ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, tengine 2.1.0, modsecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages modsecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download modsecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the modsecurity module to nginx

Once the standalone module is built, it can be added to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
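The steps of sections II and III gathered into one script, added here as an example; it is not code from the original post or from the ModSecurity or Tengine projects. The modsecurity source path and the /opt/tengine prefix follow the post; the tengine source path /root/tengine-2.1.0 is an assumption. It adds the checks that would otherwise only surface as the configure errors listed in section VII, and verifies afterwards that the installed binary really carries the module.

```shell
#!/bin/sh
# Added example, not part of the original post: builds the ModSecurity
# standalone module and then a Tengine that includes it. MODSEC_SRC and the
# /opt/tengine prefix follow the post; TENGINE_SRC is an assumed location.
set -u

MODSEC_SRC=${MODSEC_SRC:-/root/modsecurity-2.8.0}
TENGINE_SRC=${TENGINE_SRC:-/root/tengine-2.1.0}
PREFIX=${PREFIX:-/opt/tengine}

# Print the names of the given tools that are not on PATH, one per line.
# apxs comes from httpd-devel; its absence is the "couldn't find APXS" error.
missing_commands() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# nginx's --add-module expects a directory that contains a "config" file.
# Checking it up front gives a clear message instead of a failed configure.
check_addon_dir() {
    [ -d "$1" ] && [ -f "$1/config" ]
}

build_modsecurity() {
    ( cd "$MODSEC_SRC" &&
      ./autogen.sh &&
      ./configure --enable-standalone-module --disable-mlogc &&
      make )
}

build_tengine() {
    addon="$MODSEC_SRC/nginx/modsecurity"
    if ! check_addon_dir "$addon"; then
        echo "no nginx module at $addon (has modsecurity been built?)" >&2
        return 1
    fi
    ( cd "$TENGINE_SRC" &&
      ./configure --add-module="$addon/" --prefix="$PREFIX" &&
      make && make install )
}

# The installed binary reports its configure arguments with -V; the module is
# present only if --add-module=...modsecurity appears there.
verify_module() {
    "$PREFIX/sbin/nginx" -V 2>&1 | grep -q -- '--add-module=.*modsecurity'
}

main() {
    missing=$(missing_commands apxs gcc make)
    if [ -n "$missing" ]; then
        echo "missing build tools: $(echo "$missing" | tr '\n' ' ')" >&2
        echo "apxs is provided by httpd-devel (see section VII)" >&2
        return 1
    fi
    build_modsecurity || return 1
    build_tengine || return 1
    verify_module && echo "modsecurity module is built into $PREFIX/sbin/nginx"
}

# Only start the build when invoked as "sh build.sh build"; sourcing the file
# just defines the helper functions.
if [ "${1:-}" = "build" ]; then
    main
fi
```

Run it as root with `sh build.sh build`; override MODSEC_SRC, TENGINE_SRC or PREFIX in the environment if the tarballs were extracted elsewhere.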
IV. Add rules

ModSecurity is designed to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

Under owasp-modsecurity-crs there are several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is activated simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of each host that should be protected by modsecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, requests that match those rules are rejected with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version modsecurity was compiled against differs from the one loaded at runtime. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
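A small health check for the two error.log conditions in items 4 and 5, added here as an example; it is not code from the original post or from the ModSecurity project. It reads an nginx error.log (for the post's prefix that is /opt/tengine/logs/error.log, nginx's default location), compares each library's compiled and loaded versions, and counts audit-log mutex failures. The sample log embedded in demo_log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not part of the original post: checks an nginx error.log for
# the two ModSecurity conditions described in items 4 and 5 above.
# Usage: sh modsec_check.sh /opt/tengine/logs/error.log
# To try it on the constructed sample: demo_log > /tmp/e.log; sh modsec_check.sh /tmp/e.log

# Sample error.log content, constructed from the lines quoted in items 4 and 5.
demo_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
EOF
}

# Print "compiled|loaded" from the most recent "<NAME> compiled version=...;
# loaded version=..." notice, e.g. "1.5.0|1.3.9" for APR. Prints nothing when
# the log has no such line (LIBXML, for instance, reports no loaded version).
lib_versions() {
    grep "ModSecurity: $2 compiled version=" "$1" | tail -n 1 |
        sed -n 's/.*compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1|\2/p'
}

# A loaded version is taken as matching when it starts with the compiled
# string: the PCRE pair in the post ("7.8 " vs "7.8 2008-09-05") drew no
# warning while the APR pair ("1.5.0" vs "1.3.9") did.
version_matches() {
    case $2 in
        "$1"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# 0 = versions agree, 1 = mismatch, 2 = no version line for that library.
check_lib() {
    log=$1; name=$2
    pair=$(lib_versions "$log" "$name")
    if [ -z "$pair" ]; then
        echo "$name: no compiled/loaded version line in $log"
        return 2
    fi
    compiled=${pair%%|*}; loaded=${pair#*|}
    if version_matches "$compiled" "$loaded"; then
        echo "$name: ok (compiled \"$compiled\", loaded \"$loaded\")"
    else
        echo "$name: MISMATCH compiled \"$compiled\", loaded \"$loaded\" (see item 4)"
        return 1
    fi
}

# Number of audit-log mutex failures (item 5); prints 0 when there are none.
mutex_failures() {
    grep -c 'Audit log: Failed to lock global mutex' "$1" || true
}

# Exit 0 when everything looks healthy, 1 when a mismatch or mutex failure was seen.
main() {
    log=$1
    rc=0
    for lib in APR PCRE; do
        check_lib "$log" "$lib" || case $? in 1) rc=1 ;; esac
    done
    n=$(mutex_failures "$log")
    if [ "$n" -gt 0 ]; then
        echo "audit log: $n 'Failed to lock global mutex' errors (see item 5)"
        rc=1
    fi
    return $rc
}

# Run the check only when a log path is given; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

A non-zero exit makes the script usable from cron or a deployment pipeline as a post-install gate: a version mismatch means the binary is loading a different libapr than it was linked against, and mutex failures mean requests are being served while their audit records are silently lost.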
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614