|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。& o# w. Q9 I! M& e& L! a
/ `# X) I4 u7 P: D* x' h2 ~$ i一.准备工作8 K8 y( ~3 Y+ y. }( \8 z; o
" n: [' S+ {! C* D+ X系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
* ~2 F' D0 s) }. r9 E L% c- v3 I! T) n$ k2 b& p' _" U
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz. K. p5 s( z2 K0 G8 q. w
7 ]6 Q( U. s+ L$ c! zmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz" {8 Z) R% Y) [+ W# E1 R
! i2 x& C9 B3 a0 Z; Y
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs& M# u' y- W5 c# p$ J: o
$ ^( I, w* o9 ?: G; K' _# D依赖关系:* } ~) u, N. W8 H
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
/ }6 L+ V( P$ Q) J7 P
( R" Y) F+ Y! E$ y: q" _yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel4 k4 g8 l- k Q# l z/ ~9 _: S! W
modsecurty依赖的包:pcre httpd-devel libxml2 apr7 y% h4 y% w; l. g
% U/ Z" V& b7 m" o' n" Y) @
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
, ]) S- c1 Y8 x+ m# T% ^/ W二.启用standalone模块并编译
# w5 r7 U! [7 [, n
- E7 }' Q( ?5 S, p6 P$ J3 f+ w/ ^下载modsecurity for nginx 解压,进入解压后目录执行:, l1 V% C/ u7 T1 I' D/ J
/ `8 N M/ a1 c: l0 x
./autogen.sh
4 S! u9 |# X: A, L$ \8 K0 C+ m, f./configure --enable-standalone-module --disable-mlogc: o) ?0 r$ j: n P& K' q G
make 6 M- |+ X* Q! i
三.nginx添加modsecurity模块5 l2 W. }6 n$ w Y
" P S) J0 s+ i
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:# |9 Y; `) r, b* `, H
* p9 O( c! X7 | V4 J1 w
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
7 C, {( o; z4 J$ w8 m; rmake && make install
+ j6 p& [% k: z, s- n' M4 ~四.添加规则; R8 g5 ^: O7 {/ D& o4 n
" R5 R9 j8 l6 _% j9 r" [: |modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
" s, a6 c6 w. Q% a5 c( b7 P3 Z
( G1 Y |. e* A: k: w$ g: j0 v, ~1.下载OWASP规则:
* h6 t F5 `3 V; Q m' i4 s) M9 q. u* }9 o4 `; F
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
' T9 U& v8 s$ W2 P; d7 ?2 i) B8 W/ d8 R8 d% x& a) |
mv owasp-modsecurity-crs /opt/tengine/conf/
% J Z G$ a. o( d1 Z/ w0 c2 s1 J! d1 Q( X' a3 ^% G4 ^' @ Q) I
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
! B# `! O+ U p; K! o8 E2.启用OWASP规则:1 z* G9 m0 Y" J' b: k: W. y
6 S- p# C- x& d b复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
' ]6 M% g! z, w) o. x) H' M, D: b8 m; P) l$ p1 O0 I2 [" u$ O
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
# S$ {" l) y- k R+ C- U1 M8 M+ W3 _5 ]8 H9 R2 x5 D5 Y
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
" }) h6 x; E( e8 s
( r7 O+ V* P( f: [+ U8 F: OInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf$ X! h3 |. |! w$ v6 D' U: b) e
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf, f2 d) U& ]+ c8 Q. f/ \( ~
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
8 Q4 J2 k9 J k" j, a/ H: ^Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf8 O1 U, E8 }" ^0 E- S1 B5 K( |
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf7 B& @% V4 D/ D, Y! d$ S. V9 b
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf& o7 g3 r4 B9 n9 N" F! [2 }, ~6 w
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
% H/ o$ X+ T; z+ Q/ d* ~0 p五.配置nginx' F7 V4 M/ m, _1 A0 p( |/ r
