|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。! F) F/ a; c) T
" u, N5 X7 E0 Y: u+ }/ W; o
一.准备工作: A7 b p1 F! V. s# p2 x3 _
, |& Y1 Y3 Y! g; N2 N- F( ~# B
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0; q. k. X8 n7 W. L6 p( ?. K
. W( G4 P+ k! @
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
+ j% \5 C" V! Z: [; }
8 N. p+ l, ]' \; ^modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz6 k7 j- ? w' x, V6 r5 F. H8 r5 Y
& H- ~" o& Q/ |: p& Q$ X% BOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs) |3 n' `- ? R: Y& {3 _
$ |8 I3 h: L8 U, {" Z0 G
依赖关系:
/ ` C' `( S- D6 Stengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:2 W6 K4 J$ h* d- y+ Z& i3 R
3 ^) W' M" V& R M' N( z5 t5 T
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
1 o$ q1 @/ ]; r& w+ Z( dmodsecurty依赖的包:pcre httpd-devel libxml2 apr2 c# U4 |& Q0 W
8 D2 W9 t3 C0 f) b8 Q& {( Syum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel- V/ N( w( e+ |7 _5 r7 a
二.启用standalone模块并编译
7 g) }% }9 K6 O5 y: u
G+ ~4 S$ g" \( ^! |! P/ N下载modsecurity for nginx 解压,进入解压后目录执行:
/ Y) T7 _5 O4 H+ Y* y' l, Q) G( I2 w2 S. \
./autogen.sh
6 L1 z# Z7 C. H# G./configure --enable-standalone-module --disable-mlogc
9 S2 q+ S1 ~$ ?make ) F; l; y9 p1 w9 N: C
三.nginx添加modsecurity模块 \# N4 u( ^; E: \
( U- K/ p$ [- ?" A在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
- a% q3 D' M! u2 c) X, {( B" R
9 L/ J/ {7 T5 H* B8 K8 \" {./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine+ T, y$ k& G5 H: ^# Z
make && make install
0 C$ T6 C+ o. d) i, G4 V& c! V四.添加规则+ v) b0 U" A4 k
+ J% g d( t8 F4 O8 C
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ S/ J1 w. q2 d3 E) m# i8 E0 \% O8 a. C F9 {* D
1.下载OWASP规则:
, d1 c: @# Y) N9 S! V, c9 H/ b4 g& q! }& z( a
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs S. Y6 P1 }3 N7 H& Z k
9 x, p8 N! X8 Y. A6 B
mv owasp-modsecurity-crs /opt/tengine/conf/
3 n, }, r/ o' s5 B$ \: Q
7 x. C5 g0 s- V# I$ k! u+ q( i6 T$ bcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
- `0 v6 m$ S3 g/ i. r$ B2.启用OWASP规则:7 j8 \% k. W. P; C: p
$ s' Q" T( e( s3 P3 j) J
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
9 \) ^% I6 y5 J9 a) r3 h, Y6 Q
5 j4 u7 m! Z; S4 f, \编辑modsecurity.conf 文件,将SecRuleEngine设置为 on4 A3 O% ]" n2 q/ @" H5 z
1 f) G- ^! T9 v
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
$ ~& |, _$ \! Y0 l- e% w y2 r! H# x0 f( Q
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
5 c7 e/ @' q- Q! y3 B" z. jInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
9 E5 x2 {, A* b7 k0 [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf: m$ `9 T L; U9 C2 K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
|- v* M& Y& m! @Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf3 X7 E5 ~$ l+ X p( c P* j6 `
