|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。0 u6 B& m3 X0 [7 X( g0 @
5 N; P n$ v; e一.准备工作
( U6 G" r4 b0 Z! \6 d+ o8 j- H2 U6 D! a3 o. F. |, f" D' E
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0$ d( ?7 w6 T; w8 |1 w, E7 w7 z; n
9 @, B6 p& B/ Mtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz$ X8 i1 U9 V- u# v
' t6 P% }( r- emodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz# i7 T0 G S! N8 y" H
. W I$ t% t" _% l7 @, @
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
# t9 H0 f! f9 X. ~. ~( x% `! e9 Z% h4 ~4 H3 t; a* O
依赖关系:" O) ~: v- l2 ~2 x( U
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有: {) X# k2 x" h/ N; I: [) n' S
) P$ T8 D! m( o1 v7 o4 }* Ryum install zlib zlib-devel openssl openssl-devel pcre pcre-devel. s+ {0 J; u2 a! [8 ~
modsecurty依赖的包:pcre httpd-devel libxml2 apr
8 o& o# W! U {% J( P
, ?- l/ H& N9 q0 pyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
3 u) s/ z8 Q7 @! l4 G8 R二.启用standalone模块并编译7 ~& B- D9 [0 ?& O
. b) v7 k7 [5 M0 p" F
下载modsecurity for nginx 解压,进入解压后目录执行:
* p9 q$ F% V6 \6 P: r1 W' g1 d. b; X/ W/ n+ Q5 f& @
./autogen.sh4 c8 r; s4 D$ r- t3 d- T
./configure --enable-standalone-module --disable-mlogc/ n0 y2 ?, l9 e0 F! g
make 0 U+ p) t( i; Z# o
三.nginx添加modsecurity模块2 h9 o* U. n8 t
% d% }/ s0 V9 ~
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:, Z5 V" ~8 e1 J; }5 S* D" s8 I
- ^2 n. T+ ?% g: Q3 `) o. E./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
/ t l0 v/ }) x0 C: A8 O# omake && make install
3 i3 C3 S: i( R b. P3 e四.添加规则0 v2 C8 C# E+ _1 h \
2 o# P5 _2 N6 L: N) x
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
- s6 F& O6 W/ r. p% e4 x! H
* x6 `* @- i. Z1.下载OWASP规则:" G5 n, p$ l/ z* z7 _2 Y
$ i+ U# G$ Z& n/ r# a
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs/ ~/ [2 Z( @ M" I9 O
+ W( W+ G; V) S/ @mv owasp-modsecurity-crs /opt/tengine/conf/5 e9 b7 V6 |0 q& w; k
- @* X2 {, N3 ~, U; l+ }2 J; H
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf; f! j' V- b. R
2.启用OWASP规则:; x7 X) \" c5 f
6 Z* `& B, g# {; g8 p: o8 a8 @6 w) i
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
9 V9 H8 l4 H1 |& o
* e0 d$ Y# Q+ G$ _ U/ P+ ~编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
8 Y3 Y* H }7 Y6 H6 T
7 Q4 z& j$ f( S) v& t8 aowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。: a& S7 Z+ \# G) q- j3 h6 u
0 q. E& C$ A5 O! OInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
* o5 r) w) F6 \. g4 a" HInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
# b) G+ n$ V! q) T; s3 f; `- QInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
8 z5 Y3 v* y8 a. ?$ GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
2 ?$ D4 L, Q+ y, R g/ ZInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
' _) i3 f( p8 q3 z! u, YInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf8 d) j' C5 I0 S ?. F9 B
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf& a/ B! L; X4 @$ [) L
五.配置nginx: s1 h( h. u! g- Z9 R
5 P; V/ E( b* B5 x4 ?& K9 V0 j在需要启用modsecurity的主机的location下面加入下面两行即可:2 k+ i( ]- a+ d
