|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
1 D% A4 S* {" ]) U# m# E4 a
- L3 q! b2 [5 Z% G+ G; c4 S一.准备工作
1 `/ n' W/ K7 T. O4 ^: h. W3 M# [( b$ d
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
2 a, I+ d- A* m! v+ \+ T; F# O& ?/ }3 n* P
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
6 X4 W) Z' v2 X7 ]) a0 v7 P9 i) M; _) s; E4 \5 H$ Z
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
0 ^1 L7 J& f0 l- f* V8 t7 [: G2 r9 P4 K1 B8 t4 U
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
$ ]" p1 q+ v* x4 @: t" ]+ n: d1 r/ L9 [! y; T+ ]
依赖关系:# _- e0 w8 ~' p$ z
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:6 O$ b' i; J" T, W& H6 g, O
; K4 y. @9 k2 Cyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
/ g: u& K, F- dmodsecurty依赖的包:pcre httpd-devel libxml2 apr
' _* S+ y1 c3 |. F# I/ }+ Y5 _/ W) ~$ m. t! u3 ~' k
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel/ P, t# ]3 T) ~( r7 R
二.启用standalone模块并编译
; M# a! m4 ]9 `# i0 z+ H3 U% ^1 v- D' P1 U
下载modsecurity for nginx 解压,进入解压后目录执行:
: q ~1 Z1 K0 C
8 [5 P7 h9 B5 u: A4 G./autogen.sh7 f% _" m8 u) i
./configure --enable-standalone-module --disable-mlogc
' c# f) K% u& z$ ~3 M) k9 ?3 X) @' ~make , ?# D# p {+ @& v3 K2 o% l
三.nginx添加modsecurity模块
/ s* W8 C# Q5 f; O* i
1 ?1 T) o! @( ~) o" O* n! u在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
$ t, T( D; p( [( [' _7 `3 `2 W7 b1 \ ?3 a0 {8 J; ~
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine2 j6 @* w7 }! V1 `, `
make && make install
' P8 R$ Y5 T1 V% u2 f+ x四.添加规则/ r1 c/ M: ^- G
/ s0 a M# Z) V& bmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
" _" u/ L% ^8 c. e5 \- m z0 y X
2 [/ a! B& c* q) d- D1.下载OWASP规则:# Q2 `7 M$ q9 d: [+ W% _' d
/ S& l& B/ V: r" _. Tgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs+ q" b. X7 e0 j& J
; y, d! {. ~$ mmv owasp-modsecurity-crs /opt/tengine/conf/9 P' P4 [+ G7 x- D/ ?5 g
d6 j8 q) X) l Lcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
6 ^! \; Q+ X9 w% W+ y- E2.启用OWASP规则:
9 f- S" F, c3 E! p; J' s1 k: f/ W8 j, M
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。. l& A9 n$ |6 P& Z
3 s/ {/ i/ t U0 G* d编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
( E u" ^% O1 { f% t9 z# I
$ E3 O% s6 Z) v+ y* {1 U" _owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。4 Z3 G' V* M, ^) h e ?
