ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web site; it now supports nginx and IIS as well. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add ModSecurity to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

4. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for specific needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream (load-balanced) virtual host:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2) pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. The following also appears in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614