- c; q0 {8 i" |5 U- X
在需要启用modsecurity的主机的location下面加入下面两行即可:. D* } e3 f G* N7 j: k, k( `! @
7 J4 ?, V2 M$ f7 o2 e) P% x9 s1 CModSecurityEnabled on;
; U" e- V1 X' zModSecurityConfig modsecurity.conf;4 K2 U' q: t2 ~) G7 j( X
下面是两个示例配置,php虚拟主机:
2 v: J2 e, Z5 J' [0 b& P# o; o* i8 Q
server {) H. y/ Z* a- Z; ^5 n* F% @
listen 80;2 y+ A& g. _ }( C! T& L
server_name 52os.net www.52os.net;
3 X/ x! Y: \; k2 \( ^% ~6 g X& W
, ?5 b/ Q: v3 T3 U location ~ \.php$ {
4 ~( T% }7 D( t) ~* n# o5 ]/ b ModSecurityEnabled on; : a: F" ]) x3 S) `/ i$ }2 N
ModSecurityConfig modsecurity.conf;
7 Z. l$ Z" k6 ?/ i% k4 o4 ?, l8 q) e) ~/ ^7 u! `
root /web/wordpress;
0 a. _6 |9 C% n+ } index index.php index.html index.htm;0 ^# A' L: Y2 \8 w
1 j0 x2 w# J% t5 G! l
fastcgi_pass 127.0.0.1:9000;0 N4 V7 } u% l3 w1 G! O3 c3 L
fastcgi_index index.php;
! X5 Z4 Y4 z, I2 Q* h fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;9 \$ z! p `6 O+ N6 u: p! G$ t
include fastcgi_params;
+ t; W6 y5 ?7 C0 d1 z U$ G/ ] }/ N: q; a$ @; G1 X5 C( P
}% G: A4 i( l( P0 h3 l
upstream负载均衡:' [! J( i. r7 N+ b* h# S
* E) V2 v: B# o6 S! F& {
upstream 52os.net {7 g4 w. K# h6 V! z2 x
server 192.168.1.100:8080;5 R" E! ?3 d' k2 ~
server 192.168.1.101:8080 backup;
) p2 B f: h. A) |( } N0 ?}
$ T5 I& Q1 h6 j
, C0 u9 g# r; z" T/ r1 J, Fserver {0 ~+ v5 ` e0 w& K" X
listen 80;$ q2 f; X) F0 M6 G
server_name 52os.net www.52os.net;
, S; v- B' m% J6 G/ _9 a* |( g9 U" f* w
0 z8 K; N( ]' _4 }7 Tlocation / {
( l1 p3 {# c2 ~2 i, Q3 H ModSecurityEnabled on; $ L8 F3 l$ V" d L3 z9 A
ModSecurityConfig modsecurity.conf;
6 P0 t6 d/ V% _* z4 `% E" U6 y# f3 E+ @2 _9 T0 R4 H7 j
proxy_pass http://online;
) A& F! z4 T" O/ R' O& A- U, d proxy_redirect off;
9 |7 t- M# O) e proxy_set_header Host $host;6 J( l6 T! Q' c( Z+ i
proxy_set_header X-Real-IP $remote_addr;* j4 L2 q) v& J- r r
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;7 V+ C, V# r9 @
}3 n; Q& v6 f, H3 i
}
6 Q$ g% y$ h% E9 W六.测试
7 P3 c/ E, U' e8 @0 e: G' V
+ n" `6 u! @+ N! {/ a1 |% e9 u我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:5 W3 |$ l# F8 }# A/ g/ w
7 V: x4 L( B4 u4 C6 {. P
<?php
6 I* |; J. A; H" M* b phpinfo();
5 [1 z! {* `$ h5 D q- ??>! o4 \ V% G, F2 D3 B
在浏览器中访问:" Y& _0 v' c. \. u/ L% {
* A- a5 q! E1 M9 Z" N# J( @http://www.52os.net/phpinfo.php?id=1 正常显示。; P6 c: R; n- |& G$ O+ d
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
9 Z9 k& q" x }3 |- phttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。% o9 ]: N K! Q6 }8 V0 M
说明sql注入和xss已经被过滤了& v& o |8 z4 m4 t- C l
+ O7 O' W6 x9 ]9 ]2 |七、安装过程中排错5 V6 X- w, h5 C) ^3 n
: t3 J3 k% ?' \' I3 L3 b8 }1.缺少APXS会报错
8 v- M' }1 b0 j% R5 R& D0 }$ ]/ k, l8 k* F! a3 J
configure: looking for Apache module support via DSO through APXS
9 r3 `( k9 @8 [, kconfigure: error: couldn't find APXS
( v/ u, \/ F* Z% h# B; q6 ~: Vapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
4 ]2 ]/ d* @2 q( q3 A/ O, h9 Q* `解决方法:
+ I, C/ C. m& h! D. ?3 x
: I h6 L3 p4 |! i1 jyum install httpd-devel+ f9 Y8 h9 p8 i7 U& j+ h3 E( y1 L
2.没有pcre
% x/ d) K/ }$ Q# _5 Q) y. A0 j/ o }: p! [
configure: *** pcre library not found.