( p- z x% \4 K2 G: fInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf' T4 s4 s0 k: ~+ |+ d! {( S0 P# I8 H
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
. L! Z' K, N4 v- b" ~& N6 FInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ C5 o5 ]8 R- n, v2 JInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf! E0 s7 V; G0 B" v: M/ B( G9 e9 l
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
9 Z: p- r2 `. N2 {' L9 ^5 MInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
- U; F, S( S9 w: w ^8 M$ _& nInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
4 I0 P0 o# h) y# j/ F2 J! Q五.配置nginx7 I0 j! {% ^3 I! k$ a4 L- E
$ {" |# B& ^( Y6 a, @( i在需要启用modsecurity的主机的location下面加入下面两行即可:7 z4 h$ |4 ]1 ^. @! U( v3 O
# b* G" w+ }' g# z7 dModSecurityEnabled on; ' z: A- Z4 [, t5 S- x4 c1 o
ModSecurityConfig modsecurity.conf;
/ }1 Y% C% R& i8 z6 C下面是两个示例配置,php虚拟主机:
7 \/ ]! {* Q& [2 h8 D8 t8 Q8 O
server {
! A$ e, y9 p, i3 f, g listen 80;
+ a' Q( F5 d3 d6 m server_name 52os.net www.52os.net;1 `0 Y( K; [ [& k/ S
! L- e! K( T7 @# w location ~ \.php$ {+ y' j$ X7 J9 z3 T9 ~5 M& N
ModSecurityEnabled on;
, ^2 a3 Q! U. j; {6 L" o ModSecurityConfig modsecurity.conf;
\0 @: t- u) t: z
# n& K9 E% q" }7 R/ M root /web/wordpress;
+ r, [: y0 ^: k3 j+ d$ |' C index index.php index.html index.htm;5 T+ d% }; n. Z+ G) F% E! A6 ]" u8 s
P. [3 I3 R; h* g* G2 B6 Q+ Q# b O/ e
fastcgi_pass 127.0.0.1:9000;% I w& d3 G5 z- W9 L' ^9 W
fastcgi_index index.php;
3 }' d+ C# f3 i: C9 h fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
1 I2 w8 _! L1 G6 c5 ~* f include fastcgi_params;2 H5 Y9 g9 ^! _6 } b" m0 F& e6 o4 }
}
8 D' Z; G4 I. v5 W, }/ K }
/ t# D3 C3 J7 v7 Supstream负载均衡:$ ~- @4 h; `1 n4 g( B
9 s1 k+ ^, F( A! V) ?upstream 52os.net {
; a; W, M! u; `: x% u server 192.168.1.100:8080;! v0 H; J' h0 [) Z" |- M3 _
server 192.168.1.101:8080 backup;
- x" D. l% s: Q ?; C}
! o4 n& e6 r( |; ^1 l* l6 t! o
' W0 w& v0 ~1 P4 W& e4 V. [/ }- @server {
+ q( _7 e" d8 T, \; s1 T- {listen 80;* Z. u- y8 Y1 U( A
server_name 52os.net www.52os.net;
( A8 a- P6 K. I! K
. _, i3 J9 r9 d3 O( hlocation / {
8 x3 l8 L) s4 d& y) v ModSecurityEnabled on;
0 V" b1 O7 I0 _" @" l# ]! J ModSecurityConfig modsecurity.conf;
# T1 ~, I f4 u" I- Y3 W1 I) l- e! F6 Q: m" c" k& Z
proxy_pass http://online;
) C( U% d5 u7 q proxy_redirect off;# `; v1 P t- ?8 W2 ]. [" o1 k
proxy_set_header Host $host;
/ s; I' T5 Q" G. h w$ i2 h proxy_set_header X-Real-IP $remote_addr;
' ^8 `! t: m; Q8 ]5 z proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;4 G' V3 ~7 z; c4 ^
}
( V) m: `3 z5 U! s}
/ T7 ~+ m" L& b4 g六.测试
3 B2 L0 ?0 B' [) c5 @
# O6 G$ L; l0 A% P2 q" ]9 E( Q我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:% g& ^( @$ x4 @
3 g0 @ b7 s. k ]+ |( ^
<?php
$ p+ A# {% s, \' u' Z phpinfo();
1 L# K7 p# H! Z9 B. i9 H8 p?>
# Q0 e) \: \# R在浏览器中访问:
6 C2 K: [. G% X8 S
( J. ~, b3 M, Y7 {* W2 h1 {( |1 chttp://www.52os.net/phpinfo.php?id=1 正常显示。: m+ U, O! w. W! m6 m, N' L, W7 g/ O
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。0 {8 M' s. K7 v) g8 F) M+ g
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
7 [3 f4 S. u6 C/ @说明sql注入和xss已经被过滤了; z U/ L. s7 l$ S0 ^
# _% i4 Z2 ^, W: J七、安装过程中排错# A. z5 [# P6 ~. l" b, V0 g
5 W8 ^ [+ d5 O/ c5 U4 r1.缺少APXS会报错/ c& R: M! {1 a
6 j5 _8 g! Q. O% J
configure: looking for Apache module support via DSO through APXS
4 W- ]3 @$ ~; B* s0 B; xconfigure: error: couldn't find APXS
0 F7 o; n8 o4 h; B2 ~2 Rapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
0 P# w I. u4 w解决方法:
- U- G) Q7 _8 N/ y' q4 ?' p! O D
yum install httpd-devel+ B% n8 }, ^; k! ^3 e$ d
2.没有pcre% E1 ? I w! a. U" f( p
" [5 w7 u" {% s* s; v4 Q7 Tconfigure: *** pcre library not found.# r* |) C2 P! k% Q7 ?
