ModSecurity started out as an open-source WAF for Apache that substantially strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, extract it, and run the following inside the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled simply by Include-ing it in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of every virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # must reference the upstream block declared above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are rejected directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
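A repeatable version of the browser check above, added here as an example rather than code from the original post: it sends the same three requests, unwraps the 403 that urllib raises as an exception, and reports whether each verdict matches. The host in BASE is the one used in the post and is an assumption; point it at your own WAF.

```python
# Added example (not from the original post): smoke-test that the CRS SQLi and
# XSS rules are active by replaying the post's three requests. BASE is assumed.
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://www.52os.net"  # assumption: the host used in the post's examples

# (path, query parameters, expected status). The two hostile cases are exactly
# the requests the post uses; the benign one guards against a WAF that blocks everything.
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, path, params):
    """URL-encode the query so spaces and angle brackets reach the server intact."""
    return base + path + "?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Return the HTTP status code; urllib raises HTTPError on 4xx/5xx, so unwrap it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_cases(cases, base=BASE, fetch=http_status):
    """Return one (url, expected, actual, passed) tuple per case.
    fetch is injectable so the logic can be exercised without a live server."""
    results = []
    for path, params, expected in cases:
        url = build_url(base, path, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def waf_active(results):
    """True only if every hostile request was blocked and the benign one was served."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    for url, expected, actual, passed in run_cases(CASES):
        print("PASS" if passed else "FAIL", actual, "(expected %s)" % expected, url)
```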
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. The following also appears in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the audit-log directory world-writable; once the worker's permission problem is understood, prefer the most restrictive mode that still lets the nginx worker user write to it.
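Both of the error.log symptoms in items 4 and 5 are easy to miss among routine notices, so here is an added example (not part of the original post) that parses the ModSecurity lines nginx writes to error.log, flags a compiled-versus-loaded library mismatch, and extracts the client, uri and unique_id of every audit-log lock failure. The sample log is constructed from the lines quoted in the two items above.

```python
import re

# Constructed sample: the error.log lines quoted in troubleshooting items 4 and 5.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log framing: "<date> <time> [<level>] <pid>#<tid>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^\[client (?P<client>[^\]]+)\] (?P<rest>.*)$")
# ModSecurity's startup banner: compiled vs loaded library versions
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; loaded version="(?P<loaded>[^"]*)"')
# ModSecurity's bracketed key/value trailer: [hostname ""] [uri "/i.php"] ...
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')


def parse_line(line):
    """Return a dict for one error.log line, or None if it is not nginx-framed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    c = CLIENT_RE.match(msg)
    if c:
        rec["client"], msg = c.group("client"), c.group("rest")
    rec["fields"] = dict(FIELD_RE.findall(msg))  # {'uri': '/i.php', ...}
    rec["text"] = FIELD_RE.sub("", msg).strip()  # message with the trailer removed
    v = VERSION_RE.search(msg)
    if v:
        rec.update(lib=v.group("lib"), compiled=v.group("compiled"), loaded=v.group("loaded"))
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def version_mismatches(records):
    """(lib, compiled, loaded) where the leading version numbers differ. Only the
    first token is compared because ModSecurity appends a build date to PCRE's loaded string."""
    def first(s): return (s.split() or [""])[0]
    return [(r["lib"], r["compiled"], r["loaded"]) for r in records
            if "lib" in r and first(r["compiled"]) != first(r["loaded"])]


def audit_lock_failures(records):
    """(client, uri, unique_id) for every 'Failed to lock global mutex' error."""
    return [(r.get("client"), r["fields"].get("uri"), r["fields"].get("unique_id"))
            for r in records
            if r["level"] == "error" and "Failed to lock global mutex" in r["text"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("library version mismatches:", version_mismatches(recs))
    print("audit-log lock failures:", audit_lock_failures(recs))
```

Point parse_log at the real error.log (for example `parse_log(open("/opt/tengine/logs/error.log").read())`) to run the same checks after a restart.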
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614