ModSecurity was originally an open-source WAF for Apache that effectively hardens web security. It now also supports Nginx and IIS; combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0
Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for Nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written to meet any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want is simply pulled in with an Include directive:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

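As an added example that is not part of the original article, the following Python pre-flight check parses a modsecurity.conf like the one assembled above, resolves its Include paths against nginx's conf directory, and warns when SecRuleEngine is not On or when the audit log directory mode is world-writable. The sample configuration and the set of files assumed to exist are constructed; the /opt/tengine/conf path follows the article.

```python
import os
import re

# Constructed sample modsecurity.conf in the layout this article builds under
# /opt/tengine/conf (example content, not the page's own file).
SAMPLE_CONF = """
SecRuleEngine DetectionOnly
SecAuditLogType Concurrent
SecAuditLogDirMode 0777
SecAuditLogStorageDir /var/log/modsecurity
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""
# Files assumed present for the sample; the setup .example has not been renamed yet.
SAMPLE_FILES = {
    "/opt/tengine/conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example",
    "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf",
    "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf",
}

DIRECTIVE = re.compile(r"^\s*(Sec\w+|Include)\s+(.+?)\s*$")


def check_modsec_conf(conf_text, conf_dir, exists=os.path.exists):
    """Report what would keep this modsecurity.conf from actually blocking."""
    settings, missing, warnings = {}, [], []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip('"')
        if name == "Include":
            # relative Include paths resolve against nginx's conf directory
            path = value if os.path.isabs(value) else os.path.join(conf_dir, value)
            if not exists(path):
                missing.append(path)  # this rule file would never be loaded
        else:
            settings[name] = value
    engine = settings.get("SecRuleEngine", "not set")
    if engine != "On":
        warnings.append("SecRuleEngine is %s; set it to On so matching requests are blocked" % engine)
    if settings.get("SecAuditLogDirMode") == "0777":
        warnings.append("SecAuditLogDirMode 0777 makes the audit log directory world-writable")
    return {"rule_engine": engine, "missing_includes": missing, "warnings": warnings}


def demo():
    # `exists` is injectable so the check runs against the constructed file set
    return check_modsec_conf(SAMPLE_CONF, "/opt/tengine/conf", exists=lambda p: p in SAMPLE_FILES)
```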
V. Configure nginx

Add the following two lines to the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with 403 directly. Taking the PHP environment as an example, create a phpinfo.php with the following content:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS are being filtered.

VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. The following also appears in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
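As an added example (not from the original article), a small Python triage of the error.log lines shown in items 4 and 5 above: it flags libraries whose compiled and loaded versions differ (comparing only the version number, so PCRE's "7.8 " vs "7.8 2008-09-05" is not a mismatch) and extracts the client, URI and unique_id from "Failed to lock global mutex" events. The sample log is constructed from the lines quoted in this article.

```python
import re

# Constructed sample of a Tengine error.log after starting ModSecurity 2.8.0;
# the lines mirror the ones quoted in this article.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

VERSIONS = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')
AUDIT_LOCK = re.compile(r"\[client ([^\]]+)\] ModSecurity: Audit log: Failed to lock global mutex: ([^\[]+)")
FIELD = re.compile(r'\[(hostname|uri|unique_id) "([^"]*)"\]')


def version_token(s):
    """Keep only the x.y.z part: PCRE reports '7.8 ' against '7.8 2008-09-05'."""
    return s.strip().split(" ", 1)[0]


def triage_error_log(lines):
    """Return library version mismatches and audit-log lock failures found in error.log lines."""
    mismatches, lock_failures = [], []
    for line in lines:
        m = VERSIONS.search(line)
        if m:
            lib, compiled, loaded = m.groups()
            if version_token(compiled) != version_token(loaded):
                # e.g. APR 1.5.0 vs 1.3.9: a stale library is still installed
                mismatches.append((lib, compiled.strip(), loaded.strip()))
            continue
        m = AUDIT_LOCK.search(line)
        if m:
            # the audit log directory is not writable by the nginx worker user
            event = {"client": m.group(1), "reason": m.group(2).strip()}
            event.update(FIELD.findall(line))
            lock_failures.append(event)
    return {"library_mismatches": mismatches, "audit_lock_failures": lock_failures}


def demo():
    return triage_error_log(SAMPLE_LOG.splitlines())
```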