; g# m# D& `( P, p) s) P) ^ModSecurityEnabled on;
8 }( j. u, p( ?! P" g# `ModSecurityConfig modsecurity.conf;
5 j4 } L3 Y9 m$ j$ ]% `下面是两个示例配置,php虚拟主机:
8 s2 c3 P- a+ w3 } \* \
f% b/ I; O$ K8 P+ yserver {. T1 l4 \1 n: v( ~- F- j
listen 80;
# w: F( Q% j D J. R server_name 52os.net www.52os.net;" ?! k! A9 u; N# o4 n
' ?0 \) B7 o6 A f location ~ \.php$ {, g$ U, ~% v9 U) r
ModSecurityEnabled on;
( m1 o( k; T0 l9 r) k1 S( { ModSecurityConfig modsecurity.conf;: p/ o4 u. O- r# Y% d1 t
/ N& Z4 P- ~- K: m. s
root /web/wordpress;" a( T( j$ p' G+ z3 k7 ^
index index.php index.html index.htm;
5 r; h" M& h. }$ f0 k$ c6 I3 d 1 X; ?0 \8 g6 p8 f1 p
fastcgi_pass 127.0.0.1:9000;
: A- w- J- L9 n fastcgi_index index.php;/ r0 W# S! F) ~% j a
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;: h8 a' g' [( p% u1 ~$ G
include fastcgi_params;
0 j1 g8 [$ I2 c7 q! f) z }% |$ u/ F) D8 Y6 z5 E
}% Q+ b+ K# y$ w8 x4 ~0 y" T* [" d
upstream负载均衡:
4 s6 }0 c% ^+ X3 W% r: I# g
1 ?5 \" c: _$ I) hupstream 52os.net {2 h8 Z# T4 G* ]# U* l7 R, o
server 192.168.1.100:8080;* y& d( q8 |; M) E/ ?
server 192.168.1.101:8080 backup;6 u! u" e7 P; X- e; o" Q
}( U) v. ]! O+ a# m5 F# F
+ f% R" Q& |* j* M. \- B# P
server {, r5 W- G' | y0 B9 L( P5 A5 n
listen 80;
2 ?& Z" D8 y2 o& J7 g; ?1 b, Wserver_name 52os.net www.52os.net;
b" J+ @# d7 e$ ?& A! T( F+ h& a3 o7 J. e
location / {
# b; Z4 P7 Y. m ModSecurityEnabled on; 6 r8 A9 t' M" _1 H1 x% m
ModSecurityConfig modsecurity.conf; 3 D* n2 j& }( ?* w
2 C* S* ?: m- f" S! ~9 s
proxy_pass http://online; v* g" T; q4 {/ o x! u. H2 i) u, b
proxy_redirect off;* I4 U% u0 L% H3 _" |' T
proxy_set_header Host $host;* S* r( R5 L( H( P: V
proxy_set_header X-Real-IP $remote_addr;3 |6 ?9 s# ~7 Y: s$ a
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;/ w( n4 \, r0 F
}
; l& |; }4 o7 A! k1 ]: X0 Q' q}
" ~; w+ u6 g& B S六.测试
! Y, o: H1 I7 h9 S" b8 s4 e' ]* D/ G/ q: u
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:$ ]/ |! x) x% y+ Y' B8 M
% d. y3 g+ _" V0 q0 L/ r
<?php
( g$ T" O! h$ B. ? phpinfo(); ; V2 a* g' @, z
?>
' ^- e- e( O( A/ f( g3 k2 Y! ?' Q在浏览器中访问:
/ E$ U/ P B, _" T- c2 [
# h( U' Q# m. h3 n" s* m$ shttp://www.52os.net/phpinfo.php?id=1 正常显示。
' S% i b9 E6 ^1 Ahttp://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。" T0 w H% \" \8 n; \
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 x8 w% }1 I7 `9 l
说明sql注入和xss已经被过滤了
9 Z: L! Z8 b8 `% e* m* M% t( U- g: c8 U
3 _; I& I ~# L2 K七、安装过程中排错
6 K0 ?5 S% T4 H6 s; m' T4 H( Y- w0 J! D6 R5 p, N* O2 R4 t' @+ k
1.缺少APXS会报错
1 e* K2 ]% \& j$ L! _) X- J
6 m* U v2 @; ]3 @3 E4 S3 Lconfigure: looking for Apache module support via DSO through APXS
# R- n# ~; m& U6 b5 yconfigure: error: couldn't find APXS
+ X# u- ^$ d4 [1 y, _apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
! E' V- T, W/ v9 t解决方法:( X) x/ ~" {( A' J9 A! z4 f( h
+ S: t8 ^1 @+ n: E( f7 Dyum install httpd-devel
2 x1 W5 d. q$ E0 e2 g3 t3 ~2.没有pcre
# |9 B0 F+ }1 R+ |" Y% P" F
( f" c; m! Y7 e* |- `configure: *** pcre library not found.
