ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rule set OWASP provides is maintained by community volunteers and is known as the Core Rule Set (CRS); the rules are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs matches and blocks nothing).

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by pulling them in with Include; the setup file has to come before any rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
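A small checker for the configuration these steps produce, added here as an example (it is not code from this post or from the ModSecurity project). It parses modsecurity.conf-style directives, flags a SecRuleEngine left at DetectionOnly, catches rule files included before the CRS setup file, and, when given a directory, verifies that every Include target exists. Resolving relative Include paths against the conf_dir argument, the WEAK_CONF/FIXED_CONF samples and the script name in the usage comment are the example's own assumptions.

```python
"""Check a modsecurity.conf against the setup described above.

Added example; not code from the page or from the ModSecurity project.
It flags the three things that silently leave the WAF ineffective:
SecRuleEngine left at DetectionOnly (logs, never blocks), CRS rule
files included before modsecurity_crs_10_setup.conf (the rules then
run without the variables the setup file defines), and Include
targets that do not exist. Include paths are assumed to be relative
to the nginx conf directory passed as conf_dir, as in the layout above.
"""
import os
import sys


def parse_directives(text):
    """Yield (directive, value) pairs, skipping comments and blank lines.

    Apache-style backslash line continuations are joined so a multi-line
    directive is seen as a single one.
    """
    buf = ""
    logical_lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical_lines.append(buf + line)
        buf = ""
    if buf:
        logical_lines.append(buf)
    for line in logical_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def lint(text, conf_dir=None):
    """Return a list of findings; an empty list means the config matches the setup above."""
    findings = []
    engine = None
    includes = []
    for name, value in parse_directives(text):
        if name == "SecRuleEngine":
            engine = value
        elif name == "Include":
            includes.append(value)

    if engine is None:
        findings.append("SecRuleEngine is not set")
    elif engine.lower() != "on":
        findings.append(f"SecRuleEngine is {engine}: requests are logged, never blocked")

    # CRS 2.x: every folder of rules ends in "_rules/"; the setup file must precede them
    setup_idx = next((i for i, p in enumerate(includes)
                      if p.endswith("modsecurity_crs_10_setup.conf")), None)
    rule_idx = next((i for i, p in enumerate(includes) if "_rules/" in p), None)
    if rule_idx is not None and (setup_idx is None or setup_idx > rule_idx):
        findings.append("CRS rule files are included before modsecurity_crs_10_setup.conf")

    if conf_dir is not None:
        for path in includes:
            if not os.path.exists(os.path.join(conf_dir, path)):
                findings.append(f"Include target missing: {path}")
    return findings


# Constructed samples: the first keeps the default of modsecurity.conf-recommended
# and gets the Include order wrong; the second is what the steps above produce.
WEAK_CONF = """\
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
"""

FIXED_CONF = """\
SecRuleEngine On
SecRequestBodyAccess On
# a continued line, to show that the parser joins it
SecAuditLogParts \\
    ABIJDEFHZ
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""

if __name__ == "__main__":
    # usage (hypothetical script name): python check_modsec_conf.py /opt/tengine/conf/modsecurity.conf
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        conf_dir = os.path.dirname(os.path.abspath(sys.argv[1]))
    else:
        text, conf_dir = WEAK_CONF, None
    for finding in lint(text, conf_dir) or ["no findings"]:
        print(finding)
```

Run it against the real file after editing modsecurity.conf; an empty result means the engine is blocking and the rule files are reachable from the conf directory.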
V. Configure nginx

Add the following two lines to the location block of any virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host (only requests matching the .php location pass through ModSecurity here; nginx variable names are case-sensitive, so it is $document_root):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream with load balancing (the name after proxy_pass must match the upstream block):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

XSS and SQL injection filtering are now enabled, and suspicious requests are answered with a 403 immediately. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser (the browser URL-encodes the spaces and angle brackets; the rules decode the arguments before matching):

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The storage directory has to be writable by the user the nginx worker processes run as; 0777 achieves that by making it world-writable, so giving /var/log/modsecurity to the worker user with a tighter mode is the better long-term setting.
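The lines in items 4 and 5 follow nginx's error.log framing, so they can be parsed mechanically instead of read by eye. The following Python is added here as an example and is not code from this post or from ModSecurity: it extracts the compiled and loaded library versions from the startup notices, reports a mismatch the way item 4 describes, and pulls the client, uri and unique_id fields out of per-request errors such as the audit-log failure in item 5. The sample log is this post's own excerpt with the wrapped line joined; the first-token version comparison and the KNOWN_FAILURES hints are the example's own approximations.

```python
"""Parse the ModSecurity entries that nginx writes to error.log.

Added example; not code from the page or from the ModSecurity project.
It turns the startup notices and the per-request error lines shown
above into dicts, flags library version mismatches (the APR case in
item 4) and extracts the request fields from rule/audit errors (item 5).
"""
import re
import sys

# nginx error.log framing: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$"
)
# startup notice: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# bracketed request fields: [hostname ""] [uri "/i.php"] [unique_id "..."]
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]]+)\]")

# Remediation hints keyed by message prefix; the only entry is the case the page fixes.
KNOWN_FAILURES = {
    "Audit log: Failed to lock global mutex":
        "audit log directory not writable by the nginx worker user; "
        "set SecAuditLogStorageDir to a writable directory and SecAuditLogType Concurrent",
}

# Sample taken from the error.log excerpts above (the wrapped audit-log line is joined).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_entries(text):
    """Return one dict per well-formed error.log line; other lines are skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def library_versions(text):
    """Map library name -> (compiled, loaded); loaded is None when not reported."""
    versions = {}
    for e in parse_entries(text):
        m = VERSION_RE.search(e["msg"])
        if m:
            versions[m.group("lib")] = (m.group("compiled"), m.group("loaded"))
    return versions


def version_mismatches(text):
    """Libraries whose loaded version differs from the compiled one.

    Only the first whitespace-separated token is compared, so PCRE's "7.8 "
    against "7.8 2008-09-05" passes while APR's 1.5.0 against 1.3.9 does not.
    This is the example's own approximation of ModSecurity's check.
    """
    out = []
    for lib, (compiled, loaded) in library_versions(text).items():
        if loaded is None:
            continue
        if (compiled.split() or [""])[0] != (loaded.split() or [""])[0]:
            out.append(lib)
    return out


def modsecurity_errors(text):
    """Request-level ModSecurity errors with the client and bracketed fields extracted."""
    out = []
    for e in parse_entries(text):
        if e["level"] != "error" or "ModSecurity: " not in e["msg"]:
            continue
        rec = {"ts": e["ts"], "client": None}
        c = CLIENT_RE.search(e["msg"])
        if c:
            rec["client"] = c.group("ip")
        # the message is the text between "ModSecurity: " and the first bracketed field
        body = e["msg"].split("ModSecurity: ", 1)[1]
        first = FIELD_RE.search(body)
        rec["message"] = body[: first.start()].strip() if first else body.strip()
        for f in FIELD_RE.finditer(body):
            rec[f.group("key")] = f.group("val")
        out.append(rec)
    return out


def explain(rec):
    """Return the remediation hint for a parsed error, if the message is a known one."""
    for prefix, hint in KNOWN_FAILURES.items():
        if rec["message"].startswith(prefix):
            return hint
    return "no known remediation; look up this unique_id in the audit log"


if __name__ == "__main__":
    # usage: python modsec_errorlog.py /opt/tengine/logs/error.log  (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("version mismatches:", version_mismatches(text))
    for rec in modsecurity_errors(text):
        print(rec["ts"], rec["client"], rec.get("uri"), "->", rec["message"], "|", explain(rec))
```

Pointing it at a live error.log gives a quick post-restart check: an empty mismatch list means the APR fix from item 4 took effect, and any remaining error records carry the unique_id to look up in the concurrent audit log directory.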
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614