ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build is done, the module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

And an upstream load-balancing setup:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Two details that nginx -t will otherwise reject: nginx variable names are case-sensitive, so the fastcgi_param line must use $document_root, and the host name after proxy_pass http:// must match the name of the upstream block.
VI. Testing

With the XSS and SQL injection rules enabled, malformed requests get a 403 straight away. Taking a PHP environment as the example, create phpinfo.php with the following content:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This confirms that SQL injection and XSS are being filtered.
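The three browser checks above are easy to turn into a repeatable smoke test that confirms the WAF is actually enforcing after every rebuild or rule change. The script below is an added example, not code from the original post: it replays the same three requests and expects 200, 403, 403. The base URL and the `fetch` parameter are this example's own assumptions; `fetch` exists so the logic can be exercised offline with a stub.

```python
"""WAF smoke test: replays the three browser checks from the text against a
ModSecurity-protected vhost and reports whether the benign request is served
and the two hostile-looking ones are blocked with 403.

Added example; not part of the original post. The base URL below is an
assumption, as is the `fetch` parameter, which exists so the check can be run
offline against a stub.
"""
import urllib.error
import urllib.parse
import urllib.request

# Constructed cases mirroring the three URLs in the text: (query, expected status).
TEST_CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url, timeout=5):
    """GET `url` and return the HTTP status code; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return None  # unreachable host: counts as a failed check


def run_smoke_test(base_url, fetch=http_status):
    """Run every case; return a list of (url, expected, got, passed)."""
    results = []
    for params, expected in TEST_CASES:
        url = base_url + "?" + urllib.parse.urlencode(params)
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


def waf_is_effective(results):
    """True only when the benign request passed and every hostile one was blocked."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    # Assumed deployment URL; point this at your own phpinfo.php.
    outcome = run_smoke_test("http://www.52os.net/phpinfo.php")
    for url, expected, got, passed in outcome:
        print("PASS" if passed else "FAIL", "expected", expected, "got", got, url)
    print("WAF effective:", waf_is_effective(outcome))
```

A deployment where SecRuleEngine is still DetectionOnly, or where the location block lacks ModSecurityEnabled, serves all three requests with 200 and the test reports it as ineffective; the benign case guards against the opposite mistake, a rule set so strict that ordinary traffic is blocked too.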
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
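ModSecurity prints these compiled/loaded version pairs on every start, which makes them a good thing to check automatically after a library upgrade. The parser below is an added example, not from the original post; it reads the startup lines shown above (embedded here as a constructed sample) and reports every library whose loaded version differs from the compiled one. Note the PCRE line: the loaded version carries a trailing build date ("7.8 2008-09-05"), so comparing the raw strings would raise a false alarm; only the version number is compared.

```python
"""Detect ModSecurity library version mismatches from nginx error.log startup lines.

Added example; not from the original post. SAMPLE_ERROR_LOG is a constructed
copy of the lines shown in the text.
"""
import re

SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
"""

# "ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9""
# The loaded part is optional: the LIBXML line only reports the compiled version.
VERSION_LINE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def _version_number(text):
    """Keep only the version token: '7.8 2008-09-05' -> '7.8', '7.8 ' -> '7.8'."""
    parts = text.split()
    return parts[0] if parts else ""


def parse_versions(log_text):
    """Return {lib: (compiled, loaded)}; loaded is None when the line has no such field."""
    found = {}
    for line in log_text.splitlines():
        m = VERSION_LINE.search(line)
        if m:
            found[m.group("lib")] = (m.group("compiled"), m.group("loaded"))
    return found


def find_mismatches(log_text):
    """Return {lib: (compiled, loaded)} for libraries whose runtime version differs."""
    mismatches = {}
    for lib, (compiled, loaded) in parse_versions(log_text).items():
        if loaded is None:
            continue  # nothing to compare against
        if _version_number(compiled) != _version_number(loaded):
            mismatches[lib] = (compiled.strip(), loaded.strip())
    return mismatches


if __name__ == "__main__":
    # Replace SAMPLE_ERROR_LOG with the contents of your own error.log.
    for lib, (compiled, loaded) in find_mismatches(SAMPLE_ERROR_LOG).items():
        print("%s: compiled against %s but %s is loaded" % (lib, compiled, loaded))
```

Run against the sample it reports only APR (1.5.0 compiled, 1.3.9 loaded), which is exactly the case the yum remove above fixes; PCRE is correctly left alone.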
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The default Serial audit log writes every transaction into a single file guarded by a global mutex, which the nginx worker processes cannot lock here. Concurrent logging writes one file per transaction under SecAuditLogStorageDir and needs no such lock.

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
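The settings from section IV.2 (SecRuleEngine On plus the Include list) and from this section (Concurrent audit logging) are the ones most often left half-done, and a wrong Include path only shows up when nginx is reloaded. The checker below is an added example, not from the original post or the ModSecurity project: it parses a modsecurity.conf excerpt, verifies SecRuleEngine is On, that every Include target exists under the conf directory, that Concurrent logging has a storage directory, and flags a world-writable SecAuditLogDirMode. The sample config and the directory tree it is checked against are constructed inside the script (one Include deliberately points at a file the tree lacks); the function names are this example's own.

```python
"""Sanity-check the modsecurity.conf built in sections IV.2 and VII.5.

Added example; not from the original post. SAMPLE_CONF and the temporary
directory tree are constructed here so the check runs offline.
"""
import os
import re
import tempfile

# Matches one directive line: "SecRuleEngine On", "Include path/to/file.conf".
DIRECTIVE = re.compile(r"^\s*(?P<name>Sec\w+|Include)\s+(?P<value>.+?)\s*$")

# Constructed excerpt following the text; the last Include has no matching file
# in the sample tree below, so the checker has something to find.
SAMPLE_CONF = """\
SecRuleEngine On
# defaults from modsecurity.conf-recommended, commented out as in section VII.5
#SecAuditLogType Serial
#SecAuditLog /var/log/modsec_audit.log
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
"""


def build_sample_tree():
    """Create a throwaway conf dir holding three of the four included CRS files."""
    conf_dir = tempfile.mkdtemp(prefix="modsec-conf-")
    crs = os.path.join(conf_dir, "owasp-modsecurity-crs")
    for rel in ("modsecurity_crs_10_setup.conf",
                "base_rules/modsecurity_crs_41_sql_injection_attacks.conf",
                "base_rules/modsecurity_crs_41_xss_attacks.conf"):
        path = os.path.join(crs, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return conf_dir


def parse_directives(conf_text):
    """Yield (name, value) for every active (non-comment) directive line."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            yield m.group("name"), m.group("value")


def check_modsecurity_conf(conf_text, conf_dir):
    """Return a findings dict; 'problems' lists everything a deployer should fix."""
    values, includes = {}, []
    for name, value in parse_directives(conf_text):
        if name == "Include":
            includes.append(value)
        else:
            values.setdefault(name, []).append(value)  # last occurrence wins

    rule_engine = values.get("SecRuleEngine", ["(unset)"])[-1]
    audit_type = values.get("SecAuditLogType", ["(unset)"])[-1]
    missing = [p for p in includes if not os.path.isfile(os.path.join(conf_dir, p))]

    problems = []
    if rule_engine != "On":
        problems.append("SecRuleEngine is %s; rules are not enforced until it is On" % rule_engine)
    if missing:
        problems.append("Include targets not found: " + ", ".join(missing))
    if audit_type == "Concurrent" and "SecAuditLogStorageDir" not in values:
        problems.append("SecAuditLogType Concurrent requires SecAuditLogStorageDir")
    dir_mode = values.get("SecAuditLogDirMode", [None])[-1]
    if dir_mode is not None and int(dir_mode, 8) & 0o002:
        problems.append("SecAuditLogDirMode %s is world-writable; restrict it once the "
                        "nginx worker user owns the directory" % dir_mode)

    return {"rule_engine": rule_engine, "audit_log_type": audit_type,
            "missing_includes": missing, "problems": problems}


if __name__ == "__main__":
    findings = check_modsecurity_conf(SAMPLE_CONF, build_sample_tree())
    for key, value in findings.items():
        print("%-17s %s" % (key + ":", value))
```

Against the sample it reports two problems: the missing modsecurity_crs_40_generic_attacks.conf and the 0777 directory mode. To use it on a real installation, read /opt/tengine/conf/modsecurity.conf into conf_text and pass /opt/tengine/conf as conf_dir, since the Include paths in the text are relative to that directory.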
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614