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf, f2 t y0 w; P" E! J2 X: J' i
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
3 y6 h; A0 O5 P五.配置nginx% f1 O2 i M' a. M7 x/ p
+ M! Z" n+ V% t5 b# b0 s
在需要启用modsecurity的主机的location下面加入下面两行即可:
9 m. j! l6 u. D* f2 P" Z: y( B$ Z% a) R5 B
ModSecurityEnabled on;
4 H# A5 K0 s9 YModSecurityConfig modsecurity.conf;
) P' Y' A. O, E# |) b下面是两个示例配置,php虚拟主机:' X4 g, z f: Z; V4 a5 A
_! K& T! ?9 }4 F" t; e, Tserver {
4 n) ~0 a0 e8 k) e1 [$ Q listen 80;6 N/ B7 C: G7 X1 c3 D# B( U; X
server_name 52os.net www.52os.net;5 T$ J, m9 u$ ^" x; D7 S* t0 s+ M
7 |% I9 t6 m8 `$ t S8 F6 p. N
location ~ \.php$ {9 F* `4 S1 H( p2 s, @& M0 [
ModSecurityEnabled on; - e' ?6 P$ n7 G' Y# k1 f# N4 E
ModSecurityConfig modsecurity.conf;
% l3 p; [' z7 H5 @: y8 W& ?1 J' s- B5 H0 D' @7 u
root /web/wordpress;
. J$ k9 E; @9 y/ U& y index index.php index.html index.htm;
3 U9 y& L4 v1 `* V4 n ; s# j# [) b/ }+ w% ^
fastcgi_pass 127.0.0.1:9000;3 N8 R0 t# ^1 y! X" `$ v
fastcgi_index index.php;
+ M* f$ W- [' }5 H% D" i fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
L- f& B3 h+ x( x! h5 M9 n/ [ include fastcgi_params;
) Y+ e6 C3 t4 Z1 o }& a1 L% R1 {! R$ Z
}
, d; m$ `( W; X0 Y6 u- U5 V/ mupstream负载均衡:& Y- U" m; Y- ~. }8 b0 c; s: T* }+ C
+ J3 _ z) s: m' E! E7 k
upstream 52os.net {
' ?; q7 L( [' k3 R1 w server 192.168.1.100:8080;
! y: B% k- i4 o server 192.168.1.101:8080 backup;% N/ G! S- F' p5 @, ?( o
}9 z! y8 u: O1 V. E
: x1 y: L8 r" Q) g8 w, i9 oserver {
, q# e) Z9 s: I: [listen 80;
9 d1 \5 _6 C2 w- M5 \. rserver_name 52os.net www.52os.net;
+ A w! x' r& j+ ?
+ |, S0 G+ F P! Y; \location / {# u W( r# q1 L# g9 Y
ModSecurityEnabled on;
C% y0 B! e/ d ModSecurityConfig modsecurity.conf; 8 B1 n4 V7 T: b# q" O
' Y; q0 }. L9 a! D6 P8 x
proxy_pass http://online;+ ^9 s! A7 E1 h# Y: P, e) A7 \) E
proxy_redirect off;5 j; Q- d& N. C( _. x2 R
proxy_set_header Host $host;
! ^& j$ _" U6 X5 A proxy_set_header X-Real-IP $remote_addr;
Q% C; J$ _* D9 [! y( S- ~, { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;1 F, F7 ?# c9 H' q8 m' U1 ~
}
) M1 t9 a5 X0 E" X S. ]% [6 D}
% m g, s7 k) q2 A六.测试) v! i. ~3 S" W Q9 X0 L2 u7 B
# N- c' Z4 @7 F& t n" Q我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
! s) J; h' c6 d* v% F! @% }2 P& S% f5 s3 ], f4 k( R, M
<?php
; M: A% |$ E+ b8 R phpinfo(); 4 _3 M' d) M" A: B P
?>
/ t6 C8 ]0 V8 }7 j在浏览器中访问:
$ g$ O5 |* l& a! }3 s
$ T4 m/ @& R K2 ~. ]3 x+ Uhttp://www.52os.net/phpinfo.php?id=1 正常显示。
' S! Z, H4 i$ L$ Q ~- Ihttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
, C# \9 F% l) M' O7 [http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。: a4 p9 V3 A3 W- [
说明sql注入和xss已经被过滤了
, s) P& I/ J2 F8 _& _
