ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications. It now also supports nginx and IIS; combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a strong tool for protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (its configure script needs apxs even for the standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Confirm the result with /opt/tengine/sbin/nginx -V: the configure arguments it prints should include the --add-module path above.
IV. Add rules

ModSecurity's job is to filter and block dangerous web requests, and its strength comes from its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and broad, and you can also write your own rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly, which logs matches without blocking; it is worth running in that mode against real traffic first and only switching to On once the error log shows no false positives.)

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include for each rule file to modsecurity.conf. The setup file must be included before any rule file, because it defines the tx.* variables the rules rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
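The following is an added example (shell), not code from the original article or from the ModSecurity project: a small generator that writes a modsecurity.conf covering the steps in this section, so the engine mode, the audit-log settings and the CRS includes live in one place and the DetectionOnly-then-On rollout is a one-word change. It assumes the CRS sits in owasp-modsecurity-crs under the nginx conf directory, an audit directory of /var/log/modsecurity, and that rule id 10001 is free for local use; the custom SecRule, the commented SecRuleRemoveById template and the 0750/0640 modes are this example's choices, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article: render a modsecurity.conf for
# the Tengine + ModSecurity 2.8 setup described above. Assumptions: the CRS was
# cloned into owasp-modsecurity-crs under the nginx conf directory, the audit
# log goes to /var/log/modsecurity, and rule id 10001 is free for local use.
set -e

# render_modsec_conf <DetectionOnly|On|Off> [crs_dir] [audit_dir]
# Prints the configuration to stdout. Roll out with DetectionOnly (matches are
# logged, nothing is blocked), review error.log, then switch to On.
render_modsec_conf() {
    mode=$1
    crs_dir=${2:-owasp-modsecurity-crs}
    audit_dir=${3:-/var/log/modsecurity}

    case "$mode" in
        DetectionOnly|On|Off) ;;
        *) echo "render_modsec_conf: mode must be DetectionOnly, On or Off (got '$mode')" >&2
           return 1 ;;
    esac

    cat <<EOF
# modsecurity.conf generated by render_modsec_conf (mode: $mode)
SecRuleEngine $mode
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecUnicodeMapFile unicode.mapping 20127

# Concurrent audit logging: one file per transaction under the storage
# directory, so workers never contend for the serial log's global mutex.
# Pre-create $audit_dir owned by the nginx worker user.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir $audit_dir
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

# OWASP CRS: the setup file defines the tx.* variables the rules use,
# so it must come before any rule file.
Include $crs_dir/modsecurity_crs_10_setup.conf
Include $crs_dir/base_rules/modsecurity_crs_40_generic_attacks.conf
Include $crs_dir/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include $crs_dir/base_rules/modsecurity_crs_41_xss_attacks.conf

# Local rule (ids 1-99999 are reserved for local use): deny any request
# argument that still contains "../" after URL decoding.
SecRule ARGS "@contains ../" "id:10001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal in request argument'"

# To silence a CRS rule that false-positives on your application, take the
# id from the [id "NNNNNN"] field of the error.log line and disable it here,
# after the Include that defined it:
# SecRuleRemoveById <id from error.log>
EOF
}

# Usage: sh gen_modsec_conf.sh DetectionOnly > /opt/tengine/conf/modsecurity.conf
if [ $# -gt 0 ]; then
    render_modsec_conf "$@"
fi
```

Generate the file once in DetectionOnly mode, run real traffic through it, and regenerate with On when the log is clean; rules that fire on legitimate requests are disabled by id rather than by deleting them from the CRS checkout, which keeps the rule set upgradeable.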
V. Configure nginx

In each virtual host where ModSecurity should be active, add these two lines to the location block (they are also accepted at server level if every location should be covered):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Only requests that hit a location carrying these directives are inspected; in the PHP example below, static files served by other locations bypass the WAF. Below are two example configurations. First a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Then an upstream load balancer; the upstream name must match the one used in proxy_pass:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, offending requests are answered with a plain 403. Taking the PHP host as an example, create phpinfo.php with the content:

<?php
    phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows the SQL injection and XSS rules are filtering. (The browser URL-encodes the spaces and angle brackets; if you test with curl instead, encode the query string yourself or the request is malformed before it ever reaches the WAF.) Remove phpinfo.php once you are done: it discloses the PHP configuration and environment to anyone who can reach it.
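The following is an added example (shell), not code from the original article: it replays the three checks above with curl, URL-encoding the query string the way the browser did, and compares each status code with what the WAF should return, so the check can run from a cron job or a deployment pipeline instead of by hand. The base URL is an argument; the HTTP client is a function that can be swapped for a stub, which is how the checks are exercised without a live server. Expected codes assume the CRS SQLi and XSS rule files are included and SecRuleEngine is On.

```shell
#!/bin/sh
# Added example, not from the original article: replay the three checks from
# the test section with curl, URL-encoding the query string the way a browser
# would, and compare the status codes with what the WAF should return.
# Assumes the CRS SQLi and XSS rule files are included and SecRuleEngine is On.
set -e

# HTTP client: prints only the status code (000 when the connection fails).
# Arguments: base URL, path, then name=value pairs which curl URL-encodes.
http_status_curl() {
    base=$1
    path=$2
    shift 2
    for kv in "$@"; do              # rewrite "$@" as --data-urlencode pairs
        set -- "$@" --data-urlencode "$kv"
        shift
    done
    curl -s -o /dev/null -w '%{http_code}' -G "$@" "$base$path"
}

# Overridable so the checks can run against a stub instead of a live server.
HTTP_STATUS=${HTTP_STATUS:-http_status_curl}

# probe <base> <expected status> <path> [name=value ...]
# Prints PASS/FAIL and returns 0 only when the status matches.
probe() {
    base=$1
    want=$2
    path=$3
    shift 3
    got=$("$HTTP_STATUS" "$base" "$path" "$@")
    if [ "$got" = "$want" ]; then
        printf 'PASS %s?%s -> %s\n' "$path" "$*" "$got"
        return 0
    fi
    printf 'FAIL %s?%s -> got %s, want %s\n' "$path" "$*" "$got" "$want"
    return 1
}

# The article's three requests: benign, SQL injection, reflected XSS.
# Returns the number of probes whose status did not match.
run_probes() {
    base=$1
    failed=0
    probe "$base" 200 /phpinfo.php 'id=1'                                  || failed=$((failed + 1))
    probe "$base" 403 /phpinfo.php 'id=1 and 1=1'                          || failed=$((failed + 1))
    probe "$base" 403 /phpinfo.php "search=<script>alert('xss');</script>" || failed=$((failed + 1))
    return "$failed"
}

# Usage: sh waf_probe.sh http://www.52os.net   (exit status = number of failed probes)
if [ $# -gt 0 ]; then
    run_probes "$1"
fi
```

A benign request that comes back 403 is as much a failure as an attack that comes back 200: the first means a false positive that will hit real users, the second that the rule file or the ModSecurityEnabled directive is missing from the location being tested.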
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, building one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when you only build the standalone module.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Read the list of dependent packages yum prints before confirming, since anything linked against the system apr goes with it, and afterwards check with "ldd /opt/tengine/sbin/nginx | grep apr" that the binary now resolves the libapr it was built against. The alternative is to rebuild ModSecurity against the APR that is actually installed.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent logging writes one file per transaction under the storage directory instead of appending to a single serial log under a shared lock, which is the lock the worker processes were failing to acquire. The storage directory must exist and be writable by the user the nginx workers run as; 0777 is wider than needed, and a directory owned by that worker user with mode 0750 works just as well.
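The following is an added example (shell), not code from the original article: three helpers for the error.log lines ModSecurity writes. modsec_rule_summary and modsec_denied_clients show which rules and which clients account for the blocks, which is the input you need before disabling a rule by id; modsec_apr_check turns the APR compiled/loaded notice from item 4 above into an exit status. The sample log is constructed for this example: the two APR lines mirror the article, while the denial lines, rule ids 981000/973000 and client addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original article: triage helpers for the nginx
# error.log lines ModSecurity writes. The sample log below is constructed for
# this example: the APR lines mirror the article, the denial lines, rule ids
# 981000/973000 and client addresses are made up.
set -e

SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "981000"] [msg "SQL Injection Attack"] [hostname ""] [uri "/phpinfo.php"] [unique_id "A1"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "973000"] [msg "XSS Attack"] [hostname ""] [uri "/phpinfo.php"] [unique_id "A2"]
2015/01/26 04:21:10 [error] 61610#0: [client 192.0.2.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "1=1" at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "981000"] [msg "SQL Injection Attack"] [hostname ""] [uri "/search.php"] [unique_id "A3"]'

# Reads error.log on stdin; prints "count id msg", most frequent rule first.
modsec_rule_summary() {
    awk '
        /ModSecurity: / && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            msg = ""
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            n[id]++
            m[id] = msg
        }
        END { for (id in n) printf "%d %s %s\n", n[id], id, m[id] }
    ' | sort -rn
}

# Reads error.log on stdin; prints "count client" for blocked requests.
modsec_denied_clients() {
    awk '
        /ModSecurity: Access denied/ && match($0, /\[client [^]]+\]/) {
            c[substr($0, RSTART + 8, RLENGTH - 9)]++
        }
        END { for (ip in c) printf "%d %s\n", c[ip], ip }
    ' | sort -rn
}

# Reads error.log on stdin; returns 1 when the APR ModSecurity was compiled
# against is not the one it loaded (the "Loaded APR do not match" warning).
modsec_apr_check() {
    line=$(grep 'ModSecurity: APR compiled version' | tail -n 1)
    if [ -z "$line" ]; then
        echo "no APR version notice found (start nginx once and check again)"
        return 0
    fi
    compiled=$(printf '%s\n' "$line" | sed 's/.*compiled version="\([^"]*\)".*/\1/')
    loaded=$(printf '%s\n' "$line" | sed 's/.*loaded version="\([^"]*\)".*/\1/')
    if [ "$compiled" = "$loaded" ]; then
        echo "APR ok: compiled=$compiled loaded=$loaded"
        return 0
    fi
    echo "APR mismatch: compiled=$compiled loaded=$loaded; rebuild ModSecurity against the installed apr or remove the stale one"
    return 1
}

# Usage: sh modsec_triage.sh /opt/tengine/logs/error.log  (exit 1 on APR mismatch)
if [ $# -gt 0 ]; then
    echo "== blocks per rule ==";   modsec_rule_summary   < "$1"
    echo "== blocks per client =="; modsec_denied_clients < "$1"
    echo "== APR check ==";         modsec_apr_check      < "$1"
fi
```

Run it against the real error.log after a day in DetectionOnly mode: a rule that tops the summary with hits spread across many ordinary clients and URIs is a false-positive candidate for SecRuleRemoveById, whereas one whose hits cluster on a single client is doing its job.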
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614