|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。2 \$ {4 m& h& y s S' g9 S
& h4 ], B6 ~& l$ e' [" j3 [5 _一.准备工作( W- y, J5 k, Z2 E& \: X0 w
$ D- t. k z' T. m. u
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0 \% [, P( B1 G
6 k# O) V4 @/ W1 q
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
7 q* S0 i: \- k H( D% ^/ K* |; K6 H3 ~1 r F4 n1 i: ?: J8 W
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz. j7 T7 j" [9 Z! q( m* P! y
4 p0 |0 W* a* B; X1 I) ?. E( S; dOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs+ G) R) N f& ^$ g; k" d/ d* [
0 I6 }0 Q2 r) o7 w5 m; D依赖关系:5 _/ G3 T0 A# l0 v- B4 f( _
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
0 _# x, E/ z2 Y" r$ e( I+ `. F$ C& A/ U, P, i
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
. ^: u" H1 a& o+ Qmodsecurty依赖的包:pcre httpd-devel libxml2 apr
6 z5 }. l3 O- o5 D* [" Z
( i2 o) |2 N; Qyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
* F" [# U* `1 [$ r+ z3 \9 D二.启用standalone模块并编译
2 u$ C/ {% h# r, P: b+ D- k" J3 O
$ X" P' i, k$ w6 |5 @9 o- n% U3 ?3 y下载modsecurity for nginx 解压,进入解压后目录执行:
# J7 F: k3 ^! l+ G0 _! r. D
1 F; Q& _1 r1 I3 \./autogen.sh) q: d. ]7 o2 l# }& A V
./configure --enable-standalone-module --disable-mlogc# c7 k9 L* S& C" [ d
make 3 C/ ]& a5 K% _$ r) r2 I- b
三.nginx添加modsecurity模块) Q1 |* p" ~& l
* Q# q( x2 `) {: N2 J, B- B* d在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
/ O: ^+ |8 P2 J( \7 \$ H
7 E0 N% Q8 H' v6 W% ]; g+ _9 T" b./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine* r' j2 k" e* g
make && make install
6 k% S8 b0 P8 X3 f; i四.添加规则& S$ z& O0 ?; Z- W6 i `
" x7 ^7 l# c ]$ Y6 \' G4 B+ a' v
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
8 Y$ {/ b# Y; K! t, @# C5 a6 a0 A9 a* m$ ^: _5 o0 d
1.下载OWASP规则: n- l" I5 F7 _% W0 f% {+ W8 W3 W
4 y% L( t* ~, H/ R, f
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
& _' g8 e; N7 e- \% g& h3 Z; `
& {" y& k v$ w; B& ]mv owasp-modsecurity-crs /opt/tengine/conf/
( P0 ~+ z% D+ {8 Z" I( ]
7 \3 X9 B3 P+ pcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
, o; r/ U" P, i& c2.启用OWASP规则:
$ o4 l; \8 r) o2 c. Y" U6 O: |$ l# h
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。& G0 N8 j5 Y6 e% d7 {/ D" g
2 j: V& q0 l$ v1 l8 q
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on5 Z% a/ `3 K4 U% y7 h
8 i9 W# {. f; R: r+ O
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。" t2 |/ L) b4 n& j, G. C2 R
1 O7 S G& S1 ~- R+ hInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf/ x6 K4 m0 K6 b* d! K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
- ?0 M! y1 y1 m, Y8 X' g6 V5 o# ?Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
% r: q3 q, G8 {5 J7 }5 e6 ZInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 R4 j& k' p- l9 L+ YInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
( _3 W- y: W: w2 g5 r. Y2 KInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf- q+ b6 o3 G" C( u
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
2 g# P: V. A$ ^% w; m- H五.配置nginx ]" x ?4 [3 i) c
/ a" M) H3 X! [( e
