|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
2 ]$ o+ U p( g( C, G9 o( {6 q" }; v2 }3 L" u7 K' e( F5 C7 v
一.准备工作
1 O5 i; \* \! R+ n+ t$ w. v1 G! x9 K' E5 U7 ^+ X+ f
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0; r" T6 b1 q1 h7 s8 b( n
" w/ r. p$ C: I) f F* d# V2 ]tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz( V- {4 L3 t% X, W
! Y6 b% S# o# g0 v0 X' D3 T8 lmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz$ S& n! x( G& I' p0 s
0 X9 N, v% {% @OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs1 L/ V( D- E1 J3 ~- @5 ~
( ]6 j7 E, m0 |6 M! G5 x* b: U& N/ _依赖关系:5 R6 Y# w2 f+ n X. ?
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:$ E# T- D/ L7 s& P! u) r
) A: K# z( U0 n) k: T$ k @
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel$ O2 j8 R/ \2 t) w: J
modsecurty依赖的包:pcre httpd-devel libxml2 apr* K/ F# J5 T1 V% W
0 L/ D! Z+ Q3 T' `' x; h. @
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
7 d- T7 d3 t! l7 B9 M二.启用standalone模块并编译
" j0 w5 M( Z2 @: ]. ?$ [9 a/ d0 N2 @
下载modsecurity for nginx 解压,进入解压后目录执行:/ u# h( k* w4 G; ^: N
7 R5 v- B9 W$ X' ]0 p
./autogen.sh% E1 G" _' A, `' z
./configure --enable-standalone-module --disable-mlogc
( W0 x" Y- [, H% U( B2 B% bmake
6 H& l3 Y$ ]6 t9 [ i* X三.nginx添加modsecurity模块4 J [; N g1 P; O. E$ ?
( d. N7 B5 b* u" V- V( t& x, i在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
8 I( h3 s7 \( _( [; D/ @: R" a+ e2 V8 h' i
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine: G# |$ M) i/ Q
make && make install
2 E0 e$ @: H9 B+ ?+ _四.添加规则
4 T! D1 n& I6 P8 t9 o3 X) d! @* |2 x7 s% w6 S1 j, K: J
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。: ] b( K" k5 h& r+ }$ i; A! c
5 w2 N' r, M2 C. k. O1 h1.下载OWASP规则:
1 X# |2 i- ^) @. A
: R( l, `6 V0 ?, b# fgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs/ w2 p; \1 m( | a7 b0 l2 X- m
. a/ j; k/ h+ \) [7 p4 mmv owasp-modsecurity-crs /opt/tengine/conf/, _6 Z# F6 y# t A/ U
+ n* Y7 b; g# r6 Y4 Pcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf& M: l# X/ ?0 o4 ?
