|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
! F E& x R2 w% b8 r2 T) ?, z( z4 M* R& v$ U2 x' a" h5 v
一.准备工作/ W8 _) w6 z1 ^7 _ T
1 C0 k6 D) C5 o$ f" X* z) g1 ]
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
/ M; U/ U& X5 B7 A
, t1 v) D3 Y w% rtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz, Z- `; O/ ~, C% o8 u% m6 K; V/ N
; T( d; I/ E4 G( k2 A
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz! m1 v2 V Q/ [& Z/ n
% Q1 V- J# f; l/ d: z+ g B, OOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs8 x8 ?) s7 ]" R8 M" }
7 T# N; i5 I3 J4 W. k8 _5 G& O依赖关系:& G2 G) ~% E' q, m* a3 b
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:: O# j2 Y5 t0 R/ i
8 C. @( C+ q* g8 ^yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
+ m8 y, A* z! @5 ^, h ]modsecurty依赖的包:pcre httpd-devel libxml2 apr
- n/ Z9 c. I* M6 q# C, d+ M3 N2 L( p @0 B- i0 R) U
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
8 F1 u( |- h8 n# ?二.启用standalone模块并编译% m- C3 Q) z% U7 t8 K) ]) g/ X
& h. Y3 @; R9 t7 L- [下载modsecurity for nginx 解压,进入解压后目录执行:
( k, L) U; _+ d3 }! B) u: w4 I7 y6 r" p
./autogen.sh
3 y/ n7 i3 m' w; E* y( C./configure --enable-standalone-module --disable-mlogc
( m8 V1 Q) R \- f; hmake 5 g- Y1 H) a* m% ]* {8 c* n
三.nginx添加modsecurity模块
& S7 x" Q" a, C/ \+ E( K6 c4 _
+ R- K3 I: j+ c. ?) Q0 j2 D在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
. l# c* J8 y! f2 C6 l
- q$ \. S$ W+ p8 x8 j6 ~ n./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
* K5 {# ?" l! R; @5 \( }make && make install
$ J p, G$ @ Y* s" X7 ?( `四.添加规则
7 d# P+ X% r8 N, e5 W2 }! a( `1 x, u3 d# {# Q0 t
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。: O+ T$ ]7 x( t0 m1 i+ J4 V
3 {7 [' i- k ]9 X1 f- l
1.下载OWASP规则:
' I7 _3 c+ i/ O0 d+ D# C- v& i; ^' w$ n3 d9 R9 s# e2 e
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
' j7 _/ b: k9 y6 w
M1 r7 u+ y; }' xmv owasp-modsecurity-crs /opt/tengine/conf/
3 R9 l& S. z8 e5 C% u" I( r l7 v/ T9 U7 M N
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
. s* Z$ d5 u+ {/ L" N8 G, y2.启用OWASP规则:
! X: r1 `' }6 Q1 R& R7 U4 H3 }' R& S7 X
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
+ F/ F. \% X! u& _7 T1 O, ~! A) v+ T
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on1 q2 q5 `3 F2 Y' }
( e. T- r" O5 }. Z
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。6 |* r! ^$ j, Y" b' K+ I
3 n. }9 J% {: f
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf. t5 _+ A6 R, U3 u6 V9 x
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
& R% M* s5 |1 A3 L/ g4 z+ i9 r8 Q, zInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
/ q8 g% n7 e1 k }# |Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
7 M Y* M, ^$ S e5 C4 l% nInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
3 b* p3 F, o( H8 {Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf# t6 i, b0 C1 I) R) N2 u& ]3 }1 d
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
- I" w1 U7 X6 ~# U! @$ p( w0 } G五.配置nginx0 ]1 \* U/ D! G, i7 U# a5 w
5 O) j! F" k' S: b3 h& k
在需要启用modsecurity的主机的location下面加入下面两行即可:# G+ R9 {" i: T/ g) q* @+ q
4 Z2 h' P/ o I! i
ModSecurityEnabled on;
2 _4 K! o- E: p1 OModSecurityConfig modsecurity.conf;
" \. g7 X h. H下面是两个示例配置,php虚拟主机:
$ c9 c4 |7 G/ f1 u7 j- k
0 w% G7 m+ b4 ?9 ?4 f2 Z: Aserver {
; G9 k$ Q3 f) i9 g9 N# T. L; B& m: I( ^ listen 80;: S1 z) ]8 ^8 \0 }* E) ]
server_name 52os.net www.52os.net;0 f+ n/ I3 l) I
4 ^! i3 D. K$ Y3 ]3 a5 T location ~ \.php$ {
& [( n. Y& L7 b; j+ k ModSecurityEnabled on; h4 x. L# E2 m: V: p* }! i: P6 g/ \
ModSecurityConfig modsecurity.conf;5 r8 l+ t3 R+ Q2 P
, ?% P" c) L6 p- I3 m% _ root /web/wordpress;
. j+ F/ Y% z4 {2 @! ? index index.php index.html index.htm;
; a a- o8 s. a- f9 H% N3 {
- {1 b; e' J3 e$ s- P6 u8 I fastcgi_pass 127.0.0.1:9000;
0 T( T1 ^, K0 B* C3 W& v q3 o fastcgi_index index.php;
3 [4 ^1 r* b% o! _' N: ] fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
6 }( D0 H" E, S include fastcgi_params;
6 m' s& m& |5 j8 l }
/ m" |9 l' d! [ }, H. I8 r7 `- H0 o9 L6 q
upstream负载均衡:! k: y1 C* A" k b$ h
* o& ]4 N6 k# N7 Cupstream 52os.net {# o) y K5 a5 H) X0 ]* u8 a
