|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
* x e, w6 f& `. F2 Y" n$ | c% c% p: x3 r0 H
一.准备工作. u+ ?* h" {7 l: `7 L- T
' L/ L5 [. y7 w# ]* C# c( q
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0% K+ D- L$ n- Y, G; h$ }8 {$ p; N
1 s/ `( B4 m; Btengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz! ]- d# U* B+ ?: v( w+ K/ i. \0 ]8 u
% G8 U) g) M$ Q! B: j7 V: F
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
7 P) i+ P% i6 q* l |0 m' {
: z5 j) A6 @& k& V1 }) |6 C7 AOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
4 V0 A6 A {9 ]8 w3 D5 [ O
1 ]) ^ |- X! Z' d依赖关系:
( R* Z3 v: }+ s3 Atengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
* q& v0 ]9 }- A/ B; X# l% Q& F4 j2 X/ L
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
. `; T5 z6 p7 ]+ s% f9 E, w8 c+ J1 @modsecurty依赖的包:pcre httpd-devel libxml2 apr. M4 E4 Z* }' ?2 X% M* E# m+ K
; \1 M. N9 f8 g! ?( W3 R
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
# r$ [& [' L8 K+ P二.启用standalone模块并编译1 d2 r/ u( d+ u2 C6 h$ V
' I+ M& T, s% T5 z$ {2 [8 a& u
下载modsecurity for nginx 解压,进入解压后目录执行:7 g r! i. p; _9 H0 d; n) j
& ~) J+ V6 i$ I! E& c7 j
./autogen.sh8 B( \+ C( a5 k. L5 T" K/ t
./configure --enable-standalone-module --disable-mlogc
5 b# L* \$ s, l) `/ F9 xmake ) b6 J7 Z, \1 C! c
三.nginx添加modsecurity模块
, b# b3 ]4 ^7 C3 H1 u" j+ z
$ |( E3 h# Z. f$ [- N在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
$ v4 x8 }! a/ {0 k( v% |/ U2 T
) o5 d1 s$ T/ `3 y- N+ N5 W" ?./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine: s6 [' X. z# |$ o+ A
make && make install
" l6 k; q, x9 K& w% y& B四.添加规则
' s v/ x- J, F2 C* \# ?1 o/ S
: ]) J! y- Z0 s8 L$ X3 omodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。4 ]/ B/ L- x% t$ {9 P
) R G+ a) `; I4 ]) x1.下载OWASP规则:
|$ i% F* t8 n) e0 V) x
7 P! b8 y4 t( y) }* p! ~! [git clone https://github.com/SpiderLabs/owasp-modsecurity-crs3 {6 n: `3 f, S! b
. s. P+ ]" @6 e& `# B- I6 N9 j
mv owasp-modsecurity-crs /opt/tengine/conf/5 |% y( \+ A8 E' H: U8 [# W( ]
5 t5 ?3 h" J% \1 E2 J3 k
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
1 R. a' Q8 Q+ d" m2.启用OWASP规则:
: Z& ^- z# _. I/ x1 \: L0 D0 d3 p# i, |& \) U( O
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。" n: |5 t/ t3 c8 L" J! t# m; O
/ K$ C# ?. o2 j) ^, k' W( ]编辑modsecurity.conf 文件,将SecRuleEngine设置为 on3 f8 A' e& z" T' W/ \# r+ b
1 R& N. ^8 ] f) L4 @' y- ~5 K9 qowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。; r% j1 a, s6 }2 H; t
! Z# d" V7 `* a0 N( G3 G1 a! d
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf# {, o5 |! K6 k, S) ^
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf$ h2 ~% \1 W! q' \3 B
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf7 R( I$ O f3 U
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf" h8 R/ p0 t$ a& _