2.启用OWASP规则:4 O3 f/ A2 Z6 f; ~( L$ E6 H' l
* }1 }5 {; I: p
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
% Y; h- _$ c: y# E" }
; e4 k5 [6 n( L7 A# ^+ ~& J" w% D1 I编辑modsecurity.conf 文件,将SecRuleEngine设置为 on! _' W0 j1 n) s& H! W5 {7 B; [
: D7 E3 K% \5 ~! A, o+ `
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。 _4 q, j. @4 s a- n B; ]" {
2 f5 X6 m7 m- m* m
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
* h. ~ B: y! ?6 ]Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
6 O' w+ l8 ~1 I8 MInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
5 g& ~) \/ O2 s+ N2 k+ l. H$ `Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf: K! w6 H: K" r% y# O3 K! n
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
! f y: p4 ~- p2 C2 A% }% ^Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
3 i. W/ \1 S& x$ g, Q: fInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf, h: p- _* @; A1 a
五.配置nginx9 l1 n1 P* }3 s" F
3 p' a. O9 q8 T" ~7 U; I, r在需要启用modsecurity的主机的location下面加入下面两行即可:
. i4 W' h$ c# r7 x7 g+ T6 Z
/ Y# [9 p" D T. Y) A. U% T% s3 kModSecurityEnabled on;
7 |5 O9 L) ?9 V4 @! s+ }ModSecurityConfig modsecurity.conf;
" ?- H( R* y% A6 ]( z下面是两个示例配置,php虚拟主机:5 e7 z2 \8 Y/ j9 y1 O$ d: P& I
4 w6 C& ? D+ d/ b% U! a% `' P, X7 T/ l
server {
. M8 ^- x ], E9 f) h listen 80;
3 z3 X# v; V% S I' C server_name 52os.net www.52os.net;2 ~6 W- M, Q2 |: Y
% d! x: s7 T# H z" n
location ~ \.php$ {
; \6 D/ h2 o2 f7 w- T ModSecurityEnabled on; 7 A& I# T9 Y: U. k, [
ModSecurityConfig modsecurity.conf;3 H1 {" K& h+ |
9 Y" m1 W+ q: h
root /web/wordpress;$ l0 s2 c- j6 }
index index.php index.html index.htm;2 ]+ X: ~. U0 `0 u2 T; l- U& M
" L; B( B+ \" |3 S" u
fastcgi_pass 127.0.0.1:9000;
# {. R/ W/ r, @' O! l fastcgi_index index.php;
" g6 l9 Z2 i4 B8 F! [. K fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
+ A* ^, f' Q( m; N6 F include fastcgi_params;
7 [3 i- v9 S; `4 z1 `8 L }* }; x s1 t! Z- g" P9 h
} v2 z! [! T0 \. i( H( }$ x
upstream负载均衡:
% I+ \9 v1 g) z2 |) C. t
6 K5 v; }/ H6 }( V& \upstream 52os.net {5 k7 d$ Y. X, s
server 192.168.1.100:8080;9 @7 _$ p0 L4 d/ O% c. i/ `2 n
server 192.168.1.101:8080 backup;8 y. b3 S- ]4 ?& W
}
7 A: p) h1 K& T' P+ p* y
: } F5 E, R. ~* D7 ^7 J+ y' |server {8 \+ z- m: x0 ]! W1 N$ S f
listen 80;5 A2 n- \6 h- R. y, r( d
server_name 52os.net www.52os.net; A4 i+ o" l% C, }# h# o3 @4 n
( \/ Z. Y9 Z0 |$ V
location / {: B' K6 W' ]% H( p( Y
ModSecurityEnabled on; 9 O4 x) K; Y0 n; f
ModSecurityConfig modsecurity.conf; 8 w4 W% l% p' B" U6 c0 H4 m
4 Q3 {: f8 U! Q proxy_pass http://online;. A! y- a: E/ N3 [1 A( L
proxy_redirect off;
# \7 k b9 G# w1 l proxy_set_header Host $host;
, F& ]2 f; _8 r& f proxy_set_header X-Real-IP $remote_addr;, k. N) d7 [$ C/ k$ x! F. [5 k" f
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;/ y# N& [& |0 F3 \7 \- _% ~
}
0 z. v% N) _! d8 g7 N1 o}
9 G+ O! U' Y( R8 a- F# O六.测试9 S" M% P5 ?3 W
4 A5 x' N& [5 W P我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:8 o# s( L1 a8 H9 D) X
+ v( h6 ]! R4 ]! s
<?php' T( m* P1 _* k- b5 \0 A
phpinfo();
; O1 i0 E. V2 a6 a' G! v# i?>
! z( e3 A, y% h2 m8 C* L4 q) ?& f在浏览器中访问:
: A8 u7 m- d6 P
' i) ^9 ^! X: R: e( }: [http://www.52os.net/phpinfo.php?id=1 正常显示。0 n" ~* w' o5 k; @' O
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
0 m1 }2 q" D4 {. M2 @( d/ f: hhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
6 Y7 \9 ~/ |/ {/ T) E9 S说明sql注入和xss已经被过滤了
' _) l/ P+ {5 H" c0 M4 [& a4 Q& c' N, G
七、安装过程中排错
* m1 ^2 o, @/ r; p4 \# N4 }8 \" ^. A7 u/ _* @4 ~! b
1.缺少APXS会报错! p1 Z; S; \2 V+ b5 B \
3 a. e3 o5 I! |, Econfigure: looking for Apache module support via DSO through APXS# r& A' N/ B" S0 L, a
configure: error: couldn't find APXS' l& u$ t$ L: H* M
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。' ]! o* C Y( P7 {3 R# v- F
解决方法:. Z- _3 w) `, ~! ]' Y' q: z
& U- |" \* W* _: e8 F6 W4 [: z9 Oyum install httpd-devel
3 T& ^% U& g w; I8 r2 p2.没有pcre
! B7 L% V9 \. x3 e
: S" C' ?8 ^2 s; q( H5 P: `( h, Nconfigure: *** pcre library not found.
