ModSecurity started life as an open-source WAF for Apache and noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build

Download and unpack ModSecurity for nginx, then run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, nginx can pick it up at compile time through "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards "/opt/tengine/sbin/nginx -V" should list the --add-module path among the configure arguments; if it does not, the binary was built without the module.

4. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course add your own rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; on a site with real traffic it pays to run in that mode first and review the log for false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include; modsecurity_crs_10_setup.conf has to come first, because it defines the settings the other rule files rely on.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host; note that ModSecurity is enabled only in the PHP location here, so requests for static files are not inspected:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream load-balancing setup. The name in proxy_pass must be the name of the upstream block, otherwise nginx tries to resolve it in DNS:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with 403. Taking the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are in effect. Each blocked request also leaves a "ModSecurity: Access denied with code 403" line in nginx's error.log carrying the id of the rule that matched, which is the place to look when a legitimate request gets blocked.

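To repeat the three requests without a browser and to see which CRS rule fired, here is an added shell script; it is not part of the original post. curl has to URL-encode the payloads itself (the space in "1 and 1=1" would otherwise break the request line), and the rule summary reads the same error.log the post quotes later. The host name, the error.log path and the sample log lines embedded at the bottom are assumptions: the sample follows the ModSecurity 2.x error-log format but is constructed for the demo, with illustrative rule ids, file names and line numbers.

```shell
#!/bin/sh
# Added example, not from the original post. Smoke-tests the WAF with curl and
# summarises ModSecurity hits from nginx's error.log.
# Assumed (not in the post): BASE is the protected vhost, ERRLOG its error log.
BASE="${BASE:-http://www.52os.net}"
ERRLOG="${ERRLOG:-/opt/tengine/logs/error.log}"

# expect_status PATH KEY VALUE WANT: send PATH?KEY=VALUE with VALUE URL-encoded
# (as a browser would) and compare the HTTP status code with WANT.
expect_status() {
    path=$1; key=$2; value=$3; want=$4
    got=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 -G \
              --data-urlencode "$key=$value" "$BASE$path")
    if [ "$got" = "$want" ]; then
        echo "PASS $path?$key=$value -> $got"
    else
        echo "FAIL $path?$key=$value -> got $got, want $want"
        return 1
    fi
}

# modsec_hits: read ModSecurity error-log lines on stdin and print one line
# "<rule id><TAB><uri><TAB><count>" per rule/uri pair, sorted. Run it over
# real traffic while SecRuleEngine is DetectionOnly to see which CRS rules
# fire, and which of them are false positives, before switching to On.
modsec_hits() {
    awk '
    /ModSecurity:/ && match($0, /\[id "[0-9]+"\]/) {
        id = substr($0, RSTART + 5, RLENGTH - 7)
        uri = "-"
        if (match($0, /\[uri "[^"]*"\]/)) uri = substr($0, RSTART + 6, RLENGTH - 8)
        hits[id "\t" uri]++
    }
    END { for (k in hits) print k "\t" hits[k] }' | sort
}

# Constructed sample lines in the ModSecurity 2.x error-log format (rule ids,
# file names and line numbers are illustrative, not captured from a server).
SAMPLE_LOG='2015/01/26 02:10:01 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<pattern>" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 02:10:05 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<pattern>" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 02:10:09 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<pattern>" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "30"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 02:10:12 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.'

# demo_hits: run the summary over the constructed sample, so the script can
# be tried offline before pointing it at a live log.
demo_hits() {
    printf '%s\n' "$SAMPLE_LOG" | modsec_hits
}

# Usage: sh waf_smoke.sh run   (sends the three requests from the post, then
# summarises the live error log). Without "run" only the functions are defined.
if [ "${1:-}" = "run" ]; then
    expect_status /phpinfo.php id '1' 200
    expect_status /phpinfo.php id '1 and 1=1' 403
    expect_status /phpinfo.php search "<script>alert('xss');</script>" 403
    modsec_hits < "$ERRLOG"
fi
```

On the sample, demo_hits reports two hits for rule 950901 and one for 973300, all on /phpinfo.php. A rule that shows up for ordinary application URLs in the live log is the one to tune or exclude.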
7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP Server; it builds one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the version ModSecurity was built against is left to load:

yum remove apr

Before doing so, check with "ldd /opt/tengine/sbin/nginx | grep apr" which libapr file the binary actually resolves to, and read the list of dependent packages yum proposes to remove along with apr (httpd and httpd-devel depend on it) before confirming.
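The following is an added shell script, not part of the original post, that automates that check: it reads the "compiled version / loaded version" notices ModSecurity writes at startup (the lines quoted above), reports every library whose two versions differ, and shows with ldd which shared objects the nginx binary resolves to. The binary and log paths are assumptions based on this post's layout; the embedded sample is a copy of the notices quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: find compiled/loaded library
# version mismatches from ModSecurity's startup notices before touching
# packages. Assumed paths (taken from the post's layout): NGINX and ERRLOG.
NGINX="${NGINX:-/opt/tengine/sbin/nginx}"
ERRLOG="${ERRLOG:-/opt/tengine/logs/error.log}"

# lib_mismatches: read error-log lines on stdin and print
# "<LIB> compiled=<x> loaded=<y>" for every notice of the form
#   ModSecurity: LIB compiled version="x"; loaded version="y"
# whose versions differ. Only the leading version token is compared, because
# PCRE appends a build date to its loaded version. Exit status is 1 if any
# mismatch was found, 0 otherwise. Notices without a loaded version (LIBXML
# in the post) are skipped.
lib_mismatches() {
    awk '
    /ModSecurity: [A-Z]+ compiled version=.*loaded version=/ {
        lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
        c = $0; sub(/.*compiled version="/, "", c); sub(/".*/, "", c)
        l = $0; sub(/.*loaded version="/, "", l); sub(/".*/, "", l)
        split(c, cv, " "); split(l, lv, " ")
        if (cv[1] != lv[1]) { print lib " compiled=" cv[1] " loaded=" lv[1]; bad = 1 }
    }
    END { if (bad) exit 1 }'
}

# loaded_libs: the shared objects the nginx binary actually resolves for
# apr, pcre and libxml2; the "loaded" versions come from these files.
loaded_libs() {
    ldd "$NGINX" | grep -E 'libapr|libpcre|libxml'
}

# Copy of the startup notices quoted in the post, for an offline run.
SAMPLE_NOTICES='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"'

# demo_mismatches: run the check over the sample. It prints the APR mismatch
# and returns 1; PCRE (both 7.8) and LIBXML (no loaded version) pass.
demo_mismatches() {
    printf '%s\n' "$SAMPLE_NOTICES" | lib_mismatches
}

# Usage: sh check_libs.sh run   (reads the live error log, then runs ldd).
if [ "${1:-}" = "run" ]; then
    if lib_mismatches < "$ERRLOG"; then
        echo "no compiled/loaded mismatch"
    else
        echo "mismatch found; these are the libraries nginx loads:"
        loaded_libs
    fi
fi
```

If ldd points at a libapr under /usr/lib64 while ModSecurity was built against a newer APR elsewhere, the two have to be reconciled, either by removing the old package as the post does or by rebuilding ModSecurity against the system APR.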
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The default serial audit log writes every transaction to one file under a global mutex, and the nginx worker processes, which run as an unprivileged user, cannot acquire it.
Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following, which switches to concurrent logging (one file per transaction under SecAuditLogStorageDir, so no global mutex is needed):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the log directory world-writable. The worker user only needs write access to /var/log/modsecurity, so giving that user ownership of the directory with mode 0750, and keeping 0550 on the files, is the tighter setting. Audit logs contain complete request bodies, including credentials, so keep them readable only by the accounts that need them.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614