ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a strong tool for both protecting and auditing web traffic.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, it can be added to nginx at configure time with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
IV. Add rules

ModSecurity is built to filter and block dangerous web traffic, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover your own needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want is pulled in with an Include directive in modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each virtual host that should be protected by ModSecurity, add the following two lines inside the location block:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Second, a load-balanced upstream:

    upstream 52os.net {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            # the name after http:// must be the upstream group defined above
            proxy_pass http://52os.net;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
VI. Testing

We enabled the XSS and SQL injection filters, so a malformed request is answered directly with 403. Taking a PHP environment as the example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
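The three browser checks above can be scripted so the WAF is re-verified after every rule change. The following Python script is an added example, not code from the original post: it sends the same three requests and checks that the benign one is served (200) while the two attack-shaped ones are rejected (403), which also catches the opposite failure, a rule set that starts blocking legitimate requests. The host and paths are the article's own; BASE_URL, WAF_CASES, check_waf and http_status are names chosen for this example.

```python
"""WAF smoke test for the ModSecurity/Tengine setup described in the article.

Added example; not code from the original post. It sends the three requests
from the testing section and checks that the benign one is served (200) while
the two attack-shaped ones are rejected by the rule set (403). BASE_URL is the
article's host; change it to the virtual host you are testing.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"  # host from the article; adjust for your deployment

# (path, query parameters, expected status) for the three requests in section VI.
# The two malicious-looking values are the ones the article used to exercise the
# SQL injection and XSS rules of the CRS.
WAF_CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),                                    # benign, must pass
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),                            # SQLi shape, must be blocked
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),  # XSS shape, must be blocked
]


def build_url(base_url, path, params):
    """Percent-encode the query string, as the browser did for the article's URLs."""
    return "%s%s?%s" % (base_url, path, urllib.parse.urlencode(params))


def http_status(url, timeout=5):
    """GET the URL and return its HTTP status; a 403 from the WAF is a result, not an exception."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_waf(base_url, cases, fetch=http_status):
    """Run every case and return (url, expected, actual, ok) tuples.

    `fetch` is injectable so the checker can be exercised without a live server.
    """
    results = []
    for path, params, expected in cases:
        url = build_url(base_url, path, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True only if every case got exactly the expected status: no missed attack, no false positive."""
    return all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    outcome = check_waf(BASE_URL, WAF_CASES)
    for url, expected, actual, ok in outcome:
        print("%s expected=%s got=%s %s" % ("PASS" if ok else "FAIL", expected, actual, url))
    raise SystemExit(0 if all_passed(outcome) else 1)
```

Run it against the host after each change to the Include list; a non-zero exit means either a payload got through or the benign request was blocked, and the printed line says which.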
VII. Troubleshooting the installation

1. Missing APXS causes an error

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2. pcre is missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 is missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also shows the following:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent
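Problems 4 and 5 are both diagnosed from error.log, and the same lines are what an operator would watch after deployment. The following Python module is an added example, not code from the original post or from the ModSecurity project: it parses the nginx/ModSecurity error-log format shown above (the timestamp, level and pid prefix, the optional [client ...] tag, and the trailing [name "value"] fields) and flags the two conditions discussed, a library whose loaded version differs from the compiled one and audit-log failures. SAMPLE_LOG holds the article's own lines, with the wrapped mutex entry rejoined onto one line; the function and field names are chosen for this example.

```python
"""Structured parsing of the ModSecurity messages nginx writes to error.log.

Added example; not code from the original post. It parses the log format shown in
the troubleshooting section and flags the two conditions discussed there: a library
whose loaded version differs from the one ModSecurity was compiled against (7.4),
and audit-log failures (7.5). SAMPLE_LOG holds the article's own lines, with the
wrapped mutex entry rejoined; the function and field names are chosen here.
"""
import re

# error.log lines from the article (sample input embedded for this example).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx prefix: "date time [level] pid#tid: message"
LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$")
# "[client a.b.c.d] " that nginx prepends to request-scoped messages
CLIENT_RE = re.compile(r"^\[client ([^\]]+)\] ")
# ModSecurity's trailing [name "value"] fields (hostname, uri, unique_id, ...)
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# start-up notices reporting compiled vs loaded library versions
VERSION_RE = re.compile(r'ModSecurity: (\w+) compiled version="([^"]*)"(?:; loaded version="([^"]*)")?')


def parse_line(line):
    """Return a dict for one error.log line, or None if it is not in nginx's format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when, level, pid, rest = m.groups()
    rec = {"time": when, "level": level, "pid": int(pid), "client": None}
    cm = CLIENT_RE.match(rest)
    if cm:
        rec["client"] = cm.group(1)
        rest = rest[cm.end():]
    rec["fields"] = dict(FIELD_RE.findall(rest))        # e.g. {"uri": "/i.php", ...}
    rec["message"] = FIELD_RE.sub("", rest).strip()     # message text without the fields
    return rec


def parse_log(text):
    """Parse every recognisable line of an error.log excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def version_mismatches(records):
    """Map library name -> (compiled, loaded) where the loaded version differs.

    Only the leading version token is compared, so PCRE "7.8 " vs "7.8 2008-09-05"
    is not a mismatch, while APR "1.5.0" vs "1.3.9" is (the case in section 7.4).
    """
    out = {}
    for r in records:
        vm = VERSION_RE.search(r["message"])
        if vm is None or vm.group(3) is None:
            continue
        compiled, loaded = vm.group(2).strip(), vm.group(3).strip()
        if compiled.split()[:1] != loaded.split()[:1]:
            out[vm.group(1)] = (compiled, loaded)
    return out


def audit_log_failures(records):
    """Records reporting an audit-log problem, such as the mutex error in section 7.5."""
    return [r for r in records if r["message"].startswith("ModSecurity: Audit log:")]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("version mismatches:", version_mismatches(recs))
    for r in audit_log_failures(recs):
        print("audit log failure from %s on %s: %s" % (r["client"], r["fields"].get("uri"), r["message"]))
```

Feed it the real error.log instead of SAMPLE_LOG and the two checks give a quick answer to "is the APR fix in place?" and "is the audit log actually being written?"; the parsed unique_id field is what ties an error.log entry to its transaction in the audit log directory.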
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614