6 g, `' w* E2 J. |5 @+ D/ @configure: error: pcre library is required% }; s' j7 `2 k' f# O
解决方法:6 H/ V) f7 Q8 e |' f% N- {' H
1 E, ^' c) A9 w, y
yum install pcre pcre-devel0 A2 u% O3 A+ @9 V( m
3.没有libxml25 j& C) r0 ` B
" C7 {4 t; p% Y+ Q5 R- U
# H# \8 {' s2 V4 A# Y9 h. q
configure: *** xml library not found.! @1 b& ^ E# H
configure: error: libxml2 is required
8 T7 u$ Q& I( S) t" T) C/ a解决方法:
; {5 b( }( p" e! B" |# U
8 S, ^1 g* K8 L8 P" [3 @yum install libxml2 libxml2-devel( f; c) s6 q; ~, y: P( F
4.执行 /opt/tengine/sbin/nginx -m 时有警告
4 g7 M9 c- [- O5 F+ W0 }2 T6 k) \% h! u- L
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
* g' J6 r+ g$ y0 E# p$ Q0 Jnginx: [warn] ModSecurity: Loaded APR do not match with compiled!. } V. D1 O- _. l7 g1 W8 {. t
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
6 b1 F2 s) V& Z1 ?, y/ e
5 P3 t; d+ T1 U8 L2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.0 P& v5 b/ U! \
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
: R* M% |: ~5 t! c: X5 y2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
; m! F3 N% Y: K6 p2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
3 H. t# y4 b# ?% [( }2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"4 I2 Q( h* D: C+ b g% l; U
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.& A" a, [" J' z, j; T2 e
解决方法,移除低版本的APR (1.3.9): @0 A# `3 z3 v4 X
: \9 b' C/ L' Z0 j6 syum remove apr
4 R' t8 A9 s( m7 { _+ \& F5.Error.log中有: Audit log: Failed to lock global mutex$ [& j) l% V# ?, i. a
: {7 {3 f2 x6 g" ~8 _2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
' a) r3 n0 G' @+ A- Tglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
, `( \ o' Y( w' [1 z8 ]8 }1 W解决方法:
9 d7 o3 g. b2 G3 w编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
* V9 X. c- s. C2 {9 X
6 U' k% ^; I. E* w* SSecAuditLogDirMode 07778 i+ c8 [: k+ F$ `) P/ K3 N
SecAuditLogFileMode 0550
2 y6 c) p+ {! e4 U3 |0 A. y, SSecAuditLogStorageDir /var/log/modsecurity8 E2 b* m9 W- R: [$ v
SecAuditLogType Concurrent
1 M: X% e) J. h1 `" J }, O- W9 g参考文章:3 f8 c- Y$ T K! ~/ D2 q
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX$ O: H1 P% \9 L L" H
http://drops.wooyun.org/tips/2614 |
|