ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, the module is added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is about filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and does not block).

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding Include lines for them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines to the location block of each virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are lowercase: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered with 403 directly. Taking a PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
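The three browser checks above can be scripted so they are repeated after every rule change. This is an added example, not code from the original post: BASE_URL is a placeholder for your own vhost, the function names are chosen here, and the probe strings are the same ones the post uses.

```python
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.example.com"  # placeholder: set to the vhost you are protecting

# (description, query parameters, expected status). The probe values are the
# ones from the test section above; a WAF that is enforcing returns 403 for
# the last two while letting the benign request through.
CASES = [
    ("benign request", {"id": "1"}, 200),
    ("SQL injection probe", {"id": "1 and 1=1"}, 403),
    ("XSS probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url):
    """GET the URL and return its status; a 4xx/5xx is a result, not a failure."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(fetch=http_status, base_url=BASE_URL):
    """Send every case through `fetch`; return (description, expected, actual, ok) tuples."""
    results = []
    for desc, params, expected in CASES:
        url = f"{base_url}/phpinfo.php?{urllib.parse.urlencode(params)}"
        actual = fetch(url)
        results.append((desc, expected, actual, actual == expected))
    return results


def waf_enforcing(results):
    """True only if the benign request passed and every probe was blocked."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    checks = run_checks()
    for desc, expected, actual, ok in checks:
        print(f"{'PASS' if ok else 'FAIL'} {desc}: expected {expected}, got {actual}")
    print("WAF enforcing" if waf_enforcing(checks) else "WAF NOT enforcing (check SecRuleEngine)")
```

If the probes come back 200, the usual cause is SecRuleEngine still set to DetectionOnly or the rule Include lines missing from modsecurity.conf.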
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (the storage directory must exist and be writable by the user the nginx workers run as):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614