|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
+ Y! M/ g) ?1 e/ r2 s9 d
, d8 x, R P' z* P" C! J" t一.准备工作0 C- k7 u, U/ Q/ _8 h
2 P! ` K" J1 ^$ B+ ]
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0) o% C3 k! F, S$ u" J. C- I
/ l! p/ D% V6 y; d1 Z
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz' B: u4 S% }- t8 s. E
' }4 q, B8 f- F `5 `modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz; W; O" c) N. L# `8 P0 J; X2 F/ _ K
! j! B- L" D0 w' ]% c, Y$ EOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs% F9 I* W# H6 e0 b; ]1 M
' u( u+ k) O8 S5 X
依赖关系:
/ ]( Z4 X- ~5 Jtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
- Q R3 [& p2 d
& B6 N% M3 \: X j- ayum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
$ F+ ]- r+ Z7 J Mmodsecurty依赖的包:pcre httpd-devel libxml2 apr) l& \4 A1 P. C. H! Z# q8 i# K) o1 W
7 X4 N. X3 [+ e8 ryum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
+ @( H2 S& D, N+ J, H" w, j4 p1 {二.启用standalone模块并编译! m2 F: m: F$ R* ]1 @
$ H% D( m7 I" e: w b0 g" R) n
下载modsecurity for nginx 解压,进入解压后目录执行:
3 Q/ ^; i& J1 @
9 \8 w$ A# X/ d% c$ G9 t./autogen.sh* Y. E+ n8 U- K5 s
./configure --enable-standalone-module --disable-mlogc
. v; @5 T2 Q; u# Z/ Pmake
" t$ l) I z5 u, }三.nginx添加modsecurity模块. Y4 E, l ~9 I8 I
3 k4 S1 F& Z; t! _/ H. n$ W
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:" C; |0 h+ O/ m+ X+ d3 b
1 z/ {; a, z, k' |# C" B1 [./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine x$ p0 U" h# a
make && make install" P: c' I# x/ v
四.添加规则
5 p: C4 M" @8 m/ r# z/ \1 w9 u& [5 X0 A
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
- V5 e9 w& [$ a) I# T
" X+ Q& m9 ~9 O* c- f1.下载OWASP规则:
6 @/ \, Z8 H- W% q% G# v. V$ V* D$ G7 g7 P
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs0 p$ w2 P% u9 E! t, g) r
# R0 v$ M7 z- U) u1 q' t
mv owasp-modsecurity-crs /opt/tengine/conf/" K2 h* e3 f2 {: I) S j
, M# \0 }) `. g7 P; X5 b& V7 [
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf9 H# Z9 x( I6 E$ ]" ~/ w+ Y* m
2.启用OWASP规则:
3 z& R$ t9 l6 S. G. H: ? g: I5 b- g$ }6 p/ r( c, H: q- l1 R" d
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
$ ?2 h/ e8 }5 H( n! b! l8 X# \% t$ P c3 O. _
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
# A8 |0 O5 K9 y, V% F5 S6 M: v. W( W+ g3 E0 H2 [7 i
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。. ]+ h9 l6 j% I9 O; x; H
0 y9 q8 R. R; M, ^5 X
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf4 B) O8 Q' \4 o0 {! k
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf0 q: v! C+ M- t, ]. N
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
% X- [( Z0 v3 Q8 i" {( d4 WInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf* ~3 D3 W% Z0 V7 l4 F/ [
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
. e9 {2 R! r% IInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf' N9 A7 E+ H# c7 g8 T" E
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
# ^/ F" C5 H1 c5 @7 i五.配置nginx
; l+ w& F5 [8 f6 A, Q# v- u8 w: J% \; y3 Q
在需要启用modsecurity的主机的location下面加入下面两行即可:( K& y) Z0 o% `" I: r; D; ~. E
# B( }+ U: T# N' j$ HModSecurityEnabled on; & ^9 ]: l+ Q! P8 b9 a( k
ModSecurityConfig modsecurity.conf;
& L) z) a) ~2 s& {* K下面是两个示例配置,php虚拟主机:: s- @: u4 s% h. u# F, U# Q, z" P
6 }; F0 h2 t. U' ]4 J5 `7 g
server {
* _; f; k. L) y Z4 P" g listen 80;
: Q, U/ @. K* T5 B server_name 52os.net www.52os.net;
3 p* X/ ?2 N6 c% S/ v ' f" _; y# D: t
location ~ \.php$ {! D4 f+ k, h- Y$ u
ModSecurityEnabled on; 6 f* B" b# L1 u' n: W- ^
ModSecurityConfig modsecurity.conf;. ^$ {$ r/ C5 @
3 Q- U S( ?* j6 v& x" w3 y
root /web/wordpress;/ _7 i/ j7 j1 R: I5 ^0 |
index index.php index.html index.htm;
5 e+ @* Y w$ s) i9 V7 N/ N
S" Z7 f% n7 A T0 a fastcgi_pass 127.0.0.1:9000;8 J2 Z/ w1 K8 ?1 Y {3 K
fastcgi_index index.php;
4 W# u. D$ n+ O! U7 `# x fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
2 R6 I. T" D! H. |1 t8 m9 K# E T& K include fastcgi_params;
. F5 |0 C* @4 c% u& l+ j& T }
8 [$ M% ?# ?0 \4 g$ }/ t }0 F; k/ ^) K1 A2 @ ^" B3 O N C3 {
upstream负载均衡:( R6 c$ J I# H: }! |$ F7 v
8 U, \+ M6 o/ Y& p1 e! ^8 [
upstream 52os.net {
, T T; ^# F1 h* Y, ?8 O- \ server 192.168.1.100:8080;6 ~; B: `5 Z0 p
