ModSecurity started out as an open-source WAF for Apache; it now supports Nginx and IIS as well. Combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a solid tool for both protecting and auditing web applications.
1. Preparation
System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0
Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set (CRS): https://github.com/SpiderLabs/owasp-modsecurity-crs
Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
' o8 d& T( L6 L4 J5 R3 vmodsecurty依赖的包:pcre httpd-devel libxml2 apr; g( W9 A! {! _9 `( {6 s) C6 T: e
( b' \) O5 D- {! h4 W. s$ ^; Q
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Build the standalone module
Download ModSecurity for nginx, unpack it, and in the unpacked directory run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--disable-mlogc leaves out the mlogc remote-logging client, which needs libcurl and is not required for a local audit log.
3. Add the ModSecurity module to nginx
Once the standalone module is built, pass its nginx/modsecurity directory to Tengine's configure with --add-module (adjust the source path to wherever you unpacked ModSecurity):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules
ModSecurity's job is to filter and block dangerous web traffic, and its power lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and broad, and you can of course write your own rules for whatever the CRS does not cover.
(1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
(2) Enable the OWASP rules:
Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and never blocks).
Under owasp-modsecurity-crs there are several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need by adding an Include line for each rule file: base_rules is the set meant for every deployment, while experimental_rules and optional_rules carry higher false-positive rates and are best enabled one file at a time after testing. (The file names below are those of the CRS 2.2 branch used here; the repository was later reorganised for CRS 3.)
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
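As an added example (not part of the original post or of the CRS), here is the tail of a modsecurity.conf that layers two local rules on top of the CRS includes above and handles a false positive without switching the engine off. The rule ids 10001 and 10002, the /wp-admin path, the 192.168.1.0/24 admin network and the comment parameter are assumptions chosen for illustration; 981173 is the CRS 2.2 rule that counts special characters in arguments and is a common source of false positives on free-text fields.

```apache
# Added example, not from the original post. Appended to /opt/tengine/conf/modsecurity.conf
# after the settings copied from modsecurity.conf-recommended.

# Start in DetectionOnly: every hit is logged, nothing is blocked. Switch to On once the
# audit log shows no hits on legitimate traffic.
SecRuleEngine DetectionOnly

# The CRS setup file must be included before any rule file (same Include lines as above).
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# Local rule (ids 1-99999 are reserved for local rules): deny any GET or POST argument that
# carries UNION ... SELECT. ARGS are already URL-decoded once by the engine; t:urlDecodeUni
# decodes a second time so a double-encoded payload is caught too.
SecRule ARGS "@rx (?i)\bunion\b.{0,50}?\bselect\b" \
    "id:10001,phase:2,t:none,t:urlDecodeUni,t:compressWhitespace,deny,status:403,log,msg:'Local rule: UNION SELECT in request argument'"

# Local rule: /wp-admin (assumed path) only from the admin network (assumed 192.168.1.0/24).
# Chained rule: both conditions must match for the deny in the first rule to fire.
SecRule REQUEST_URI "@beginsWith /wp-admin" \
    "id:10002,phase:1,t:none,deny,status:403,log,msg:'wp-admin access from outside the admin network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24" "t:none"

# False-positive handling: CRS rule 981173 (special-character count) trips on free text such
# as a comment field. Exclude only that parameter from that rule instead of removing the rule
# or turning the engine off. This directive must come after the Include that defines the rule.
SecRuleUpdateTargetById 981173 "!ARGS:comment"
```

Two things to keep in mind with rule 10002: REMOTE_ADDR is the address of the TCP peer as seen by this nginx, so if Tengine itself sits behind another proxy the check sees that proxy's address, not the client's; and the rule id you need for SecRuleUpdateTargetById is the one printed in the audit log entry of the false positive.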
5. Configure nginx
In each location of the virtual host that should be protected, add these two lines. ModSecurityEnabled and ModSecurityConfig are location-scoped, so in the PHP example below only requests matched by location ~ \.php$ are inspected; requests served by any other location never reach the WAF. Put the pair into every location that needs protection (the module also accepts them at server level). ModSecurityConfig takes a path relative to the nginx configuration directory, which is why modsecurity.conf lives in /opt/tengine/conf.
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Two example configurations follow. First a PHP virtual host:
server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Then a reverse proxy in front of a load-balanced upstream group (the upstream name must match the proxy_pass target):
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing
We enabled the XSS and SQL-injection rules, so a request that matches them is answered with 403 straight away. Using the PHP host as the example, create phpinfo.php containing:
<?php
    phpinfo();
?>
Open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So the SQL-injection and XSS payloads are being filtered. Each blocked request is also recorded in the audit log (SecAuditLog) together with the id of the rule that fired; that id is what you need when tuning false positives.
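As an added example (not from the original post), the same checks driven from the command line with curl, so they can be re-run from a CI job or after every rule change. It goes one step beyond the post by sending the SQL-injection payload in a POST body as well: the CRS rules match on ARGS, which covers the request body when SecRequestBodyAccess is On (the default in modsecurity.conf-recommended), so that case must be blocked too. BASE, the phpinfo.php path and the payload encodings are assumptions taken from the post's own test URLs.

```shell
#!/bin/sh
# Added example, not from the original post: smoke-test the WAF with curl.
# BASE, the script path and the payloads are assumptions based on the post's test URLs.
BASE="${BASE:-http://www.52os.net}"

# HTTP status for a GET of $1 (the query string must already be URL-encoded).
http_get_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# HTTP status for a POST of form body $2 to $1.
http_post_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 --data "$2" "$1"
}

# check <expected> <actual> <label>: print PASS/FAIL, return 0 on a match.
check() {
    if [ "$2" = "$1" ]; then
        echo "PASS [$2] $3"
        return 0
    fi
    echo "FAIL expected $1 got $2: $3"
    return 1
}

# Run every case; the return value is the number of failed cases (0 = WAF behaves as expected).
smoke_test() {
    fails=0
    # A benign request must not be blocked: this guards against an over-broad rule set.
    check 200 "$(http_get_status "$BASE/phpinfo.php?id=1")" "benign GET" || fails=$((fails+1))
    # "id=1 and 1=1" from the post, URL-encoded the way a browser sends it.
    check 403 "$(http_get_status "$BASE/phpinfo.php?id=1%20and%201%3D1")" "SQLi in query string" || fails=$((fails+1))
    # <script>alert('xss');</script> from the post.
    check 403 "$(http_get_status "$BASE/phpinfo.php?search=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E")" "XSS in query string" || fails=$((fails+1))
    # The same SQLi payload in a POST body: ARGS covers the body, so it must be blocked as well.
    check 403 "$(http_post_status "$BASE/phpinfo.php" "id=1%20and%201%3D1")" "SQLi in POST body" || fails=$((fails+1))
    echo "$fails case(s) failed"
    return "$fails"
}

# Run the suite only when invoked as "sh waf-smoke.sh run"; sourcing the file just defines the functions.
if [ "${1-}" = "run" ]; then
    smoke_test
fi
```

Run it once with SecRuleEngine set to DetectionOnly to confirm the benign case passes, then again after switching to On: the three attack cases should flip from 200 to 403.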
7. Troubleshooting the installation
(1) Missing APXS
configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS
apxs is the tool that builds and installs extension modules for the Apache HTTP Server, compiling one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is wanted.
Fix:

yum install httpd-devel
(2) Missing pcre
configure: *** pcre library not found.
configure: error: pcre library is required
Fix:

yum install pcre pcre-devel
(3) Missing libxml2
configure: *** xml library not found.
configure: error: libxml2 is required
Fix:

yum install libxml2 libxml2-devel
(4) Running /opt/tengine/sbin/nginx -m (Tengine's module listing) prints a warning
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
Cause: the APR version ModSecurity was compiled against differs from the one the dynamic loader resolves at run time. error.log shows the two versions:
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
Fix: remove the older APR (1.3.9) so that the loader picks up the 1.5.0 library ModSecurity was built against:

yum remove apr

Be aware that yum removes every package that depends on apr as well (httpd, httpd-devel, apr-util), so this is only acceptable on a host where Tengine is the sole web server. The alternative is to make the versions agree at build time by pointing ModSecurity's configure at the system APR (--with-apr=/usr/bin/apr-1-config), so that it compiles against the same 1.3.9 the loader finds.
(5) error.log contains: Audit log: Failed to lock global mutex
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

In Serial mode all workers append to one audit log file and serialise on a global mutex; that mutex is created while the master process (root) reads the configuration, and the worker processes running as the unprivileged nginx user are then refused when they try to lock it. Concurrent mode sidesteps the mutex by writing one file per transaction under SecAuditLogStorageDir. That directory must exist and be writable by the nginx worker user (the user directive in nginx.conf). Create it owned by that user and SecAuditLogDirMode 0750 is enough; 0777 is overly broad, because audit entries contain full request and response data and a world-writable log directory lets any local user read or tamper with them.