|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。" U$ g( O W3 w: I
$ N: L( T! b0 y- F/ H2 s一.准备工作
: C0 m) D9 I0 R. B7 A) J# J
2 i/ O1 ]: T- f4 `8 j$ Z( ]' Y系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
; ?( J$ c: J1 N# N% k( L: Z' `; I: w, v6 z3 V
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz% P& ?( q8 ?2 }9 F
% q7 q2 x9 N* u
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz/ p9 N* X3 ?7 \) F7 z
8 L8 k5 c! } y# Z* ^" `6 x3 YOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
! X3 ]' ?$ }) b- u& \# P
2 w+ j# G' u* V! s9 N+ d) j0 R8 s: X6 ?依赖关系:1 Q- U2 }- Y: L) G9 X- @
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
. Q% w2 g1 k: _8 F/ C/ @1 V7 Y- ?, |) i# w/ V$ @8 ^
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel' P2 I j* u$ _* `' q* ]/ U
modsecurty依赖的包:pcre httpd-devel libxml2 apr' A6 Z, c1 ~: |
3 F2 |# A# F( F o: T ~yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
& l" x! W/ m4 l( d! S9 L二.启用standalone模块并编译4 }. O5 Z# M2 c
3 C( {8 f) G$ ^( c( ^4 y6 V下载modsecurity for nginx 解压,进入解压后目录执行:* C) k4 ~% [- C) ?% ]6 n
, Z1 `/ C" P+ E: t$ f
./autogen.sh
2 G1 t" g- x2 _1 H./configure --enable-standalone-module --disable-mlogc) E1 f6 P, R6 [( s
make ' |! p) ?( J/ s( I! h6 G
三.nginx添加modsecurity模块
. P5 o' b4 h8 T3 H. c: f
" p2 M$ J$ N' R5 |: }% R在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:( `& d- K; z7 B# V7 o
- j1 i2 B0 O5 T Q1 U2 }/ Q3 J, \./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
# O4 n* Q$ E& G2 Lmake && make install: g, @& `. v5 Z( i( V$ \
四.添加规则
0 h. T- G! ?8 T* z8 k' {; Y' L T5 V6 j( I$ r; \4 O/ W- J
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。8 n! g' G, P& g- f6 @% {& O
2 q; a, ~: S# S8 B8 R- F1.下载OWASP规则:) w9 j* Q! U7 l4 n; Z$ x v
- c, {% Q, Y+ x; O, M3 Vgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs) g) Q8 J1 w4 b# f* H: Z
7 \7 v& H+ |$ P( a& \5 y
mv owasp-modsecurity-crs /opt/tengine/conf/
+ q# a1 ]- c; e8 |, V* I. \% I1 L
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
/ [+ R# \! E; v- d- f2 Q2.启用OWASP规则:" v# w- }2 ]$ ? Y$ \3 r# m
3 d& C4 n' Z" i' {3 M3 k( e6 Z; i复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。& i4 K9 v: D# B. e
, i" \5 T1 } v0 k* Q/ m/ |
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on w# F2 E E# A' w
' D# A# k# }' C4 C. B' y; _
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。4 r5 O u0 B3 K7 B5 H0 U) W8 i0 D
% _# W/ A; ?3 PInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf# e. v' F! Z( u8 D2 @" y8 g( v/ [
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf) z; _7 m4 z' O) j
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
, r, g9 w+ J4 {+ P3 k( z% XInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
