0 C1 S; K8 x2 N) M4 ]
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
/ ?% {8 B% G6 h( S3 @) O: |; _( ` include fastcgi_params;% W8 ], ~, Z, _
}+ ~! A. s' w" v: Q' d! F
}
! u& {( Q, `, f, m0 N" y7 Supstream负载均衡:
+ B& L6 C4 b1 ~9 e
; [0 }7 P/ Z' f. x- R6 Tupstream 52os.net {9 y9 N% f5 g2 E% O6 Q
server 192.168.1.100:8080;* o* x" F7 b" ` B
server 192.168.1.101:8080 backup;
- L% m/ y; O. E9 N# s% J6 D6 `$ j}+ D: u/ Y$ I4 [7 y* \
4 L* |, S4 N& S a; c1 X
server {! j0 ^ a3 \2 H' ?+ m4 \& a
listen 80;. M0 `# H5 ^# f( L
server_name 52os.net www.52os.net;# e ]) C* C. [7 e, }7 d
; B/ B& [) c! p; `location / {6 q# i* A" J0 b7 ~
ModSecurityEnabled on; . v3 [6 [( K% f( f' o" c
ModSecurityConfig modsecurity.conf; 1 _+ n; l/ ~7 ^
6 H# }6 h" @; t. r proxy_pass http://online;
! e* Y1 _3 w0 d2 u" } proxy_redirect off;- U' Z6 n9 ^# M
proxy_set_header Host $host;
9 `/ n4 D. c& p proxy_set_header X-Real-IP $remote_addr;# O0 T% }" {- G i! e
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
8 G% h: M5 u' a. g% E) U) x }
5 D/ J8 t( V% a1 p& G}5 N0 b7 q2 Y' }" g
六.测试8 t [- r9 ]: N/ ^4 ?; K
% X3 U/ N* }- g+ V% Q我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
, S2 V' O6 P( ^$ Q; [+ c: A
3 T! R$ M3 h$ g; }% m<?php
?2 y' `& ^8 k b. }. S9 w- ^ phpinfo(); 8 ?+ p! M( `' ~; S& {# X
?>9 J( R7 N; A+ f% a$ H5 f0 a! M9 M0 M
在浏览器中访问:
9 x" c1 ]7 w: ?8 s8 h$ r D( e
9 y8 N* a# i3 o' I9 K" fhttp://www.52os.net/phpinfo.php?id=1 正常显示。
4 o# Y& Y, I' s! q. l1 u7 Uhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
4 R. {0 }5 m; K0 b$ o% uhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
' t7 w/ S3 F, S; E2 C说明sql注入和xss已经被过滤了; |2 k: {3 g0 U/ P
0 D+ }0 ~/ Q# _# t7 e# V" t d6 \
七、安装过程中排错+ A$ ? t- |& i, L: Q4 F6 ]; t5 X
& Q4 N/ g/ `- n) N; d+ [0 g1.缺少APXS会报错0 f3 W6 n8 C6 a. [4 G
& p0 V7 N. {) F# C/ [ qconfigure: looking for Apache module support via DSO through APXS
: {8 x6 W& O' {configure: error: couldn't find APXS
3 q7 J5 M1 M2 ?apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' N8 W+ w/ z( z7 X. u解决方法:' N5 `& ~0 i- R% u
0 Z- ^7 B, W) d( o( v
yum install httpd-devel5 f- Q1 ]2 A% K& j5 w" Y& o+ e
2.没有pcre1 s) f, h Q# l t
$ ?0 S s2 d rconfigure: *** pcre library not found.- k- g, r5 e( B) Q/ c9 e
configure: error: pcre library is required4 q/ T M* f* S. |+ _
解决方法:: i9 V& n" k* }' i! h1 F
/ l; I2 B: _5 ?! O- L9 Pyum install pcre pcre-devel# q: D I5 s3 C/ v4 N- W
3.没有libxml2
5 ?( A5 U! W( r6 L: Y' s( g
p# @! I. z8 Y' D/ B
( h& u! g6 @% Q/ P4 ?; Z+ Dconfigure: *** xml library not found.: ?0 K2 ?- B. E* k1 b: L2 g- [. |
configure: error: libxml2 is required6 I# J, c9 l/ F
解决方法:
" @* `# H; r1 I* Q% s M) X
! O1 q* D1 m# K) Myum install libxml2 libxml2-devel
, q$ c1 d5 e8 o. l3 A" f! m) ~0 B4.执行 /opt/tengine/sbin/nginx -m 时有警告
7 E% O3 o5 W8 N9 [' {5 i
: l* w3 }5 r O- `. E& lTengine version: Tengine/2.1.0 (nginx/1.6.2)5 }5 N6 v- P7 K6 F
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
& T' U# |1 Q3 b0 L( L原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log' B5 W6 E# ^" F: ~4 I- u
$ G! R4 g4 P* G$ s% a
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.+ X( B& z6 X& x2 V! l4 B
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
- k2 h$ X! H) B" G. a% }2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!; Z" S9 ?8 _+ `/ r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
& O5 `, T) z/ A, ^$ d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"( b4 s, |; U8 Z- H
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.) U9 t- a: C' w4 o w! z- M7 u% i/ z
解决方法,移除低版本的APR (1.3.9)
1 F% q. P+ E+ N3 _0 o! o. K D
9 q3 w/ |; g6 s9 i) w& dyum remove apr
* Y- k8 S/ A2 k/ S! C$ w' g; x: w5.Error.log中有: Audit log: Failed to lock global mutex; Y* d8 s, s7 S3 |! u
7 f5 h9 y$ i7 _! E
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 5 g( h2 ]" d& o! ^) O% Z/ e& d
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
- ]% z, C: V( ~' M3 A3 C解决方法:. z' a. K' q1 j6 Q+ h% h2 V( d! i
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:& k! j7 E* @# }! X t0 h- W L
/ w( `& q+ {8 K2 X5 ?
SecAuditLogDirMode 0777! M7 ~( q; I# ^4 ~
SecAuditLogFileMode 0550
1 e% g( m# g7 V% _5 TSecAuditLogStorageDir /var/log/modsecurity1 X7 U: e2 f2 M) [7 ?
SecAuditLogType Concurrent
+ |- G& Z9 q2 S* _参考文章:1 W5 \2 l& L, T% ?3 z$ \/ q
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX; W" \8 `' X% ` e
http://drops.wooyun.org/tips/2614 |
|