在需要启用modsecurity的主机的location下面加入下面两行即可:5 \4 E9 Y, M0 n, M4 n' g
$ z7 e) q5 r3 `& Q
ModSecurityEnabled on; " q$ D8 k4 [7 _
ModSecurityConfig modsecurity.conf;4 Q" u5 X% ^* M
下面是两个示例配置,php虚拟主机:
- N, M, B% @7 L; a, a: G/ c3 k8 U8 J
' ]- y, B! q/ Userver {
% d( Q( X* b) g, u- J: P( h7 e% c listen 80;
7 _/ t7 {$ e- h3 A7 i server_name 52os.net www.52os.net;2 i0 H3 h& S" k5 P0 X) `. m3 n
4 ~ X: S3 _0 P& G' n
location ~ \.php$ {) s% T7 D4 G c4 T
ModSecurityEnabled on; + s9 @) _) q7 p- H& E, y
ModSecurityConfig modsecurity.conf;" c& N' Y- O5 O% ~( O- W
, l6 Q z8 Y& E
root /web/wordpress;9 j$ T& J( t5 L; F' \) u/ C
index index.php index.html index.htm;
; J( S5 ]2 Y- j2 z) d8 k4 @0 B/ Z 3 c1 p4 F, T) \: {, y3 Q
fastcgi_pass 127.0.0.1:9000;+ x5 Z9 V! m6 O
fastcgi_index index.php;
, S4 Z+ |# @! U' v- q, f fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
1 z0 j6 p- j! O6 p include fastcgi_params;5 @5 \% f% n6 O9 l% t( \- A2 w
}
2 g5 v" Y0 ^6 W) K: ` }
/ F6 \$ r8 W* b( G) B- l' vupstream负载均衡:" F: g) o6 e" O
8 f# P* J r3 ?/ @5 A
upstream 52os.net {
2 S# k* b3 c }1 |! ~ server 192.168.1.100:8080; R0 e3 U4 \' Y8 w0 _& ~& S
server 192.168.1.101:8080 backup;; u6 Q& l3 x; c% }7 N: s1 V* [# N
}
8 [3 |1 [8 I" t' }* K3 ^& ?- b: w6 b& t9 K8 J9 F
server {
4 _- @8 b$ r6 [8 Jlisten 80;
# E% u3 N7 c6 }& Dserver_name 52os.net www.52os.net;% Q4 ]# U# x j5 x) m% ^8 U/ v
: O1 k4 [3 {/ C6 K. j& Y
location / {6 d5 P5 O. D4 j) z
ModSecurityEnabled on; 3 ]8 N' J+ E* g2 C2 h" G' }
ModSecurityConfig modsecurity.conf;
4 e1 P8 |. c( b5 Z6 q9 A3 [! g8 C' w$ {, c& p# e& e* ~& z
proxy_pass http://online;9 y: @& `7 p& E3 u6 L" \, G; u
proxy_redirect off;* N& O! j/ I+ M- k/ g3 S
proxy_set_header Host $host;
/ A0 X6 z# ^, R0 z0 k proxy_set_header X-Real-IP $remote_addr;
4 Z3 H8 g" Z; Z0 y; ` proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;; m d2 y$ `' C/ |3 k
}
) Y: w; n/ v+ D }. d5 P$ Y4 [. N6 m}
3 `3 h" t: \+ Y% \5 w- g0 @六.测试
! T! l; f) ^) W, l* B+ c# f
# k; ^+ q3 O% ]7 _2 O, F我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
, B3 `( _* g' s' @' h- D' u- a* s, y$ [- i
<?php- U2 A4 n8 M8 {$ v
phpinfo();
+ [ S7 [' X, U$ d' _- V?>
0 I( W* X2 N4 b1 Y3 K4 W在浏览器中访问:
9 T: c2 F6 y% J* _+ t5 @
9 U5 g. u' Z+ z- _" Vhttp://www.52os.net/phpinfo.php?id=1 正常显示。8 k. w& g/ q9 o: X
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
: {, J3 w) i! u, O0 khttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。0 s% p: G# E8 r! q4 u) V
说明sql注入和xss已经被过滤了) T( A) e. r$ o! a' A) U% C
7 I" x/ k# q7 s% j2 [* B
七、安装过程中排错
! K' ]! d0 x7 b6 h
( y* V) v: L9 B: V# G' z+ @& U" _2 K1.缺少APXS会报错+ d, x5 l( K$ f9 B- ]
i7 h: H( W$ O8 n6 P
configure: looking for Apache module support via DSO through APXS
+ E9 J2 C. `. c. W2 K% k0 x0 Kconfigure: error: couldn't find APXS/ i" E4 Z( z. |: C
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。5 r7 G6 \: q9 v5 D8 [
解决方法:& Y5 [4 B5 C( Q3 q
0 F, i/ _) k0 J7 jyum install httpd-devel
! i7 H9 e/ P r2.没有pcre
! d2 A: _7 f& @1 F8 s$ f. K
. n: [1 t5 q3 e- n9 `) jconfigure: *** pcre library not found.
