ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and performance of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when building nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is designed to filter and block web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); the rules are reliable and powerful, and you can of course also write custom rules to meet specific needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need: add an Include line in modsecurity.conf for each rule file you want to load.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

Add the following two lines inside the location block of each virtual host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

An upstream load-balancing setup:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as the example, create a file phpinfo.php with the content:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are now being filtered.
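A 403 alone does not tell you which CRS rule fired; ModSecurity writes that to nginx's error.log. The parser below is an added example, not code from the original post: it reads ModSecurity 2.x error-log lines, separates real "Access denied" blocks from operational messages (such as audit-log errors) and counts blocks per rule id, URI and client. The sample log lines are constructed for this example; the clients, rule ids, paths and unique_ids in them are made up.

```python
import re
from collections import Counter

# Constructed sample error.log lines in the shape ModSecurity 2.x for nginx
# writes them; clients, rule ids, paths and unique_ids are made up here.
SAMPLE_LOG = r"""2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 04:20:01 [error] 61610#0: [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\band\b\s*\d+\s*=\s*\d+" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:21:15 [error] 61610#0: [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "34"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:22:40 [error] 61610#0: [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:q. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "34"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# Leading part of every per-request ModSecurity line written by nginx
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \S+: \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<body>.*)$')
# Trailing [key "value"] pairs: file, line, id, msg, hostname, uri, unique_id ...
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')

def parse_line(line):
    """Return a dict for a per-request ModSecurity line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    event = {"ts": m.group("ts"), "level": m.group("level"),
             "client": m.group("client"),
             # only "Access denied" lines are real blocks; audit-log or engine
             # messages share the same prefix but are operational notices
             "denied": body.startswith("Access denied")}
    for f in FIELD_RE.finditer(body):
        event[f.group("key")] = f.group("val")
    return event

def summarize(text):
    """Count blocked requests per (rule id, uri) and per client address."""
    by_rule, by_client = Counter(), Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["denied"]:
            by_rule[(ev.get("id"), ev.get("uri"))] += 1
            by_client[ev["client"]] += 1
    return by_rule, by_client

if __name__ == "__main__":
    rules, clients = summarize(SAMPLE_LOG)
    for (rule_id, uri), n in rules.most_common():
        print(f"rule {rule_id} blocked {n} request(s) to {uri}")
```

Point it at a real error.log by replacing SAMPLE_LOG with the file's contents; a rule that keeps blocking legitimate traffic on one URI is the usual sign that an exclusion is needed for that application.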

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614