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf% _$ j# ^$ {5 v$ D3 w
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf: g3 x; W* v9 R3 r* a. m# r
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf4 d7 u1 N' e" d" t( l$ N& q
五.配置nginx
5 i4 U; i/ o1 S' I# H X; O; n1 f5 x! `% H0 m
在需要启用modsecurity的主机的location下面加入下面两行即可:
' {+ m( j$ l- Q1 p5 N% B/ d2 ?2 Q P$ _( l% H6 P3 [0 K( h" j
ModSecurityEnabled on;
& M4 M- }, m Z" e: \: @ z) RModSecurityConfig modsecurity.conf;: k6 g5 p) Q6 ?) Q2 h7 u
下面是两个示例配置,php虚拟主机: Z. ]1 ^0 v) c( l" E
f* D& f. O9 k# P
server {
/ s& p' b& x$ t8 A+ x listen 80;
1 O) F- P9 c( K server_name 52os.net www.52os.net;
* |: m7 ]) s1 s0 `2 e/ z9 o ) N2 m" E& r/ q! ]. H
location ~ \.php$ {
* w) {4 Y# Q. R% a7 }6 |& g1 T ModSecurityEnabled on; 2 A) S8 e# z6 V% E
ModSecurityConfig modsecurity.conf;
; o* l& x8 |3 ?! E& y( e
5 D) Y3 Y; L' i3 L8 r! X' c root /web/wordpress;
) s2 _& f+ k' Y; ^5 X4 m index index.php index.html index.htm;
' A/ c" O, y9 U3 B5 l4 ^5 l . {' p# W6 {' o% H; O4 s
fastcgi_pass 127.0.0.1:9000;6 X; f' A+ P3 N
fastcgi_index index.php;$ L0 ^& l# @+ u
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;- ?) P4 C) l4 P" P" T/ v
include fastcgi_params;
- U k7 v( C z5 I( n$ X r+ d }% [" _7 \: `+ h! `
}
5 T9 v) x+ A6 T4 u* w- y+ Oupstream负载均衡:; ~; d1 `, y8 h
* L' p- x2 p4 ? o7 ?, _* ?7 v
upstream 52os.net {
9 z3 O9 y- M* f+ M5 L server 192.168.1.100:8080;5 e* [6 u- I/ k* G6 B4 E
server 192.168.1.101:8080 backup;
/ N1 d3 X, m4 r! }: O}
1 q E3 \4 f+ n
5 @" o2 c- }+ ~% U4 c2 f9 `: Bserver {
# e3 t) S6 d; X" W+ ]6 Vlisten 80;
% D, x: [( x g$ y9 E6 m0 Eserver_name 52os.net www.52os.net;& H0 i) t, [+ V, B( B
: E* t9 K$ E9 m' r# d
location / {
0 t, A/ I6 F& P1 n ModSecurityEnabled on;
( u6 z7 o* d3 s: x! v4 Q% M' j ModSecurityConfig modsecurity.conf;
: }& k+ E" W* r0 I$ l1 |9 c3 g/ @5 O. b( ]" }8 @/ o4 V
proxy_pass http://online;0 X6 Z7 @& }& k Y6 j. T
proxy_redirect off;/ D+ b; M @6 r) a
proxy_set_header Host $host;
/ H! N0 B) {4 v2 k* K' S! P proxy_set_header X-Real-IP $remote_addr;
' n. ~1 V3 a+ \3 i/ L proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;+ E0 u0 z3 A( s0 D$ Y5 y/ J# f" `
}
$ r Z% Y3 b' ~0 E& A5 {% v}* d% m4 w0 G2 K& I
六.测试
1 b' C4 ]4 h+ R# |# N# c7 t9 ]* ^! |# y9 U
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:# y! k# C; I2 }1 i
+ v+ B0 c% c( {6 a7 n# j<?php
1 Z, ^/ j+ f, l5 N phpinfo(); % d @/ y9 B) v/ c% x; q
?>
' i6 E- ~ v4 Y+ m8 P在浏览器中访问:
& F6 D4 I8 F$ W. {) r [ x8 n5 w' R3 @& h# \8 z
http://www.52os.net/phpinfo.php?id=1 正常显示。5 ]0 ]/ A N$ Z/ w4 _5 y8 B. o: X0 o& T
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。. }% t. X: v# P& u& O* z3 X
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。* G/ A% F$ m9 x3 J" m! `; a! i* `
说明sql注入和xss已经被过滤了
$ i9 ]7 ~, ?; r/ B6 \6 g) C- }- a G4 [' z" x6 y# F
七、安装过程中排错
