|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
6 L" ^. V2 W2 I( D3 ~0 a, O& \
* U- |' O0 _( N1 Y# n- Q一.准备工作
% ?: o1 _& X- G: E- N
, m; q; X/ E) @, U' W系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0& u1 H7 e( g% ~- h, N, H9 @
% T3 N( [4 P" a; k. [( ptengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz' ^' B( ?+ o# P
( e; Q c! n2 F' j. V
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
- ~! T5 E8 S5 M4 A' _2 J1 E3 a- [6 `- \3 i( ?
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs* ^* A5 D9 ~5 H2 ]2 w* Q7 { I
" W) s# A: _1 C' f2 Q" A$ M依赖关系:' H/ S3 U( s: U% ]. J8 I* g: d
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
$ E0 m& q; \7 k2 U( v) j# W) F3 c" g* _# X5 j
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
, d1 m% t$ d3 B* U2 O4 W8 f5 }modsecurty依赖的包:pcre httpd-devel libxml2 apr% t: B/ ^* n# A3 c7 F$ n
& \" V" q4 l0 Y2 I+ [2 g2 q; Kyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
) L: T$ u- u0 ]$ A7 A& a二.启用standalone模块并编译/ Z' P/ J S+ m( |& W! O7 n
5 z+ l# Z: N' U3 F. N
下载modsecurity for nginx 解压,进入解压后目录执行:
; ?8 _+ y3 u2 F5 M0 I d7 H* X. R0 {- F
./autogen.sh
: [8 g& w+ ~! k* N./configure --enable-standalone-module --disable-mlogc
0 H E4 m3 \4 z0 C: Rmake 0 a/ P% Z4 @' }5 {1 {' q; N: n$ C
三.nginx添加modsecurity模块
. V' w5 i: s+ {0 U. H$ L/ Y* r7 f' v/ X [ I2 q
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
! A7 V/ s9 }1 {* i7 V
# ]: |) }" l/ M9 r' ?/ o4 S./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine3 z% \8 h$ Q; L. r K9 ]
make && make install+ o- L8 @6 n4 D: J
四.添加规则
6 r! I2 J- R9 u$ r, C1 A5 H
( N. d/ j" \2 y5 a4 z/ l- zmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
$ x) `: I0 \! e* E& ?/ h/ o5 B9 w: J( Z: c
1.下载OWASP规则:! @2 x- b3 z. p: ?5 j5 _0 h
/ p$ L$ Y" m0 g2 F* C8 R0 l
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
, K& P( H) K7 ^' d5 R/ p/ H+ J
: d! J* u) `" ~mv owasp-modsecurity-crs /opt/tengine/conf/
9 T! b: ]0 ?# M* h+ G T h& `& B' k$ ~" G5 F- {5 j0 F( B5 K* U
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf. t% b: y8 I0 v- R7 P% g
2.启用OWASP规则:' A! P1 ?+ u/ G8 o& ]% ~
4 b% R& b+ h2 V/ }: @* v复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。! C7 `4 Q$ a$ q/ z8 T# x
$ m' d2 ]6 K- M编辑modsecurity.conf 文件,将SecRuleEngine设置为 on6 G! b( [1 F3 q% T5 \0 @* V, M q
# [7 P) {* }- q$ jowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
) x7 g, P2 X+ q* i8 X2 M0 W4 M1 g- I, U, b7 @ j8 }+ }" e
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf% M! o" _! Y ?; @) e- s' C n( g