9 o: S6 q* P# V1 {9 lInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
& J7 S8 [1 F: J$ N/ k/ W! UInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
! G, d. \2 t F: I: A X9 JInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
" _ b$ } B7 o7 k) h. D' F% M五.配置nginx5 Q+ b4 K8 t$ `: q
4 s: a7 L' F( p8 [! S/ |) g4 f
在需要启用modsecurity的主机的location下面加入下面两行即可:
/ b% p* ^( A! L/ d0 [$ I7 i" }+ _. D2 i0 p: [* J" y0 f
ModSecurityEnabled on;
( X2 W [- r1 J! w N$ w5 sModSecurityConfig modsecurity.conf;3 r9 Q7 K% H% Z' A0 x& Y
下面是两个示例配置,php虚拟主机:( B4 j( F* v1 y4 Z0 ]' g
* l* v; E$ t- B# A! u
server {
6 Q3 X# G; u+ j listen 80;1 g; a0 L) M- k
server_name 52os.net www.52os.net;1 F9 _) a! |) N U& {/ @- ]
% F. G! R3 v9 [- }
location ~ \.php$ {4 J! g; d) w! f! P
ModSecurityEnabled on;
( V8 H# [" g, e- g/ F1 Z ModSecurityConfig modsecurity.conf;
. t! Z# a& l6 n# d9 m# n6 f' P- f! n0 l
root /web/wordpress;
, r7 W/ k" |3 C index index.php index.html index.htm;
1 C- N' H+ m& n* J+ c ( ?7 D8 P# @# t- r/ U1 P
fastcgi_pass 127.0.0.1:9000;
6 V0 h' g7 V& t fastcgi_index index.php;
5 s5 r$ P3 p( o0 ~ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
8 `% ]7 I) X: V( s. h7 P include fastcgi_params;
7 r$ _* A: v" W }! i) t, i3 ]! ]' D
}
7 o% M6 k* ~( Q# {+ ^1 V3 @4 r" Tupstream负载均衡:
1 G# k& Z: L; m9 k+ U1 h0 L d+ v
% t$ Z2 w! `' J, G2 _upstream 52os.net {
# S+ c# s, ?; e- x( l0 o& H/ K3 Z server 192.168.1.100:8080;
5 }5 l' z* z4 g: W& S- q4 t; i server 192.168.1.101:8080 backup;
2 F, e. U& [* [3 i( `}
G, [) J* [7 o C) ?4 b9 ~
, t4 O4 D. ]; U* Rserver {
7 b7 ~4 n6 _8 P8 b: ?- M0 W: Zlisten 80;
( v! I1 W P! d+ P& ^7 Mserver_name 52os.net www.52os.net;
: [: w! e: o u' {. g0 f, e% p$ A! s! o+ ]* J+ y0 I
location / {
6 L8 ~ l5 q& Z3 d5 f- L) y ModSecurityEnabled on;
+ N9 a% e9 p8 x: T8 x ModSecurityConfig modsecurity.conf;
* R* v# w; Q7 a, f' ~ C1 k
0 H$ w' Q0 k6 y) j) `. b! r proxy_pass http://online;
- Q5 Y# k. R, l4 w proxy_redirect off;, F. o4 J) T3 o! T! q
proxy_set_header Host $host;
$ c" D& k: N* d proxy_set_header X-Real-IP $remote_addr;
( c7 K, P% s6 p: v/ f proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
: G0 A4 H3 E. d' M9 w1 @3 ]( G }3 G' D+ Q; L* ?6 N( v. X
}
# t+ ^" A+ Z& N) h0 s! f% E; s5 w六.测试: ?5 ?% ]' {6 |# [0 ]9 t) i; \! Z
5 ]" l, r" ]# l我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
: p, {& s( x( W3 g' h+ z/ J$ U( {3 k$ N" p" A x; k9 ^
<?php# ^6 O. J) Y. @
phpinfo(); 6 d. S- H2 J# I$ f6 }
?> w w/ g @/ w1 f! s
在浏览器中访问:
% i- n. k2 O/ L& Q, d1 m/ e" t
7 S2 w8 F6 g9 Z& Qhttp://www.52os.net/phpinfo.php?id=1 正常显示。9 @7 z" P- t+ \5 W3 W
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
- [2 L6 V, Z% y8 Y7 K+ Y/ Fhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
- M- e! n& L- Z M x+ o3 v d说明sql注入和xss已经被过滤了, F- g! j# F: `1 j( e% V