# I, X, X& G. t% u7 Z4 b
" R9 @; p$ c2 P) n+ X, D" m6 G& s1.缺少APXS会报错
; n; n* g- R$ V* g8 L! L8 B8 n% d4 J" @2 O2 g
configure: looking for Apache module support via DSO through APXS$ e, h2 V; ^ J' A( M8 q
configure: error: couldn't find APXS$ `; I, {$ Z( q8 `- S2 W+ |! P
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
; o- ^" |) P# q2 S7 O5 z解决方法:
/ O( e* p0 x, f( ]+ D
! U, `- S: S9 ^, c! Jyum install httpd-devel p" d& X; `# Z& [
2.没有pcre
5 G; U. C m$ F* g1 ^8 N; {( f( w: I4 @7 B
configure: *** pcre library not found. y$ V0 ~: _/ a
configure: error: pcre library is required
% b! s6 | t) N& {3 C' a2 d7 j5 A解决方法:! @% `- q; J' N0 y* S, ^# m* |0 q
& H6 H6 J8 G, u; {6 _, Uyum install pcre pcre-devel/ W% z0 `$ `7 I$ h8 B. m1 K
3.没有libxml24 Z4 U8 J- Y6 P
! ?: s4 S c5 V: U! U# S+ N- D/ T; r& C8 E5 u
configure: *** xml library not found.
$ d% D( c% r) ~configure: error: libxml2 is required
; L; I0 R: i9 T' j7 s! B解决方法:2 C% d* V& h. w1 W
0 J: J9 Z' p3 G& }' wyum install libxml2 libxml2-devel c4 t8 {6 N# R1 ?+ C
4.执行 /opt/tengine/sbin/nginx -m 时有警告) l) v* O& D1 X) X; |3 |
# N: b0 B! j. Z B R+ ^% w5 |Tengine version: Tengine/2.1.0 (nginx/1.6.2)3 p2 j5 H! l+ X" R1 O: g: u' y0 b3 x8 \# W
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
) _2 u1 b0 f0 c3 B9 i9 A( w4 W原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log8 W# ^1 G6 O( v3 ?1 O! l2 `$ a# q6 i- d
+ h+ I" _9 |5 ~ ~% j- Z1 ` J, \% ]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
6 n* G" e, _0 Z, s+ I) o5 W2 z- {2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2 m7 u+ }( V3 p9 E# y9 f: U2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!0 ~% K9 L+ x, P( s: z
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
& n7 M5 Q2 A: [; |0 y* w. d2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6") O& E6 a7 F9 e1 p3 G' t" q7 J
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.! n" B6 c$ U$ m& W- |# u9 F# y; S
解决方法,移除低版本的APR (1.3.9)' z( q0 z, m+ ?; p" M1 ~2 V. z
7 \9 _. _ p i2 G) O7 Q% }
yum remove apr
( V! \( f X* S/ v$ R1 O5.Error.log中有: Audit log: Failed to lock global mutex! R/ U; q! O+ m$ }( r; K5 Q
1 R$ g7 P0 f9 o) A5 L5 l9 C
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock / ]' T9 V: }) ~# Z" V' I/ i
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]& T$ N6 j/ {4 E7 z+ O
解决方法:9 s, u+ r% E7 @+ s) h+ v( q- ?
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:3 ~, I1 X. e% o/ g% J2 P
3 Y0 C% n; X1 v- s# y9 s( _9 `: qSecAuditLogDirMode 0777) ], j" h6 c4 R" q! X6 u0 X0 x/ a
SecAuditLogFileMode 05503 m7 I: l- d$ l
SecAuditLogStorageDir /var/log/modsecurity9 Z, X5 C; c! v
SecAuditLogType Concurrent' V5 _* F+ ~( i/ }
参考文章:
% u$ L' h# \$ f- b) ~https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX' e1 J. x! H, k1 |) ?! M9 }
http://drops.wooyun.org/tips/2614 |
|