+ c- F$ X6 a$ ^* O8 cconfigure: error: pcre library is required
$ m( m" a# r% w+ h3 ?$ h解决方法:. ]4 ^! b/ C; z6 F6 }# }
8 K) p; Z* a# n7 g
yum install pcre pcre-devel
6 t0 y8 P1 M* T: v4 D7 v( `+ I3.没有libxml23 f8 D, _5 p$ h% q. C) O. H
) J9 Z$ [& q2 O
z7 E. ]- `, L$ |2 T/ g7 Gconfigure: *** xml library not found.
- G; J, W" R/ _6 Iconfigure: error: libxml2 is required
+ Y' d9 H( r% |% l5 P解决方法:. A* @; Z2 s) e+ L5 T
% Q1 |0 B: l ?6 @. [) v4 V$ Ryum install libxml2 libxml2-devel" E" i$ e1 R: | \0 `
4.执行 /opt/tengine/sbin/nginx -m 时有警告6 r: D& G6 c' e. ~5 z$ R
* m4 I x8 v( J: b) p
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
+ p/ J6 @3 _$ [! [) Znginx: [warn] ModSecurity: Loaded APR do not match with compiled!
1 c# P+ Q) O2 w9 D2 r x4 k1 P8 D原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
. j% J4 G, m4 Q% T% M- m3 ~
3 B! S1 @* E& H- e1 k$ U. r2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
! H" c& R7 ?6 z- m" }6 u2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"- p# \# s7 I3 A; T2 ~( t5 C8 F
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
/ f' Q8 L' o0 W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
- W% q( `1 h% o: x- u2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"' j9 }8 @* ~$ K) {$ h# ]2 X2 |/ T
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.. B7 ^8 E8 z/ [" @: C" Y2 V
解决方法,移除低版本的APR (1.3.9)
+ [+ S6 b6 i& Y3 B4 x' Z, K* e) H- |6 x+ Y g" {1 M4 j% O4 W
yum remove apr
* h6 u. `) h5 M7 N2 H5.Error.log中有: Audit log: Failed to lock global mutex b* V" T2 l$ D0 V3 y3 K1 F
0 z) ^, e U( v- @3 ]8 ]5 p
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock . n, {( U3 M8 O) O0 v5 k
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
5 S. O0 B5 o* c; r; p解决方法:
. }* |$ G$ C6 g编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
, u5 Q3 ~9 k5 t; I) O* r
! ^# |2 Q5 w1 L& \9 pSecAuditLogDirMode 0777 w3 E* p( T, F( M7 g- i. f! H H8 Y
SecAuditLogFileMode 0550
7 F \+ A& t aSecAuditLogStorageDir /var/log/modsecurity
: s- P1 l+ v. }( a% ^! vSecAuditLogType Concurrent) w' }$ ^3 _6 J; z6 }7 G
参考文章:: d# i7 G, T% f+ J* O% p- B6 D
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
3 G7 V, ], `7 }8 V' Q. g" V" Shttp://drops.wooyun.org/tips/2614 |
|