ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0
Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at build time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong, and you can of course also write custom rules to meet any particular need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of any host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests now get a 403 straight away. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
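The three browser checks above as a repeatable curl script, added here as an example and not part of the original post. It assumes curl is installed and that the base URL of a host you administer is passed as the first argument (www.52os.net is only the post's placeholder host); waf_status, check and run_smoke_tests are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a repeatable version of the three
# browser checks in section VI. Each request goes through curl and the HTTP
# status is compared with what the enabled CRS rules should produce:
# 200 for the benign query, 403 for the two attack-shaped ones.
# Assumptions: curl is installed and the base URL of a host you administer is
# passed as the first argument (http://www.52os.net below is only the post's
# placeholder host).

# HTTP status for GET <base>/phpinfo.php?<param>=<value>.
# --data-urlencode percent-encodes the value so spaces and angle brackets
# survive the trip; a browser does this for you, curl does not.
waf_status() {
  curl -s -o /dev/null -w '%{http_code}' --get \
       --data-urlencode "$2=$3" "$1/phpinfo.php"
}

# Print one PASS/FAIL line; return 0 on a match and 1 otherwise so the
# caller can count failures instead of stopping at the first one.
check() {
  if [ "$3" = "$2" ]; then
    printf 'PASS %-16s expected %s got %s\n' "$1" "$2" "$3"
    return 0
  fi
  printf 'FAIL %-16s expected %s got %s\n' "$1" "$2" "$3"
  return 1
}

# Run the three checks from section VI against $1; return the failure count,
# so the exit status is 0 only when the WAF behaves as expected.
run_smoke_tests() {
  base="${1:-http://www.52os.net}"
  failures=0
  check "benign query"  200 "$(waf_status "$base" id "1")" \
    || failures=$((failures + 1))
  check "sql injection" 403 "$(waf_status "$base" id "1 and 1=1")" \
    || failures=$((failures + 1))
  check "reflected xss" 403 \
    "$(waf_status "$base" search "<script>alert('xss');</script>")" \
    || failures=$((failures + 1))
  return "$failures"
}

# Only contact a host when a base URL is given: ./waf_smoke.sh http://host
if [ -n "${1:-}" ]; then
  run_smoke_tests "$1"
fi
```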
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the following as well:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity/
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614