! w6 z+ u$ a2 econfigure: error: pcre library is required
. ?) A( o- S. e |3 c4 f7 t解决方法:0 M- E, [8 \& C+ T P
. b% h! n9 v- n' }yum install pcre pcre-devel* J4 s4 j6 G' o+ i0 t3 R: Z7 x
3.没有libxml21 {' s2 u) u' O, }$ {' u2 [
: o4 `) V6 M" e" L% ]& x1 Q' P, e* N
configure: *** xml library not found.
' `5 \5 J3 b C. m2 A, R9 @7 J$ econfigure: error: libxml2 is required
+ V: A' w9 F0 V' J% a( x# t. l' X解决方法:
7 Z1 E+ Y( m7 O* W5 h
7 v# Z; F( w+ T. Wyum install libxml2 libxml2-devel
# D3 |' b& o; L* B' S4.执行 /opt/tengine/sbin/nginx -m 时有警告" O2 A# s' J! x6 i) v8 U
- a* e1 o8 S+ h- m5 L( }. Z; OTengine version: Tengine/2.1.0 (nginx/1.6.2): G4 ]: h3 r Q& v4 F7 U* y1 T+ H8 d
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
/ e7 @: d& @7 W% r原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& W- \, [( n6 q' z1 Z, `" W
: n9 d3 }! L0 b% j8 o" D# J8 W) l5 f2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
' X; s& g @5 ^, i+ N5 J' A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
: [2 C$ P6 L+ i0 b2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
* n" G! }0 D) M# G# _+ B2 l2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"2 i- m1 Z$ Y" M: `4 ?3 _/ z! p: i
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
5 w$ V h# R# P0 ]; S5 y8 v2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
6 E: v L* M' C! @& l解决方法,移除低版本的APR (1.3.9)3 g7 W( |0 y9 Y# c4 E
$ n+ H4 z/ @' D/ {/ [1 |yum remove apr% V3 X0 t" A& Q. R
5.Error.log中有: Audit log: Failed to lock global mutex
8 O' G; d" c6 F
& I* u) Y- e) ?4 ^: s- j2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
+ t: W9 c$ s9 P0 Cglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
6 z2 n! P! K6 n/ L% N解决方法:
; J8 q& T9 V7 Z( j4 o' W& F编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 V) j5 J2 C( Z- q" ^# t9 b
8 d& U9 V/ H5 o) j; Q& a" r
SecAuditLogDirMode 0777' \" X- J5 k' x2 N' d
SecAuditLogFileMode 0550. s. U; o6 v9 O; O6 D& K( q
SecAuditLogStorageDir /var/log/modsecurity+ R* p5 \' e$ z% F7 E' a% h' k s
SecAuditLogType Concurrent) u+ w# r% v) P( B8 ~
参考文章:
" m- B8 q: D a) l$ Uhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
U2 Z2 Y$ T7 G: T7 V: P4 }http://drops.wooyun.org/tips/2614 |
|