configure: error: pcre library is required
4 c) E. J+ ~* P解决方法:
# x3 m; {( l. P, w! R, [% A, M7 O4 e/ H9 ]& y% B
yum install pcre pcre-devel
! }4 s0 `, e+ [% Q0 k3.没有libxml2) l7 @+ }* m, o) Q7 r0 L7 k* g& e; g
# [# X$ ]; J1 O- ~+ E' x
/ {# L3 ~2 ]" ~6 V: [) [, @configure: *** xml library not found.* _; Q0 W8 A% |* J" C
configure: error: libxml2 is required0 t. r: ~1 \5 j. u5 ~
解决方法:; a* H- K4 F N% B: a
. e& D1 E/ H' m& O2 Y, S- ^yum install libxml2 libxml2-devel( v# |, h1 Q+ Y+ t
4.执行 /opt/tengine/sbin/nginx -m 时有警告- R2 n8 ]+ y1 {
3 e& B: ?8 B x: @8 z, z. m" iTengine version: Tengine/2.1.0 (nginx/1.6.2)
' t2 |: G5 V* N- q# d$ p I& s$ unginx: [warn] ModSecurity: Loaded APR do not match with compiled!3 v5 N/ T; V2 N3 a3 w
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
5 W1 G0 H$ ^* j: R x0 X" l% U# q) @) h& B" o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured. [5 e& H2 z* t
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
$ g3 I. i2 F% k2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
( o8 g9 w- K% U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"3 v7 V6 b# d: ?1 {1 n, H* |' z, c3 r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"; Q6 t/ ]0 G6 k# _/ D l
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 [& A. u2 P' n; L6 i4 |
解决方法,移除低版本的APR (1.3.9)8 Q3 q' G* K; U/ u
4 S! i! G5 V. N; C0 G4 F
yum remove apr
* b' `( Y. i; \5.Error.log中有: Audit log: Failed to lock global mutex9 i5 |; D" @4 J4 W- j
) f* z' O6 h9 B R# R/ J7 _$ n0 X2 P2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
( o5 P' }, |& G. X- ]# aglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
0 r# b N9 Q5 |( X解决方法:1 Y2 [0 _5 b3 p& d& w: a5 q; k
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 e! ^. s: c/ {
/ a# E. t' M/ a/ T b" u. A. pSecAuditLogDirMode 0777% X$ a' Q$ I# E: n' T
SecAuditLogFileMode 0550
% N4 a& J' y- F2 V1 ASecAuditLogStorageDir /var/log/modsecurity
$ V+ t( p- w8 t9 ?- V/ @! \" T( r; RSecAuditLogType Concurrent! a6 F6 V( V& f% s/ h w
参考文章:; \8 \- d; P8 ^+ ^5 k" m$ v
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' ~7 W% l( ^7 H' J9 o- I2 u B
http://drops.wooyun.org/tips/2614 |
|