ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a solid tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, nginx can pick it up at build time through "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in the rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
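Before reloading nginx it is worth verifying that modsecurity.conf actually enables blocking and that every Include line resolves to a file. The checker below is an added example written for this article, not code from ModSecurity or Tengine. It assumes that relative Include paths are resolved against the nginx conf directory (the layout used above, with the CRS under /opt/tengine/conf) and runs against a constructed sample config in a temporary directory; as an extra check it flags a world-writable SecAuditLogDirMode.

```python
import os
import re
import tempfile

# Constructed sample modsecurity.conf modelled on the directives this article
# enables. The Include targets are created in a temporary directory by demo()
# so the check runs offline; the last Include is deliberately missing.
SAMPLE_CONF = """\
SecRuleEngine On
SecAuditLogDirMode 0777
SecAuditLogStorageDir /var/log/modsecurity
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/optional_rules/missing_rules.conf
"""

# A ModSecurity directive line: directive name, whitespace, the rest is the value.
DIRECTIVE_RE = re.compile(r"^\s*(Sec\w+|Include)\s+(.*?)\s*$")


def parse_directives(text):
    """Return (name, value) pairs, skipping comments and blank lines."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def _world_writable(mode_str):
    """True if an octal mode string such as 0777 grants write to 'other'."""
    try:
        return bool(int(mode_str, 8) & 0o002)
    except ValueError:
        return False


def check_conf(text, conf_dir):
    """Return a list of findings for a modsecurity.conf; an empty list means clean.

    conf_dir is the nginx conf directory that relative Include paths are
    resolved against.
    """
    findings = []
    directives = parse_directives(text)
    engine = [v for n, v in directives if n == "SecRuleEngine"]
    if not engine:
        findings.append("SecRuleEngine is not set (must be On to block)")
    elif engine[-1].lower() != "on":
        findings.append("SecRuleEngine is %s, requests are not blocked" % engine[-1])
    for name, value in directives:
        if name == "Include":
            path = value if os.path.isabs(value) else os.path.join(conf_dir, value)
            if not os.path.isfile(path):
                findings.append("Include target missing: %s" % path)
        elif name == "SecAuditLogDirMode" and _world_writable(value):
            findings.append("SecAuditLogDirMode %s is world-writable" % value)
    return findings


def demo():
    """Create the sample layout in a temp dir and run the check on it."""
    present = (
        "owasp-modsecurity-crs/modsecurity_crs_10_setup.conf",
        "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf",
        "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf",
    )
    with tempfile.TemporaryDirectory() as conf_dir:
        for rel in present:
            full = os.path.join(conf_dir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return check_conf(SAMPLE_CONF, conf_dir)


if __name__ == "__main__":
    for finding in demo():
        print("WARN:", finding)
```

To check a real installation, call check_conf with the contents of /opt/tengine/conf/modsecurity.conf and "/opt/tengine/conf" as conf_dir; the sample run reports the missing Include and the 0777 directory mode.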
V. Configure nginx

Add the following two lines inside the location block of each virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the name used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered with a 403 directly. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS requests are being filtered.
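The three browser checks above can be turned into a repeatable smoke test that is run after every rule or nginx change. The script below is an added example, not part of the original article; it assumes a base URL given on the command line (the article's phpinfo.php URL is the default), percent-encodes the query strings the way a browser does, and reports every case whose status code differs from the expected one. The fetch function is a parameter so the comparison logic can be exercised without a live server.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed test cases modelled on the article's three requests: one benign
# query that must pass, and two requests carrying the article's test strings
# that the enabled CRS rules are expected to answer with 403.
CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url, params):
    """Percent-encode the query string as a browser would before sending it."""
    return base_url + "?" + urllib.parse.urlencode(params)


def http_status(url):
    """Return the HTTP status code of a GET; 4xx/5xx are results, not failures."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_tests(base_url, fetch=http_status):
    """Return (url, expected, actual) for every case that did not behave as expected."""
    failures = []
    for params, expected in CASES:
        url = build_url(base_url, params)
        actual = fetch(url)
        if actual != expected:
            failures.append((url, expected, actual))
    return failures


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    failures = run_smoke_tests(base)
    for url, expected, actual in failures:
        print("FAIL %s: expected %d, got %d" % (url, expected, actual))
    print("%d of %d checks passed" % (len(CASES) - len(failures), len(CASES)))
```

An empty result means the WAF behaved as the article describes; a 200 on one of the last two cases usually means SecRuleEngine is still DetectionOnly or the corresponding Include line is missing.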
VII. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool used to build and install extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning appears when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
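Both the APR mismatch in item 4 and the audit-log error in item 5 show up in nginx's error.log, and once ModSecurity is blocking traffic the same file is where the "Access denied" events land, so it pays to parse these lines rather than read them by hand. The parser below is an added example, not code from the article or from ModSecurity. It runs over a constructed sample that reuses the log lines shown above plus one constructed "Access denied" line (its rule id, file line and message are placeholders, not real CRS values), reports compiled-versus-loaded version mismatches, and counts blocked requests per client IP.

```python
import re
from collections import Counter

# Constructed sample: the version notices and the mutex error are the lines
# shown in the article; the last line is a constructed "Access denied" event
# whose rule id, file line and message are placeholders, not real CRS values.
LOG_LINES = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "placeholder" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "0"] [id "999999"] [msg "SQL Injection Attack (constructed sample)"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED000000000001"]
"""

# nginx error.log prefix, optional [client ...] tag, then the ModSecurity message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<msg>.*)$"
)
# "<LIB> compiled version="..."; loaded version="..."" notices emitted at startup.
VERSION_RE = re.compile(
    r'(?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"; loaded version="(?P<loaded>[^"]*)"'
)
# Trailing [key "value"] fields on audit and block messages.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_line(line):
    """Split one error.log line into timestamp, level, client, message and fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    rec["fields"] = dict(FIELD_RE.findall(msg))       # hostname, uri, unique_id, id, ...
    rec["text"] = FIELD_RE.sub("", msg).strip()       # message with the fields removed
    rec["blocked"] = msg.startswith("Access denied")  # a rule actually denied the request
    return rec


def version_mismatches(lines):
    """Return (library, compiled, loaded) for every startup notice whose versions differ.

    Only the leading version token is compared: the PCRE notice reports
    "7.8 " against "7.8 2008-09-05", which nginx does not warn about.
    """
    out = []
    for line in lines:
        m = VERSION_RE.search(line)
        if not m:
            continue
        compiled = m.group("compiled").split()[0]
        loaded = m.group("loaded").split()[0]
        if compiled != loaded:
            out.append((m.group("lib"), compiled, loaded))
    return out


def blocked_by_client(lines):
    """Count 'Access denied' events per client IP, a quick view of who is being blocked."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["blocked"]:
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = LOG_LINES.splitlines()
    for lib, compiled, loaded in version_mismatches(lines):
        print("version mismatch: %s compiled %s, loaded %s" % (lib, compiled, loaded))
    for client, n in blocked_by_client(lines).items():
        print("%s: %d blocked request(s)" % (client, n))
```

On a real host, replace LOG_LINES with the contents of the nginx error.log; a non-empty result from version_mismatches after a rebuild is the signal that the library fix in item 4 has not taken effect.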
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614