' y( D' C/ v, g0 h2 Gconfigure: error: pcre library is required j+ K( }% W( o- a- Z
解决方法:
2 n) \ I! Z1 l. W- S) h5 N; \( m- T9 X$ w6 ^
yum install pcre pcre-devel
2 Q3 `: }% b2 v1 A3.没有libxml22 I& `: `& a" h0 a) C2 Z+ y% v
& X$ j c6 p' m$ P) k% {' |; x+ f. v6 c7 S
configure: *** xml library not found.6 R8 }) }' w1 ^" {$ z8 _
configure: error: libxml2 is required
; m) C4 ?5 w7 ~; }1 b5 L& z解决方法:
( I+ \# T' B) M- l6 N! h% c8 }- t
@% W" @+ q- T& y2 z' Byum install libxml2 libxml2-devel8 {% A8 |% j9 w
4.执行 /opt/tengine/sbin/nginx -m 时有警告) H3 S1 q* P+ z6 j4 p1 x6 K
) R$ R) F" d- w4 v# b5 xTengine version: Tengine/2.1.0 (nginx/1.6.2)* m' c+ V' \; @" a
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!4 U" `: B I/ u3 n* s) B1 Y
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
a, G; ?* |5 c* ^% C" z& _# e0 V$ x
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
& J+ E0 ^ ^. \7 j: D9 j$ F& h2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"" F+ `7 G3 |/ i2 b7 R. O( J
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!- M7 D3 x7 Z$ d% x l
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05", T) j6 B* e# H, g- Q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
+ E: K4 r+ x m2 Y( y" J2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.+ K2 G; _; K( s* C% t5 E/ V1 N, k
解决方法,移除低版本的APR (1.3.9)& n$ s m! S/ F: n. G
3 V( N* [ q, Y; f; hyum remove apr
; n; J7 ?# D6 Z5.Error.log中有: Audit log: Failed to lock global mutex
, B, p! K$ d9 Q2 u. ^; c9 ?5 T2 b
3 {5 a! r0 L% u3 ~2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock / \ j) s& A+ y/ e( N1 U0 c1 I; Z0 ?
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]5 p1 d j2 H5 F' P
解决方法:
" W3 \; \& j, f; v/ ~+ x( G编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
" K; y, {2 @9 m' h0 o8 _+ L8 x( I, V0 B8 J& ?1 N) a3 U
SecAuditLogDirMode 07772 M0 D- u2 x, x' b) q) ]
SecAuditLogFileMode 0550
* T. o$ m+ G/ e2 C, mSecAuditLogStorageDir /var/log/modsecurity
4 N' o+ B' v/ x3 _2 F4 K8 _ nSecAuditLogType Concurrent6 v4 d @7 [$ S
参考文章:
3 E9 ]) S. Q, C ^2 w- Khttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX5 G0 o1 H' j4 z+ Y, g. Q
http://drops.wooyun.org/tips/2614 |
|