server 192.168.1.101:8080 backup;
0 @. e0 u: g, O: N}
6 n; G( b$ o$ G# n4 M$ i% x: `. ]) D' j. u y
server {; X9 x; u0 l8 L" [0 f: S
listen 80;
0 H3 O8 ~: t( ?: ~& wserver_name 52os.net www.52os.net;
) m' s* q5 r! t, r/ z# X5 {- y, T# L
location / {3 {) Y/ E% _" u# Y+ G
ModSecurityEnabled on; f+ U( w& N- v7 z
ModSecurityConfig modsecurity.conf; 0 X6 o" S( z* y) M
5 u, u; W/ n8 V
proxy_pass http://online;
4 Y9 o) O$ B+ S1 F o7 Q' b proxy_redirect off;
+ \" @1 D7 r$ f B0 r proxy_set_header Host $host;
7 I6 ]3 d) J* r* q proxy_set_header X-Real-IP $remote_addr;
, N2 @0 F* e g$ `# h' _( t proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;$ N* |# o, u- i4 ^! t
}9 H R7 ]/ X* f2 k# L
}
9 C x: _2 m8 t/ ^2 J7 V六.测试
5 r1 U$ W0 K, ?+ v6 Y( h
5 J2 C" k" S8 u7 y& D( E: c8 W: @我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
Y# p' u& r* r" O. x
6 k' l# E# ^, j' d! t# a& Z' R; W<?php
* p& d9 c; q" Y4 n; P: b phpinfo(); % U, y( ?$ }4 i/ V; z4 B5 d8 G
?>
1 n+ ~" w# w% s0 ~+ W+ \( G在浏览器中访问:5 s: O, S! k- |2 t/ l
& o( i0 W3 b% F& [. N; D/ w
http://www.52os.net/phpinfo.php?id=1 正常显示。; q! \ @8 e; v+ I8 ]& H. x6 e
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
! o! }% }+ @# U2 ~3 y+ ^" n* X/ yhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。3 A l) t I, c
说明sql注入和xss已经被过滤了
( X- @( V A( B
7 p$ y. p% ]. w6 R( L七、安装过程中排错
3 X# J0 V5 o) e" p, v- l( A
; T" j( l+ R6 N0 X. p1.缺少APXS会报错/ Z \* U' h9 P
- |. J, O- c8 S* \* o+ P H
configure: looking for Apache module support via DSO through APXS
" [& i/ ^. Q" b X# {configure: error: couldn't find APXS! P- O% t( F; k/ n
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。9 c8 r" e) l9 G% i4 g
解决方法:, w" X6 a4 A1 H) [* S9 O$ s) d
& S ~/ r0 e% f: M0 @9 P' y y5 a
yum install httpd-devel
. | T0 D/ ]- [& X6 p# q, r7 P/ J- a2.没有pcre0 k k& L) L0 ?, s U. v- T' `
/ @1 x; W& o( {4 p3 |8 A. nconfigure: *** pcre library not found.. |7 V9 }2 ~% N# ? a# _$ L% h
configure: error: pcre library is required
" ?+ E# z3 P- e; [' Y. {( v+ S解决方法:7 G. B4 ]8 ?' P" D5 ^( g
; _0 [. @7 P1 l( _- J+ O9 O( L
yum install pcre pcre-devel
& z% a v6 t8 z3.没有libxml22 f; F8 c& T( i3 c
. { M: D5 U6 y3 Q2 y6 l2 U
. Z$ ]# x/ W4 X! o9 d8 mconfigure: *** xml library not found.+ f. u9 U* J6 k5 a* W
configure: error: libxml2 is required
2 ?& O @- l1 _5 @* o$ u解决方法:# M3 E1 y' S( M E( Q
3 ^. P" s! L# W! U L! m) v! m
yum install libxml2 libxml2-devel
* E" }3 q1 I/ h3 {9 I4.执行 /opt/tengine/sbin/nginx -m 时有警告
/ n) V) t- r9 E5 h2 ~3 \, C+ A% @, ^0 Q9 B4 B% y% Q
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
9 U4 ]2 X* G0 N/ ]6 dnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
- \: s R3 T/ N9 N* q原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log5 k# ?8 V. D' Q8 C: I% {
# X& G! t( W* z' L
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
+ o3 f& T |/ |7 K' i( \5 ^: z8 F2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
3 h+ D. B) j9 H* g- h3 `4 y" m: u2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!! H! K3 G/ E/ }0 G; t6 [. P J- h {
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05", L; b J& E- W
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
+ |9 a A. S5 p$ t2 T5 b' G8 m2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 G+ Y: g; D6 Z: z% n% O
解决方法,移除低版本的APR (1.3.9)2 ^1 }6 f' D) h# f5 o2 @7 l
0 g5 ^ P5 b8 ~
yum remove apr
5 F. Q; H P' {$ e5.Error.log中有: Audit log: Failed to lock global mutex
3 ]) [4 K4 ] I6 L7 ]7 a" D1 P* U; J
6 `* T' c; M. d2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 5 [6 {+ I, ?8 E
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]& a: P9 F) J+ Q, }7 E! q3 Q" a+ c
解决方法:6 P* @, u" P5 u
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容: s! b' Q+ K- d
7 |( R( {' d2 R7 O9 R. M+ F" @SecAuditLogDirMode 0777: u3 S: _+ W, O* f' {0 D- y1 h9 I
SecAuditLogFileMode 0550
. \% K) w E r- _8 zSecAuditLogStorageDir /var/log/modsecurity
/ e6 x- z& Z( I4 s# V2 T) ?, }SecAuditLogType Concurrent. ]4 q1 u! V# P: C
参考文章:
+ B* v4 `+ m' K4 _https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX+ c9 i) ^4 e8 d2 P6 p
http://drops.wooyun.org/tips/2614 |
|