ModSecurity started out as an open-source WAF for Apache and is an effective way to harden web applications; it now supports nginx and IIS as well. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful. You can of course also write custom rules for whatever your application needs.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs matches without blocking them).

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need, by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # inspect every PHP request with ModSecurity before it reaches php-fpm
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# pool name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        # requests are inspected here, on the proxy, before being forwarded
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests are rejected with a 403. Using the PHP setup as an example, create a file phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS attempts are being filtered. (Delete phpinfo.php once testing is done; it discloses the server's configuration.)
7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2) pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5) error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

In Concurrent mode each transaction is written to its own file under SecAuditLogStorageDir, so the worker processes no longer need to lock the serial log's shared mutex. The directory must be writable by the user the nginx workers run as; a mode tighter than 0777 (writable by that user or its group only) is enough.
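To confirm the 403s from section 6 and spot the two error.log conditions from section 7 without reading the log by hand, here is an added Python example (not part of the original post) that parses ModSecurity's nginx error.log lines into structured events. It assumes the line layout quoted above; the embedded sample log is constructed, and the client IP, rule id and unique_id of its "Access denied" entry are made up.

```python
import re

# Constructed sample modelled on the error.log lines quoted in section 7; the
# client IP, rule id and unique_id on the final "Access denied" line are made up.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [id "000000"] [msg "SQL Injection Attack"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0000000000001"]
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # trailing [key "value"] pairs
VERSION_RE = re.compile(r'(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')

def parse_line(line):
    """Parse one ModSecurity error.log line into a dict; other nginx lines give None.
    'message' is the free text before the first [key "value"] pair; the pairs go into 'fields'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group('msg')
    first = FIELD_RE.search(msg)
    return {'timestamp': m.group('ts'), 'level': m.group('level'), 'client': m.group('client'),
            'message': (msg[:first.start()] if first else msg).strip(),
            'fields': dict(FIELD_RE.findall(msg))}

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def blocked_requests(events):
    """Section 6: one 'Access denied with code 403' event per rejected test URL."""
    return [e for e in events if e['message'].startswith('Access denied with code 403')]

def library_mismatches(events):
    """Section 7 item 4: libraries whose loaded version differs from the compiled one.
    Only the version number is compared, so PCRE's "7.8 " / "7.8 2008-09-05" is not flagged."""
    out = []
    for e in events:
        m = VERSION_RE.search(e['message'])
        if m and m.group(2).split()[0] != m.group(3).split()[0]:
            out.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return out

def audit_lock_failures(events):
    """Section 7 item 5: audit-log mutex errors that need the SecAuditLog* change."""
    return [e for e in events if e['message'].startswith('Audit log: Failed to lock')]
```

Run it against the real file with parse_log(open('/opt/tengine/logs/error.log').read()) or whatever error_log path your nginx.conf sets.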
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614