server 192.168.1.100:8080;
+ S. Z# o6 ?. M9 R+ Y+ m9 }7 v% _ server 192.168.1.101:8080 backup;9 l# K7 ` S, v0 ^& M" s% |
}
' X& Z3 R% v* w* k1 `9 @% z% w# I& N# \# o
server {
0 h2 s2 J" V+ N! U3 ]3 Alisten 80;
. J7 g9 x+ e1 i ]; |; Pserver_name 52os.net www.52os.net;9 ?: A: h! ^9 C1 B
) k/ Q5 [4 `1 Q1 b) W1 F2 U
location / {
. D; F+ r: P( U8 F ModSecurityEnabled on; + E6 R7 D* W) f h( @0 ~, _
ModSecurityConfig modsecurity.conf; ; y" ~9 n1 T$ P# z* I
+ {1 @/ M" D* N0 B; C proxy_pass http://online;
! J& u6 } K, U3 J' x# D proxy_redirect off;
- d2 Z5 j4 j* l+ D8 T7 P1 u' U) y3 K proxy_set_header Host $host;
8 a- @9 B( u s- G/ z proxy_set_header X-Real-IP $remote_addr;
; \- w( ~6 F& s! k' P proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
" p% z# k9 `% u) {$ @$ t% V, u% h+ n }5 j# K1 y r8 z" b( q3 o. t
}
+ h* N& s8 }& K' k六.测试 s# {! b) c. ?( }$ x
5 O- P2 v9 ^' N" B I' u4 _. d/ C我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
9 c" i1 t3 i+ U. U, v3 N: M1 |9 l/ F5 B
<?php
: D5 o: t6 o1 \ phpinfo();
! a% {" b Z' b+ F?>7 f H/ h$ H+ y$ [& w
在浏览器中访问:3 F, ?9 k- v$ ?1 M$ n: A* U. `
0 I- ?8 w% F4 g' H' Zhttp://www.52os.net/phpinfo.php?id=1 正常显示。
+ ^$ M8 y+ i7 qhttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
. g" q! M) c) H6 T, ? W: Ohttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。- N6 ?2 A$ a, T" \7 G. E; u
说明sql注入和xss已经被过滤了
4 e9 f3 h- W: u1 o& r9 Y% Q% Z, t9 H
七、安装过程中排错; [1 |' l6 F( i/ ?, T8 B4 b
, R6 v, ]. i4 z7 E$ s) _% w% T
1.缺少APXS会报错
: ~' S1 O* F3 v1 T( }7 P1 N
) s7 |: g! N; N: Nconfigure: looking for Apache module support via DSO through APXS- {0 G: R* O# h: A5 P" q
configure: error: couldn't find APXS
7 f; b- Z- W- Eapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
9 B0 t% P$ g) `解决方法:
3 G \& ?+ P. W: ^% @: x6 d' V1 J/ f( q2 C5 b" {3 u
yum install httpd-devel
. y# z$ Z+ ^) N5 t3 O' L B( z% u1 I( ^2.没有pcre+ ^( ~( I4 }. E# S" u( ^
6 g: C' T: R1 B# f L2 q2 L xconfigure: *** pcre library not found.
s% H6 ^ N$ s& bconfigure: error: pcre library is required
% s) |4 J5 F/ U解决方法:! c( b! ]* `2 j; A. P$ k- G
1 m4 t5 v5 p F. A+ Q; Myum install pcre pcre-devel
# t0 M) [2 H2 l( u. u8 l3.没有libxml2
}. L+ Z+ K( x: r0 h4 j% s+ T% K7 `1 q: z D6 I X3 H
; d' P5 X( T( o0 o% ^configure: *** xml library not found.7 v' b' E, F+ J9 k2 r' l
configure: error: libxml2 is required
3 ]% w0 Q; W, J& R' E0 D解决方法:
: ~& q- \2 W7 x8 s3 t( m4 ~0 d$ Z
yum install libxml2 libxml2-devel) M! O8 M4 L3 ^7 L# Y$ ?" @/ @
4.执行 /opt/tengine/sbin/nginx -m 时有警告" `2 Y" m) X7 u; z; B
! F$ h9 G# `5 z$ S E
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
4 n% s$ B9 ]" U% S* `" ~nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
( D# E# H8 i% u' {原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log4 n( r* L# l1 X6 Y) b
$ M3 U/ U' L1 M2 @% I
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
' K' K( a' w K/ k4 \2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
" \& y1 q, {5 }0 t8 g2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
9 N+ {, W: d P4 B2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"/ ?$ H7 B' ^, E2 u$ `0 r
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 r: K) Z& P i" b2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
0 |7 F4 C! M: K F$ H解决方法,移除低版本的APR (1.3.9)
6 f s' M* V( R* E$ H$ P8 e0 j. ~. V9 p4 v
yum remove apr
+ I6 J7 f3 O; s, l# h& H5.Error.log中有: Audit log: Failed to lock global mutex
1 p. s5 a7 t1 A) p7 c8 v/ y: P
+ T2 {. u s$ p! j6 E& X+ k7 B2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock + X& Y: Q7 o4 O2 F1 ?
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
0 A/ ~7 l: N9 @2 J0 o/ U4 U解决方法:% ]/ j) S0 c& B# N4 h
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:* \; K7 A: E: G( B' d
8 `) ?' y. d/ k c! }
SecAuditLogDirMode 0777
3 F5 k$ E* }5 |SecAuditLogFileMode 0550
5 J1 j+ ?" h9 E8 m/ B0 KSecAuditLogStorageDir /var/log/modsecurity
$ H9 E: o! N( C6 |4 cSecAuditLogType Concurrent
, |# F4 j2 W/ e Q4 `参考文章:8 p* I: w: Y1 r$ z# S3 E) D
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX7 Z# k6 T& y! f
http://drops.wooyun.org/tips/2614 |
|