ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write your own rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files into modsecurity.conf with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
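A mistyped Include path or a forgotten SecRuleEngine On (modsecurity.conf-recommended ships with DetectionOnly) only shows up when nginx is reloaded. The following checker is an added example, not code from the post or from the ModSecurity project: it reads a modsecurity.conf, resolves each Include and reports the ones missing from disk together with the effective SecRuleEngine value. It assumes that relative Include paths resolve against the directory holding modsecurity.conf, which in the layout above is /opt/tengine/conf; the SAMPLE_CONF text is constructed for illustration and the `exists` parameter is injectable so the logic can be exercised without touching the filesystem.

```python
"""Check a modsecurity.conf before reloading nginx (added example)."""
import os
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
ENGINE_RE = re.compile(r"^\s*SecRuleEngine\s+(\S+)\s*$", re.IGNORECASE)


def parse_conf(text: str) -> Tuple[List[str], Optional[str]]:
    """Return (Include paths in order, last SecRuleEngine value or None).

    Comment and blank lines are skipped. The last SecRuleEngine directive wins,
    so an "On" added below the shipped "DetectionOnly" takes effect."""
    includes: List[str] = []
    engine: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        inc = INCLUDE_RE.match(stripped)
        if inc:
            includes.append(inc.group(1))
            continue
        eng = ENGINE_RE.match(stripped)
        if eng:
            engine = eng.group(1)
    return includes, engine


def check_conf(text: str, base_dir: str,
               exists: Callable[[str], bool] = os.path.isfile) -> Dict[str, object]:
    """Resolve every Include against base_dir (assumption: that is how relative
    paths are resolved here) and classify it as present or missing.
    `exists` is injectable so the logic can be tested without real files."""
    includes, engine = parse_conf(text)
    present: List[str] = []
    missing: List[str] = []
    for inc in includes:
        target = inc if os.path.isabs(inc) else os.path.join(base_dir, inc)
        (present if exists(target) else missing).append(inc)
    return {"engine": engine, "present": present, "missing": missing,
            "blocking": engine is not None and engine.lower() == "on"}


# Constructed sample: the post's first Include lines plus one deliberately
# misspelt path (xss_attack instead of xss_attacks).
SAMPLE_CONF = """\
# shipped default; overridden below
SecRuleEngine DetectionOnly
SecRuleEngine On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attack.conf
"""


def main(argv: List[str]) -> int:
    conf_path = argv[1] if len(argv) > 1 else "/opt/tengine/conf/modsecurity.conf"
    with open(conf_path, encoding="utf-8") as fh:
        report = check_conf(fh.read(), os.path.dirname(os.path.abspath(conf_path)))
    print(f"SecRuleEngine: {report['engine']}  (blocking={report['blocking']})")
    for path in report["missing"]:
        print(f"MISSING: {path}")
    return 1 if report["missing"] or not report["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_modsec_conf.py /opt/tengine/conf/modsecurity.conf`; a non-zero exit means either a missing rule file or an engine that is not actually blocking, both of which are worth knowing before the reload.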
V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $Document_root is rejected as unknown
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS attempts are being filtered.
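The three browser checks above are easy to automate so they can be re-run after every rule or nginx change. The script below is an added example, not code from the post or from the ModSecurity project: it issues the same three requests against phpinfo.php and verifies the expected 200/403/403 status codes. The query strings are percent-encoded with urllib so the space in "and 1=1" and the angle brackets survive the trip (ModSecurity decodes ARGS before the rules run). The base URL defaults to the post's www.52os.net and the HTTP call is injectable, so the pass/fail logic can be exercised offline against a stand-in for the WAF.

```python
"""Smoke-test the WAF with the requests from the post's test section (added example)."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed cases mirroring the post's test URLs: (query parameters, expected status).
CASES: List[Tuple[Dict[str, str], int]] = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET the URL and return the status code. urllib raises HTTPError for
    4xx/5xx, which for a WAF test is a result, not a failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def build_url(base: str, path: str, params: Dict[str, str]) -> str:
    """Percent-encode the query so spaces and angle brackets travel intact."""
    return f"{base.rstrip('/')}/{path.lstrip('/')}?{urllib.parse.urlencode(params)}"


def run_smoke_tests(base_url: str, path: str = "phpinfo.php",
                    fetch: Callable[[str], int] = http_status) -> List[Tuple[str, int, int, bool]]:
    """Run every case and return (url, expected, observed, passed) tuples."""
    results = []
    for params, expected in CASES:
        url = build_url(base_url, path, params)
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


def all_passed(results: List[Tuple[str, int, int, bool]]) -> bool:
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    outcome = run_smoke_tests(base)
    for url, expected, got, ok in outcome:
        print(f"{'PASS' if ok else 'FAIL'} {got:>3} (expected {expected}) {url}")
    sys.exit(0 if all_passed(outcome) else 1)
```

A failing first case (the plain id=1 request not returning 200) usually means the rule set is too aggressive for the application, while failing second or third cases mean the engine is still in DetectionOnly mode or the relevant Include lines are missing.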
; i( v K" Q9 y! M; }
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog directives, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
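Both the version mismatch in item 4 and the mutex error in item 5 surface as ModSecurity lines in nginx's error.log, and the same bracketed `[key "value"]` layout is used when a rule fires (with id and msg fields), so a small parser pays off during setup and later for detection. The following is an added example, not code from the post or from the ModSecurity project: it splits each line into timestamp, level, pid, client, the free-text message and the bracketed fields, and flags every "compiled version / loaded version" notice whose versions differ. The SAMPLE_LOG text is copied from the error.log excerpts shown above; the version comparison (leading dotted number only) is this example's own heuristic, not ModSecurity's exact check.

```python
"""Parse ModSecurity entries in nginx's error.log (added example)."""
import re
import sys
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^\[client (?P<client>[^\]]+)\] ")
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; '
    r'loaded version="(?P<loaded>[^"]*)"')

# Sample copied from the error.log excerpts in the post.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one error.log line into its parts; None for lines in another format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    client = None
    cm = CLIENT_RE.match(msg)
    if cm:
        client = cm.group("client")
        msg = msg[cm.end():]
    fields = {k: v for k, v in KV_RE.findall(msg)}   # [uri "/i.php"] -> uri: /i.php
    message = KV_RE.sub("", msg).strip()             # free text without the fields
    return {"ts": m.group("ts"), "level": m.group("level"), "pid": int(m.group("pid")),
            "client": client, "message": message, "fields": fields}


def _numeric_prefix(version: str) -> str:
    """Heuristic used here: '7.8 2008-09-05' -> '7.8', '1.5.0' -> '1.5.0'."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return m.group(0) if m else version.strip()


def version_mismatches(records) -> List[Tuple[str, str, str]]:
    """(library, compiled, loaded) for every notice whose versions differ."""
    out = []
    for rec in records:
        if rec is None:
            continue
        vm = VERSION_RE.search(rec["message"])
        if vm and _numeric_prefix(vm.group("compiled")) != _numeric_prefix(vm.group("loaded")):
            out.append((vm.group("lib"), vm.group("compiled"), vm.group("loaded")))
    return out


def summarize(text: str) -> Dict[str, object]:
    """Parse a whole log body; collect warn/error records and version mismatches."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    errors = [r for r in records if r and r["level"] in ("error", "warn")]
    return {"records": records, "errors": errors, "mismatches": version_mismatches(records)}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(text)
    for lib, compiled, loaded in report["mismatches"]:
        print(f"{lib}: compiled {compiled!r} but loaded {loaded!r}")
    for rec in report["errors"]:
        print(f"{rec['ts']} [{rec['level']}] client={rec['client']} "
              f"uri={rec['fields'].get('uri')} {rec['message']}")
```

Running it without arguments parses the embedded sample and reports the APR 1.5.0/1.3.9 mismatch plus the mutex error with its client, uri and unique_id; pointing it at the live error.log gives the same view of rule hits once the CRS is active.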
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614