( a! ?5 }; q' J+ n七、安装过程中排错
# M% q* T' ]' ?# Y- G/ n2 h; x
5 Q' m* _- u. H7 X6 k! I2 V8 ]8 M8 w1.缺少APXS会报错
7 G e) }0 T9 L2 I7 I. ^
, T7 O( x- o d' P* _ _* xconfigure: looking for Apache module support via DSO through APXS3 J- a' b, s) ]7 z! _5 p
configure: error: couldn't find APXS8 _- x; I b0 p% ]! i
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。* Z+ C4 r2 R) f' e& G- v
解决方法:
" Y+ p$ Z! N; I
4 M8 Y2 C& `5 y$ q" n* Fyum install httpd-devel
: s' O5 X2 F( }1 P D6 K0 u/ j5 v2.没有pcre
+ o/ a) ], V& b; L& A* t9 ~* l" r# y5 @% N
configure: *** pcre library not found.1 X4 m6 ]& K' N
configure: error: pcre library is required
9 _# e; K( j* ~: n解决方法:
& b) P5 b% \6 V$ F+ w2 Y- l( E0 |* f! h8 U
yum install pcre pcre-devel
5 E# v9 M$ w3 d3.没有libxml2
' {7 G2 l0 K# P8 b+ M" W S+ b
' W; v! x8 Z' u3 f G( b' u/ G- }- d
configure: *** xml library not found.( W: |9 |6 f* `5 J- ]9 Z6 l
configure: error: libxml2 is required( \. w# M. w) ]" ^3 g9 I
解决方法:
& s2 c1 k* O9 p9 P9 N6 f b- m/ r
6 _5 p' h$ |# Wyum install libxml2 libxml2-devel
& V8 o. a7 u( O4.执行 /opt/tengine/sbin/nginx -m 时有警告, l# H0 k1 w/ V U8 O( d
+ p# _: l, Q6 i/ l6 `2 r" N
Tengine version: Tengine/2.1.0 (nginx/1.6.2)! f' v# {! S" G; m& O
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!% g" O: ^# V* @$ R+ E
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
: L+ ?) @) v$ z% Z, E6 n2 o- [. W0 a4 o- I8 R& e; W; c
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
" ]- ~8 h" t, [. t( w2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
5 d1 F% K8 l# i5 n2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!3 ]& ^8 P. ?" w# f
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
8 Q1 X/ U" j' }6 o5 g0 _0 G8 u, ]6 |2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
+ E% Y$ r3 _/ C* @9 M- q2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
$ t& `) \+ B0 m+ f8 S9 `解决方法,移除低版本的APR (1.3.9), @3 k9 z8 f0 [7 p7 J: m
" t$ U9 l( f" {
yum remove apr: W$ o5 B. b* I, a3 }
5.Error.log中有: Audit log: Failed to lock global mutex# H% Q, Y( t! z- _9 d2 \4 k
5 U* r, z9 V0 V$ Z9 K' l
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
$ Q& M$ B9 r( j2 ?5 {global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]# t3 p# u0 M" C* N0 S: m" u0 S
解决方法:! O9 J7 u `3 T3 K
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:5 q) u4 R* x% Y+ ]% @
+ M: n' ]+ v: d" G7 D# k& T! f* s SSecAuditLogDirMode 07772 K+ ^4 N- T8 d6 V: b6 s1 x2 G" U
SecAuditLogFileMode 05506 v4 `% E" T* a, p
SecAuditLogStorageDir /var/log/modsecurity' Y- y8 B0 b7 M j
SecAuditLogType Concurrent* Q" n) C$ ]7 d# [& o# r$ n
参考文章:
4 i1 n7 Z, N5 `, Lhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX9 Z. d- c; m" ?& u) @% b
http://drops.wooyun.org/tips/2614 |
|