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf5 q6 Q! t# T# A7 _5 R7 g
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ H0 u: w9 f: ^% V6 BInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
6 k2 N7 N* {9 B; dInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
# P$ {5 M1 d7 i% Q" B& mInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf+ y0 v2 x4 S8 r$ h0 C
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf4 u& h4 m# G9 O+ o
五.配置nginx
0 f8 B. |! r- N% i/ t: e" u( t2 ?' C" u# ?; y* l
在需要启用modsecurity的主机的location下面加入下面两行即可:2 [; D, r3 r" d$ k9 _$ [/ u# F' f9 e
; d, L8 I2 q* F# ~0 G. P
ModSecurityEnabled on; 5 J+ K% M' f6 U5 i
ModSecurityConfig modsecurity.conf;
5 s& G" }: ^" R% I ^, e5 ?- l8 M下面是两个示例配置,php虚拟主机:
! n) T+ w, n. B0 \4 W* I+ C& W! h# l: I2 M
server {
1 Z% Z# I, Q U$ W- e listen 80;% ?" C3 x' n1 K# F
server_name 52os.net www.52os.net;7 Q+ K* H: d5 K2 R8 M! J
, E7 k$ T [5 Q; @1 @' }
location ~ \.php$ {$ z1 U( U6 C% K' }" E0 B( g+ M- R5 ~
ModSecurityEnabled on;
. R, V( O" Q. O ~0 Z ModSecurityConfig modsecurity.conf;5 [* c- r9 M3 d1 q) Q! T9 n/ Q5 c
/ F3 B6 E( M/ V K) W" L9 e
root /web/wordpress;. k; j! u9 r" K0 i/ j( b/ B( N
index index.php index.html index.htm; Q4 m) k- _* I8 J$ C7 u
' J( e: e. N& R( Y) _3 X1 ]
fastcgi_pass 127.0.0.1:9000;
% S5 a# ~6 G) q' t5 @" I fastcgi_index index.php;
9 j6 ]) V& V6 U& d6 ?. \ fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
2 O9 v9 @ I. ~! C# J include fastcgi_params;$ d! w7 w. P' o, _' b; N" }/ [
}5 ^/ p1 W7 U1 Y* g6 b7 Y9 o
}
4 O) k& c. D0 Z; t4 [: A- r2 Gupstream负载均衡:
+ t. m/ W$ E' W9 y- O5 }( s0 ]& }- {9 U+ ?+ U7 F
upstream 52os.net {" ?6 d, W5 }, N' [
server 192.168.1.100:8080;
# Z( Z$ l5 x1 w5 Q6 p, i server 192.168.1.101:8080 backup;5 @ J8 s+ F! o& w# t+ p
}2 g: P+ D8 Q0 m) `, r, |8 D
/ I) n; ?# w, ~
server {
7 M! h, M; i- L/ f# Klisten 80;
' ]! d# t2 v# K+ Wserver_name 52os.net www.52os.net;
3 k+ P3 }3 W, O, V g6 p) G2 E. c; ?% i8 {8 a- \
location / {
9 k4 U2 g, a3 R2 I2 V4 w2 y1 e( T ModSecurityEnabled on; - m0 [1 k+ r4 ?. v( G5 l- \7 h
ModSecurityConfig modsecurity.conf;
, V% p' @2 m) P T# X
. u5 L B# w% ~/ _ proxy_pass http://online;
( ^. C$ C% e) M3 E6 B% X1 H5 D* Z proxy_redirect off;
- ?( |' m( F. x6 x" z proxy_set_header Host $host; ~# j) L3 F1 G3 i
proxy_set_header X-Real-IP $remote_addr; L' p# p8 |- a! B: I! y4 c% P
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;) y- ~% I7 {) Q4 U6 f7 U
}- u# O, C) ~& |4 }8 F' {; ?
