ModSecurity was originally an open-source WAF for Apache that noticeably hardens web applications; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity's purpose is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set provided by OWASP, maintained by community volunteers, is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course also write custom rules to cover your own needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need; a rule file is enabled simply by adding an Include line for it:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, load balancing through an upstream group:

# the upstream name must match the one referenced by proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, malformed requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
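Once the test requests above return 403, nginx's error.log is where you confirm which CRS rule fired and spot rules that are blocking legitimate traffic. The following Python script is added here as an example (it is not part of the original post or of ModSecurity): it parses the bracketed [key "value"] fields that ModSecurity 2.x writes into error.log and counts blocks per client and rule id, separating matches that only warned (SecRuleEngine DetectionOnly). The sample log lines, IPs, hostname, unique_ids and rule ids/messages are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape ModSecurity 2.x writes into nginx's error.log.
# Timestamps, client IPs, hostname, unique_ids and the rule ids/messages are made up
# for this example (not taken from the post; they need not match a real CRS rule).
SAMPLE_ERROR_LOG = """\
2015/01/26 10:00:01 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.5.0"
2015/01/26 10:00:05 [error] 29036#0: [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/phpinfo.php"] [unique_id "EXAMPLE0001"]
2015/01/26 10:00:09 [error] 29036#0: [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "30"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/phpinfo.php"] [unique_id "EXAMPLE0002"]
2015/01/26 10:00:12 [error] 29036#0: [client 10.0.0.7] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "EXAMPLE0003"]
"""

# Leading part of every nginx error.log line; "[client x.x.x.x]" is absent on the
# start-up notices (APR/PCRE versions), so it is optional here.
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\*\d+ )?(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<rest>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
DENIED_RE = re.compile(r'^Access denied with code (\d+)')

def parse_entry(line):
    """One error.log line -> dict, or None when it is not a ModSecurity line."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    rec = {'ts': m.group('ts'), 'level': m.group('level'), 'client': m.group('client')}
    rest = m.group('rest')
    denied = DENIED_RE.match(rest)
    # None: the rule matched but nothing was blocked (SecRuleEngine DetectionOnly or a
    # log-only rule); an int is the status code the client actually received.
    rec['denied_code'] = int(denied.group(1)) if denied else None
    rec.update(FIELD_RE.findall(rest))   # id, msg, file, line, severity, hostname, uri, unique_id
    return rec

def summarize(log_text):
    """Blocked requests counted per (client, rule id), plus rule ids that only warned."""
    records = [r for r in map(parse_entry, log_text.splitlines()) if r]
    blocked = Counter((r['client'], r.get('id')) for r in records if r['denied_code'])
    warned_only = sorted({r['id'] for r in records if r['denied_code'] is None and 'id' in r})
    return blocked, warned_only

if __name__ == '__main__':
    blocked, warned_only = summarize(SAMPLE_ERROR_LOG)
    for (client, rule_id), n in blocked.most_common():
        print(f'{client:15} rule {rule_id}: {n} blocked')
    print('matched without blocking:', warned_only)
```

Run it against the real file with summarize(open('/opt/tengine/logs/error.log').read()); a rule id that shows up repeatedly for ordinary URIs is a candidate for tuning before it goes live.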
7. Troubleshooting the installation

1) APXS is missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2) pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the version loaded at run time. error.log then also contains:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614