" h0 s) @2 x) S4 @4 @- }七、安装过程中排错
: G' e1 n1 _1 A& s
6 l1 F4 }5 K! Y1.缺少APXS会报错+ z6 r# w* t; v! E ~
! [, W j1 e% M7 V R, C# Econfigure: looking for Apache module support via DSO through APXS
, h: {1 x& A2 Kconfigure: error: couldn't find APXS
& n2 O' M: |+ t' S. ^apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。 H R0 Y" z- x+ c9 a* A; v3 [3 y/ W
解决方法:
2 i; v4 U% h5 q5 m7 r. q1 G" E6 V9 t/ j$ v( j T' Y# M5 w
yum install httpd-devel
/ H4 \0 W/ w3 w4 L+ A: D! s8 P0 D( v2.没有pcre
5 Q0 V) A; J+ d b- ~) \
9 t/ A% r; f! z; cconfigure: *** pcre library not found.5 Z9 @, F& K Y6 c- ]$ Y
configure: error: pcre library is required
9 s* x% l w" A5 V: l解决方法:
$ I- }/ ]' B( r/ ?$ x; \" r1 y- t! {0 o: Y
yum install pcre pcre-devel
' i! ?9 @) s$ `( Z, j3.没有libxml2
8 T) X4 M1 L$ y3 K Z G' j; X4 Q
# b9 s3 \( U2 ~
configure: *** xml library not found.4 H: Y7 V( m+ p' r
configure: error: libxml2 is required
/ D( s! k& V7 q: C: Y' B解决方法:
) R* b. F) n) j$ O8 g1 a- H, t
1 l6 p; H/ ]. }9 Byum install libxml2 libxml2-devel8 H2 H; Q2 C) C4 H4 G8 U2 x
4.执行 /opt/tengine/sbin/nginx -m 时有警告
8 _: b2 H: ]5 |4 X/ x
( {" l- q6 h' ^8 ~/ BTengine version: Tengine/2.1.0 (nginx/1.6.2)$ s5 [8 N5 a- b. S
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!3 `0 d4 Q) R5 Y5 i, [* W- W& D, C
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log$ d L" e# i! _
/ F9 A+ Y/ {7 ~1 q, q M; e, T2 o2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2 W% V* \( Q, s% i! [2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"" u3 s$ I7 n( W, L3 \, r; H. E+ ?
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!5 l6 H1 X3 u5 B _* G$ f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"' S! k+ U9 c |' t$ D+ d7 [1 ^
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"1 i5 k: R5 h0 a2 k! Q
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.6 x$ l; L! Q5 J
解决方法,移除低版本的APR (1.3.9)
, J& ~- o% Q6 |) I* ~
& U2 j1 }/ y3 q- J, S! G$ Gyum remove apr
! @0 a0 z: v* }% C$ v/ j5.Error.log中有: Audit log: Failed to lock global mutex
8 ^) ], J' a; G8 `0 D8 D
7 }8 y" l3 }' s% `/ e2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
# u" s. `4 R( F8 N4 _+ ?0 R9 Sglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"] x9 n& z. t( X" Y x M/ T
解决方法:/ @- z1 g. U; }, s0 J5 u
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
1 l$ p G* R$ g4 X: A+ Z6 r; a, x1 p ^2 a* ?
SecAuditLogDirMode 07773 ]9 C- Y7 o H5 _- Z( L8 T4 ?+ `, ~
SecAuditLogFileMode 0550
& E% @( F& p; C3 G7 b# l2 h6 VSecAuditLogStorageDir /var/log/modsecurity
; U! M* w" s7 q! s% g8 zSecAuditLogType Concurrent) c9 R* G; m* F3 `& e( C
参考文章:
# s% s- S' D/ r9 M3 f0 ?https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
$ t3 `' `5 T2 s) a: O4 fhttp://drops.wooyun.org/tips/2614 |
|