}
. _3 B0 B7 E: B4 x' C( c; S0 Y K六.测试
' v, Y) f- _4 t, E( x/ F' _8 s1 w6 R# f+ _5 n' m( f
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:% Q$ k4 M; _9 c. G5 y$ X4 R
6 A8 n0 ~; }9 }3 D9 _* ?<?php* Y# {" ? d7 B7 Z4 t) j
phpinfo();
3 T: d' `8 A- b& C1 B% ~?>& a2 w: j/ a* j3 U' a0 a
在浏览器中访问:
- W. g6 r$ G/ D% V$ |, z! A# G7 s
$ b# j; X& h0 Hhttp://www.52os.net/phpinfo.php?id=1 正常显示。5 G4 e0 ?% z/ D# |
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
( }9 g3 z9 t1 A9 R3 O: ehttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
$ p }( n0 F3 [; B0 g7 }& R0 H说明sql注入和xss已经被过滤了
. F5 i1 ?+ N& s+ O z9 |
, O; B$ l( k4 f8 V- E' \8 Q七、安装过程中排错4 d& ^& X+ ` n' p3 Q9 n
$ N1 r1 j1 M' w* G1.缺少APXS会报错$ a5 L% J) I! ]
' |6 u0 ?" W P* L9 s# q9 d
configure: looking for Apache module support via DSO through APXS5 v: N1 k- D# C3 ]% Y
configure: error: couldn't find APXS
T. R+ H0 E' ]- yapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。" S) n3 ?9 l9 A
解决方法:
/ V; O, s8 Z* b! x! O( @5 |# [
6 s* X) n1 ]5 C! H8 Z Xyum install httpd-devel
+ ^- p( P* |. O: z' V6 A2.没有pcre
( D3 { d" ]. v* |4 t5 r& k3 B7 n. L$ \
configure: *** pcre library not found.( M4 r# [" [) `( v% W0 e, w. L, M
configure: error: pcre library is required
/ R; u* d1 r: K2 m解决方法:
* }$ q% o% z9 G1 `' z) P3 v! R' Q s4 _' h% N
yum install pcre pcre-devel4 ~" b& @' P5 M! I6 {5 t1 [+ z
3.没有libxml2
2 y8 Z& e" s. s0 v! n
) Y% [+ n: \! z! w' o" _% x: D* D# `; A- ~5 V/ s- y7 p6 I# I
configure: *** xml library not found.1 ]2 G+ |/ M V# O# {; ?0 S3 m
configure: error: libxml2 is required `& c9 b. _( o
解决方法:4 u; X- N, m0 j6 F5 t, ~( \0 T
; T$ }1 i3 N% m% t2 jyum install libxml2 libxml2-devel
/ A2 M6 I/ Q9 C$ V) c9 G, s! G. H- E4.执行 /opt/tengine/sbin/nginx -m 时有警告
7 {# i4 N& n) {: G( P6 I
# X6 E6 B" a" n: s8 o# D7 [$ PTengine version: Tengine/2.1.0 (nginx/1.6.2)
( a+ O4 r( q$ s% n4 O, E* lnginx: [warn] ModSecurity: Loaded APR do not match with compiled!2 M7 }& Q6 h2 m8 B8 p4 u3 d
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
4 b, x4 e2 ~8 [/ x, D) F4 {6 | {+ p$ C3 |- o
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.( t5 s0 f+ z' S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
0 d4 ?0 |* A) m7 ~) u2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!, L+ S( t! L4 ]; h
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
0 y' u6 {7 ^* _2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"1 B3 R7 y" B$ l+ N# }: P2 ` K
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 y) d8 } a; r; y% S: d7 i8 N
解决方法,移除低版本的APR (1.3.9)
9 W9 H) F# v/ W/ c8 _: k8 a7 q7 U$ M: c
yum remove apr- P' H/ r: ?$ t) L
5.Error.log中有: Audit log: Failed to lock global mutex
' Z2 A7 h3 h* t, M Z$ W: t6 G
% {3 d3 e% A* @; W2 v8 h" o2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 3 J4 G& O8 e% K1 E/ d; c3 B
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]5 s; S: E1 G& [4 D
解决方法:
( n3 T* b. a7 a- L+ ?. f8 X编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
. s0 y2 H0 g% i; T9 H% G6 i) N! j$ r7 l
SecAuditLogDirMode 0777; I: b7 Y, b6 P- |4 B
SecAuditLogFileMode 0550# o2 m% N( d/ F5 A+ A
SecAuditLogStorageDir /var/log/modsecurity4 e) E6 \7 R1 J, B2 a, {$ x
SecAuditLogType Concurrent
. V) L, |$ T9 B4 I3 H, {0 b5 T! a参考文章:
P$ w8 I* {4 Z: L9 {https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX/ t( }' m, p% F1 d4 \
http://drops.wooyun.org/tips/2614 |
|