ModSecurity started out as an open-source WAF for Apache and noticeably improves web security. It now also supports nginx and IIS, and combined with nginx's flexibility and performance it can be built into a production-grade WAF, a very useful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install

4. Add rules

ModSecurity is built to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for any other need.

1) Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include line for each of them to modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

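As an added example that is not part of the original post, here is a small pre-flight check for the modsecurity.conf described above. It confirms that SecRuleEngine is On (DetectionOnly or Off would only log, not block) and that every Include line resolves to an existing rule file, which is the most common reason nginx refuses to start after the CRS files are wired in. It assumes, as in this post's layout, that relative Include paths are resolved against the directory holding modsecurity.conf; the function name modsec_conf_check and the demo directory it builds are my own.

```shell
# Added example, not from the original post: pre-flight check for the
# modsecurity.conf that nginx loads through "ModSecurityConfig".
# Assumption: relative Include paths resolve against the directory that
# holds modsecurity.conf (the layout used in this post:
# /opt/tengine/conf/modsecurity.conf and /opt/tengine/conf/owasp-modsecurity-crs/).
# Prints the number of problems on stdout, details on stderr, and returns
# non-zero when anything is wrong.
# Usage: modsec_conf_check /opt/tengine/conf/modsecurity.conf

modsec_conf_check() {
    conf="$1"
    problems=0

    if [ ! -f "$conf" ]; then
        echo "config file not found: $conf" >&2
        echo 1
        return 1
    fi
    dir=$(dirname "$conf")

    # 1. The rule engine must actually be enabled, otherwise nothing is blocked.
    if ! grep -Eiq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$conf"; then
        echo "SecRuleEngine is not set to On in $conf" >&2
        problems=$((problems + 1))
    fi

    # 2. Every Include must point at an existing file; a missing rule file
    #    makes nginx refuse to start. Wildcards in Include lines are expanded.
    missing=$(grep -Ei '^[[:space:]]*Include[[:space:]]' "$conf" | awk '{print $2}' |
        while read -r inc; do
            case "$inc" in
                /*) pat="$inc" ;;
                *)  pat="$dir/$inc" ;;
            esac
            for f in $pat; do            # unquoted on purpose: expands wildcards
                [ -f "$f" ] || echo "$f"
            done
        done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/Include not found: /' >&2
        problems=$((problems + $(printf '%s\n' "$missing" | wc -l)))
    fi

    echo "$problems"
    [ "$problems" -eq 0 ]
}

# Constructed demo layout so the check can be tried without a real install:
# one of the two included rule files is deliberately missing.
demo=$(mktemp -d)
mkdir -p "$demo/owasp-modsecurity-crs/base_rules"
: > "$demo/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
printf '%s\n' 'SecRuleEngine On' \
    'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf' \
    'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf' \
    > "$demo/modsecurity.conf"
modsec_conf_check "$demo/modsecurity.conf" || true   # reports the missing xss file, prints 1
rm -rf "$demo"
```

Run it against the real file before "nginx -t"; a non-zero exit with the offending paths on stderr tells you which Include to fix, and a count of 0 means the engine is on and every rule file is in place.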
5. Configure nginx

Add the following two lines to the location of every virtual host that should be protected by ModSecurity:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

An upstream load-balancing setup (the name in proxy_pass must match the upstream block):

    upstream 52os.net {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://52os.net;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

6. Testing

With the XSS and SQL injection filters enabled, malicious requests are answered with a 403 straight away. Using the PHP setup as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open the following URLs in a browser:

    http://www.52os.net/phpinfo.php?id=1                                   displays normally.
    http://www.52os.net/phpinfo.php?id=1 and 1=1                           returns 403.
    http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS attempts are being filtered.

7. Troubleshooting the installation

1) APXS is missing

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2) pcre is missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3) libxml2 is missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5) error.log contains "Audit log: Failed to lock global mutex"

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent

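As an added example that is not part of the original post, the following shell function scans error.log for the two run-time problems in items 4 and 5 above: the APR compiled/loaded version mismatch and the audit-log mutex failure. The function name modsec_log_check is my own; the sample log lines embedded in the demo are the ones quoted above. One caveat on item 5: SecAuditLogDirMode 0777 lets every local user write into the audit directory, and a directory owned by the nginx worker user with a tighter mode is enough for the lock to succeed.

```shell
# Added example, not from the original post: scan an nginx error.log for
# the ModSecurity problems described in items 4 and 5.
# Prints the number of findings on stdout, one line per finding on stderr,
# and returns non-zero when anything was found.
# Usage: modsec_log_check /opt/tengine/logs/error.log

modsec_log_check() {
    log="$1"
    findings=0

    if [ ! -f "$log" ]; then
        echo "log file not found: $log" >&2
        echo 1
        return 1
    fi

    # Item 4: the notice line carries both versions, e.g.
    #   ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    apr_line=$(grep 'ModSecurity: APR compiled version=' "$log" | tail -n 1)
    if [ -n "$apr_line" ]; then
        compiled=$(printf '%s\n' "$apr_line" | sed -n 's/.*compiled version="\([^"]*\)".*/\1/p')
        loaded=$(printf '%s\n' "$apr_line" | sed -n 's/.*loaded version="\([^"]*\)".*/\1/p')
        if [ "$compiled" != "$loaded" ]; then
            echo "APR mismatch: compiled=$compiled loaded=$loaded (remove the old apr package and rebuild)" >&2
            findings=$((findings + 1))
        fi
    fi

    # Item 5: the audit log cannot lock its mutex, usually a permissions
    # problem on the audit log directory. "|| true" keeps the count of 0
    # when grep finds nothing (grep -c exits 1 in that case).
    mutex_count=$(grep -c 'Audit log: Failed to lock global mutex' "$log" || true)
    if [ "$mutex_count" -gt 0 ]; then
        echo "audit log mutex failures: $mutex_count (check SecAuditLogStorageDir ownership and mode)" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
    [ "$findings" -eq 0 ]
}

# Constructed demo input: the log lines quoted in items 4 and 5 of this post.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
EOF
modsec_log_check "$demo_log" || true   # prints 2
rm -f "$demo_log"
```

Point it at the real error.log after restarting nginx: a count of 0 means both start-up checks passed, and each finding on stderr names the directive or package to look at.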
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614