ModSecurity started life as an open-source WAF for Apache and is an effective way to harden a web front end; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, and it is a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, point nginx's configure at it with --add-module (the path is the nginx/modsecurity directory inside the ModSecurity source tree):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is built to filter and block web attacks, and its power comes from its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and thorough, and you can of course also write your own rules for whatever the CRS does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which only logs matches without blocking; that mode is useful for a trial period on live traffic, but nothing is blocked until the engine is switched to On.

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by Include-ing their files at the end of modsecurity.conf. The setup file must be included first, because it defines the variables the other rule files rely on; the experimental_rules and optional_rules directories are meant to be enabled selectively after testing, since they are more prone to false positives than base_rules.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines to the location (or server) block of any host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host; note that ModSecurity is enabled only in the PHP location here, so requests for static files are not inspected:

server {
    listen 80;
    server_name 52os.net www.52os.net;
    root /web/wordpress;
    index index.php index.html index.htm;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, an upstream (load-balanced) proxy. The name used in proxy_pass must match the name of the upstream block:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with 403. Using the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. If all three requests return 200, check that SecRuleEngine is On rather than DetectionOnly, and look for the matches in error.log. Remove phpinfo.php once the test is done, since it discloses the server's configuration to anyone who can reach it.
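
The three browser checks above can be scripted so the same probes are rerun after every rule change. The script below is an added example, not code from the original article: it issues the article's three requests against a base URL given on the command line (the default host www.52os.net is an assumption taken from the article), percent-encodes the payloads the way a browser would, and treats the WAF's 403 as a result rather than an error. The fetch function is injectable so the logic can be exercised without a live server.

```python
"""Smoke test for the ModSecurity/CRS setup: benign traffic must pass,
the SQLi and XSS probes from the article must be answered with 403.
Added example; the target host is an assumption, not part of the article."""
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# (description, path with query string, expected HTTP status).
# These mirror the three browser requests in the testing section; the
# payloads are percent-encoded so urllib accepts them, as a browser would.
PROBES = [
    ("benign query", "/phpinfo.php?id=1", 200),
    ("SQL injection probe", "/phpinfo.php?id=" + quote("1 and 1=1"), 403),
    ("reflected XSS probe",
     "/phpinfo.php?search=" + quote("<script>alert('xss');</script>"), 403),
]


def http_status(url, timeout=5):
    """GET url and return its HTTP status; a 4xx/5xx answer is a normal
    result here, not a failure. Connection errors (URLError) propagate,
    because an unreachable host must not look like a passing test."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # ModSecurity's block arrives as an HTTPError; its code is the answer.
        return err.code


def run_probes(base_url, probes=PROBES, fetch=http_status):
    """Run every probe and return (description, expected, actual, passed)
    tuples. `fetch` is injectable so the logic can run without a server."""
    results = []
    for desc, path, expected in probes:
        actual = fetch(base_url.rstrip("/") + path)
        results.append((desc, expected, actual, actual == expected))
    return results


def waf_is_effective(results):
    """True only if benign traffic passed AND every attack probe was blocked."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    # Assumed host from the article; override with the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    res = run_probes(base)
    for desc, expected, actual, passed in res:
        print(f"{'OK  ' if passed else 'FAIL'} {desc}: expected {expected}, got {actual}")
    sys.exit(0 if waf_is_effective(res) else 1)
```

Run it as python waf_smoke.py http://www.52os.net (the file name is arbitrary); exit status 0 means benign traffic passed and both attack probes were blocked. If both attack probes come back 200, SecRuleEngine is most likely still DetectionOnly: the matches then show up in error.log as "ModSecurity: Warning." lines, but nothing is blocked.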

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, building one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m (Tengine's option for listing the loaded modules)

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that this also removes every package that depends on the system APR (httpd and httpd-devel among them). The cleaner fix is to build ModSecurity against the APR that will actually be loaded, by passing --with-apr to its configure script, and then to confirm with ldd on the nginx binary that only one libapr-1.so is linked.
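
The notices above are ModSecurity speaking through error.log. Once SecRuleEngine is On, every rule match lands in the same file as a "ModSecurity: Access denied ..." line (or, under DetectionOnly, a "ModSecurity: Warning." line) carrying [id "..."], [msg "..."], [uri "..."] and [unique_id "..."] fields, and tuning the CRS means reading those lines at scale: a rule that fires hundreds of times on a legitimate URI is the false-positive candidate to exclude with SecRuleRemoveById or to handle with a targeted exception before blocking is turned on. The following script is an added example and not part of the original article; the log lines embedded in it are constructed in that format (the rule ids, messages and client addresses are illustrative), and the error.log path in the usage comment is an assumption.

```python
"""Triage ModSecurity 2.x messages in nginx's error.log: extract client,
action, rule id, msg, uri and unique_id from each line and count matches
per rule so false positives can be found. Added example, not from the
original article; SAMPLE_LOG below is constructed, not real traffic."""
import re
import sys
from collections import Counter

# Constructed sample: two blocks (SecRuleEngine On), two DetectionOnly
# warnings, one audit-log error that carries no rule id, and one ordinary
# nginx line that is not from ModSecurity at all.
SAMPLE_LOG = r"""2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\band\b ?\d)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981245"] [rev "2"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: and 1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "30"] [id "973336"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script found within ARGS:search: <script>alert(\"xss\");</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:21:10 [error] 61611#0: [client 192.168.1.50] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [hostname "www.52os.net"] [uri "/wp-admin/admin-ajax.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:21:12 [error] 61611#0: [client 192.168.1.51] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [hostname "www.52os.net"] [uri "/wp-admin/admin-ajax.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:22:00 [error] 61611#0: *17 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 192.168.1.50, server: 52os.net, request: "GET /favicon.ico HTTP/1.1"
"""

# A ModSecurity message is free text followed by [key "value"] pairs;
# the nginx connector prefixes it with [client ADDR] (no quotes there).
MODSEC_RE = re.compile(r"ModSecurity: (?P<text>.*)$")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")
KV_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>(?:[^"\\]|\\.)*)"\]')
ACTION_RE = re.compile(r"^(?:Access denied with code (?P<code>\d+)(?: \(phase \d\))?|Warning)\.")


def parse_line(line):
    """Parse one error.log line. None for non-ModSecurity lines; otherwise a
    dict with client, action ("denied", "warning" or "other"), the HTTP code
    for a block, every [key "value"] field, and the list of tags."""
    m = MODSEC_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    rec = {"client": None, "action": "other", "code": None, "tags": []}
    c = CLIENT_RE.search(line)
    if c:
        rec["client"] = c.group("client")
    a = ACTION_RE.match(text)
    if a:
        rec["action"] = "denied" if a.group("code") else "warning"
        rec["code"] = int(a.group("code")) if a.group("code") else None
    for key, value in KV_RE.findall(text):
        if key == "tag":
            rec["tags"].append(value)
        else:
            rec[key] = value.replace('\\"', '"')  # unescape quoted data
    return rec


def summarize(lines):
    """Count matches per (id, msg) and per (id, uri). Lines without a rule id
    (audit-log errors, startup notices) are skipped so they do not inflate
    the tally."""
    by_rule, by_rule_uri = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or "id" not in rec:
            continue
        by_rule[(rec["id"], rec.get("msg", ""))] += 1
        by_rule_uri[(rec["id"], rec.get("uri", ""))] += 1
    return by_rule, by_rule_uri


def top_rules(lines, n=5):
    """The n most frequently matched rules as ((id, msg), count), most common first."""
    return summarize(lines)[0].most_common(n)


def blocked_clients(lines):
    """Clients that actually received a 403 from ModSecurity, with counts."""
    c = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            c[rec["client"]] += 1
    return c


if __name__ == "__main__":
    # Usage: python modsec_triage.py /opt/tengine/logs/error.log
    # (path is an assumption); with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    by_rule, by_rule_uri = summarize(lines)
    print("Rule hits (high-count, low-severity rules are the false-positive candidates):")
    for (rule_id, msg), n in by_rule.most_common():
        print(f"  {n:5d}  id={rule_id}  {msg}")
    print("Per rule and URI:")
    for (rule_id, uri), n in by_rule_uri.most_common():
        print(f"  {n:5d}  id={rule_id}  {uri}")
    print("Clients blocked:", dict(blocked_clients(lines)))
```

On the constructed sample the top entry is rule 960015 firing twice on /wp-admin/admin-ajax.php, which is exactly the shape of a false positive worth an exception, while the two 403s on /phpinfo.php are the article's own test probes. The unique_id field ties each line to the matching entry in the audit log when the full request is needed.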

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log is protected by a global mutex that the master process creates as root, and the unprivileged worker processes cannot lock it. The concurrent audit log format writes one file per transaction and does not take that lock.

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

A mode of 0777 makes the audit log directory world-writable. It is better to create /var/log/modsecurity owned by the user the nginx workers run as, set SecAuditLogDirMode to 0750, and use SecAuditLogFileMode 0640 so the audit files stay readable by the log reader but not by everyone on the host. Remember that the audit log stores complete requests, including credentials and session cookies.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614