ModSecurity started life as an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity filters and blocks web attacks, and its power lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and strong, and you can of course write custom rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches but blocks nothing).

owasp-modsecurity-crs holds several directories of rule files, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need with Include directives in modsecurity.conf; the setup file must come before any rule file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
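Before pointing ModSecurityConfig at the file it is worth checking that SecRuleEngine really is On, that every Include resolves, and that the CRS setup file comes before the rule files. The POSIX shell script below is an added example, not code from the original post or from the ModSecurity project. It assumes that relative Include paths are resolved against the nginx conf directory (/opt/tengine/conf in this write-up); the demo builds a small constructed directory tree with a deliberately misconfigured modsecurity.conf and reports what is wrong.

```shell
#!/bin/sh
# Added example (not from the original post or the ModSecurity project).
# Sanity-checks a modsecurity.conf before ModSecurityConfig points nginx at it.
# Assumption: relative Include paths resolve against the nginx conf directory,
# i.e. /opt/tengine/conf in this write-up.

# Usage: check_modsec_conf CONF_DIR CONF_FILE
# Prints one line per problem found; returns 1 if there were any, 0 otherwise.
check_modsec_conf() {
    conf_dir=$1
    conf=$2
    problems=0

    # SecRuleEngine: On blocks, DetectionOnly only logs, unset means Off.
    # Commented-out lines ("#SecRuleEngine ...") are ignored; the last setting wins.
    engine=$(awk 'toupper($1) == "SECRULEENGINE" { print $2 }' "$conf" | tail -n 1)
    case "$engine" in
        [Oo][Nn]) ;;
        "") echo "SecRuleEngine is not set (defaults to Off)"
            problems=$((problems + 1)) ;;
        *)  echo "SecRuleEngine is '$engine', not On: requests are not blocked"
            problems=$((problems + 1)) ;;
    esac

    # Every Include must resolve to an existing file or nginx refuses to start.
    for inc in $(awk 'toupper($1) == "INCLUDE" { print $2 }' "$conf"); do
        case "$inc" in
            /*) path=$inc ;;
            *)  path="$conf_dir/$inc" ;;
        esac
        [ -f "$path" ] || { echo "Include target missing: $path"; problems=$((problems + 1)); }
    done

    # The CRS setup file defines the variables the rule files rely on, so it
    # must be included before any file from the *_rules directories.
    setup_line=$(awk 'toupper($1) == "INCLUDE" && $2 ~ /_10_setup\.conf$/ { print NR; exit }' "$conf")
    rule_line=$(awk 'toupper($1) == "INCLUDE" && $2 ~ /_rules\// { print NR; exit }' "$conf")
    if [ -n "$rule_line" ] && { [ -z "$setup_line" ] || [ "$setup_line" -gt "$rule_line" ]; }; then
        echo "CRS rule files are included before (or without) modsecurity_crs_10_setup.conf"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed demo tree: one rule file present, one referenced but absent, and
# SecRuleEngine left in the shipped DetectionOnly mode.
demo_conf_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/owasp-modsecurity-crs/base_rules"
    : > "$tmp/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf"
    : > "$tmp/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
    cat > "$tmp/modsecurity.conf" <<'EOF'
SecRuleEngine DetectionOnly
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
EOF
    check_modsec_conf "$tmp" "$tmp/modsecurity.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run on the constructed tree (expected: two problems, exit status 1).
# On a real host: check_modsec_conf /opt/tengine/conf /opt/tengine/conf/modsecurity.conf
demo_conf_check || echo "problems found (exit status $?)"
```

Run it after every change to modsecurity.conf and before `nginx -t`; the engine-mode check in particular catches the common case where the recommended file is copied in but never switched from DetectionOnly to On.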
5. Configure nginx

In the location block of each virtual host that should be protected, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lower-case
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

A load-balanced upstream:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL-injection rules enabled, abnormal requests are answered with a 403 straight away. Using the PHP host as an example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
7. Troubleshooting the installation

1. Missing APXS makes configure fail

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). yum will also remove every package that depends on it, so read the list it prints before confirming.

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

0777 is wider than necessary: the storage directory only needs to be writable by the user the nginx worker processes run as, so a tighter mode owned by that user does the same job.
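Both of the error.log symptoms in items 4 and 5 are easy to miss in a busy log. The POSIX shell script below is an added example, not code from the original post or from ModSecurity itself: it scans an nginx error.log for the ModSecurity start-up notices quoted above, compares each library's compiled and loaded version where both are reported (APR and PCRE in the lines above; LIBXML reports only a compiled version and is skipped), and flags the audit-log mutex error with the client and URI involved. The demo runs it on a constructed log file assembled from the lines quoted in this section.

```shell
#!/bin/sh
# Added example (not from the original post or the ModSecurity project).
# Scans an nginx error.log for ModSecurity start-up notices and flags
# compiled/loaded library mismatches and audit-log mutex failures.
# Assumes the stock nginx error.log line format shown in this section.

# Usage: modsec_log_check LOGFILE
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
modsec_log_check() {
    awk '
    # e.g. ... ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    /ModSecurity: [A-Z]+ compiled version=/ {
        lib = $0
        sub(/.*ModSecurity: /, "", lib)   # drop everything up to the library name
        sub(/ .*/, "", lib)               # keep just the name (APR, PCRE, LIBXML)
        compiled = ""; loaded = ""
        if (match($0, /compiled version="[^"]*"/))
            compiled = substr($0, RSTART + 18, RLENGTH - 19)
        if (match($0, /loaded version="[^"]*"/))
            loaded = substr($0, RSTART + 16, RLENGTH - 17)
        # Compare only the version number: PCRE appends a build date to the
        # loaded string ("7.8 2008-09-05"), which is not a mismatch.
        if (loaded != "") {
            split(compiled, c, " "); split(loaded, l, " ")
            if (c[1] != l[1]) {
                printf "%s version mismatch: compiled %s, loaded %s\n", lib, c[1], l[1]
                found++
            }
        }
        next
    }
    /ModSecurity: Audit log: Failed to lock global mutex/ {
        client = "?"; uri = "?"
        if (match($0, /\[client [^]]*\]/)) client = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /\[uri "[^"]*"\]/))  uri = substr($0, RSTART + 6, RLENGTH - 8)
        printf "audit log mutex failure: client %s uri %s\n", client, uri
        found++
        next
    }
    END { exit (found > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed error.log built from the lines quoted in items 4 and 5 above.
demo_log_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
EOF
    modsec_log_check "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone run (expected: two findings, exit status 1).
# On a real host: modsec_log_check /opt/tengine/logs/error.log
demo_log_check || echo "findings present (exit status $?)"
```

A version mismatch means the module was linked against one APR and is loading another, which is exactly what item 4 describes; the mutex finding points at the audit-log storage directory's ownership and permissions rather than at the rules, which is why item 5 is fixed in the SecAuditLog* directives and not in the CRS.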
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614