|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。3 ~* F% U; Z" i3 g$ K
) {( F1 `0 u8 w! l2 E
一.准备工作
! t. Y( [: Z6 d" {) M& U( f2 m: `0 W! `- T2 a& B
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.06 J' ]0 I5 m" m( H, x4 b ?/ H/ O
. N& Y! C& y5 c: s- I" _# ~. Y
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz. J; p& O' r1 h
6 ^+ @5 `. H% i0 q0 ?4 C
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz) {4 b4 v, d' v/ K9 @+ P- @& j) m/ Z
2 m$ y& y- s0 I$ J pOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
; k: O/ \/ g' N8 h4 Q! j1 U( o% h, t3 v% ]" m# }
依赖关系:! d5 Y/ n* p3 d) M- Z/ k, a' k: F
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
( k+ W6 ]+ ?" {& V+ H& p/ m' S: b# ]2 R/ V7 B/ o
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel& I. h, k4 r3 i
modsecurty依赖的包:pcre httpd-devel libxml2 apr; c8 C- k1 |' G+ I) {
8 M3 K1 n# \: Z b7 `yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel9 F* ^# f, \9 ~1 N
二.启用standalone模块并编译
$ }* `- E; i# _4 @! I. U3 H7 K, Y5 W$ U: [7 H0 H3 b
下载modsecurity for nginx 解压,进入解压后目录执行:
: H+ J7 y P/ E9 [& X# p5 H0 K
& n- j: A: d( K: u# [9 M./autogen.sh
7 e7 N2 `+ B$ E* Z./configure --enable-standalone-module --disable-mlogc. W9 D5 W0 r! a* ?7 C4 N
make . x$ k [! B7 y1 _/ X# n) T q, c
三.nginx添加modsecurity模块- q0 ^& Z# S+ h1 M8 ]3 d. m
) K- C' O3 \( b& o2 V0 N- e在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
2 m/ n9 w5 C0 H' s6 d/ [& i5 C) U' X, n# x, Y
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine3 r/ v/ H2 y+ p" ?
make && make install
' Y. J2 i. i5 E, H, e" w四.添加规则
5 {6 U. P7 q! o+ A
% O7 \. x2 D! Gmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
6 t! l- x$ P7 P/ c/ ~- N( ]& u c% a
1.下载OWASP规则:
+ M9 b: [) L) o! U# K% f
: f2 z9 G& m" }% ^git clone https://github.com/SpiderLabs/owasp-modsecurity-crs o* ]1 c& P6 T
2 v* v r$ ~1 \# i; wmv owasp-modsecurity-crs /opt/tengine/conf/
+ Y% u% ~: K( j! e' n- h: _! L: f! l4 h: a9 B1 f# w% r! U& ^
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2 N5 G* |4 @; ]- o" x2.启用OWASP规则:' O: j0 K6 v6 a4 R _. H: v2 b
# N) u5 U7 P" r0 q
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
0 [2 K+ D' |3 C) F+ S& \( t# J
' j# B! |# T' ~7 A编辑modsecurity.conf 文件,将SecRuleEngine设置为 on" e6 K/ b+ o4 \: m1 m: p: Z4 F
4 h1 c. h4 } ]9 S
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
$ k- G: J! r! _: v9 ^" \" T# f7 s& g* W: B% C
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf& Q' q2 x0 J: R- p1 N0 [
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf* j) G1 Q0 R. Y/ W: x& K
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf8 y1 O+ y" {: t+ Q* r' i. i
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
. v8 B, _, }- CInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf' {# V( H4 Q% k6 i7 |, n
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf9 F& ~- ~5 `: I( }9 T2 F
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf! ^$ X) ]* ?: `5 E. o% v
五.配置nginx
6 }/ [7 x* s- c3 H2 Y
0 A+ E! G# r1 j% K; T在需要启用modsecurity的主机的location下面加入下面两行即可:
4 }7 y4 {! C! u+ |4 y, D3 y/ ]7 Z6 C# I# g, W
ModSecurityEnabled on;
: d" X2 f! v9 @% fModSecurityConfig modsecurity.conf;1 k6 R1 I4 n: J' f
下面是两个示例配置,php虚拟主机:8 l+ ~0 D( E. A
8 J+ P' A: _. t8 p4 a% C: k& l) iserver {" I" o h" Y- {" c" x7 u" I* K
listen 80;
: R; W+ O, `0 p; q; s& P server_name 52os.net www.52os.net;' p, r) ~$ b ~3 K9 _) h3 D' s
; X; C9 R0 E3 v' E7 q location ~ \.php$ {( l$ M& @5 ?' H
ModSecurityEnabled on; 5 |5 R( f, v( g3 W* O
ModSecurityConfig modsecurity.conf;3 g$ x; e. w" J) W1 h. C
, z5 {! ]: H6 k2 O% a/ |( [2 n8 p root /web/wordpress;
7 J& l8 m. a$ K/ d; m# ]5 W! S# ] index index.php index.html index.htm;5 q- u! O* x; p8 R }# Z
( R6 B% j9 r4 V fastcgi_pass 127.0.0.1:9000;- C1 a5 n- ~' _" w
fastcgi_index index.php;1 |+ z* n, s b+ _$ a& b1 }/ d
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
7 U' F( _6 z' {' Y6 w, e, N- j+ p include fastcgi_params;
# t3 a( P: K- I }1 F; s, ?4 @7 ~
}' c2 D# n9 m' r( z4 Q. F4 D; b+ g, h/ f
upstream负载均衡:
' e2 c! o- l9 O9 @$ \5 w3 O6 d g
% p5 ~3 c+ S4 M6 @2 O4 S7 c$ cupstream 52os.net {
3 b% n; H5 d5 `9 f# b server 192.168.1.100:8080;
8 g) P/ K1 d: z7 \ c3 o server 192.168.1.101:8080 backup;
/ j- U& F9 v, q4 `, G, V}
& B- A& N2 N1 C3 \/ G6 r
7 ?. a# Q; P" [3 Gserver {
9 v6 j, ?9 T1 mlisten 80;
: }& I* @, X) f9 dserver_name 52os.net www.52os.net;
9 R0 E& K l W& r( }$ Z, E+ m. }+ }- G& o+ \7 Z# t3 ]$ s; t
location / {8 M) f! N& a. n: L
ModSecurityEnabled on; 8 R, y1 ]. o8 A; u, c9 W
ModSecurityConfig modsecurity.conf; # s3 g4 E8 P. J' c8 d7 G
! |. L" K1 {& k) @' E0 y proxy_pass http://online; H4 I" R) j& S
proxy_redirect off;4 R! s8 s, _8 r/ W5 z) \! s
proxy_set_header Host $host;
* D( i1 q0 ?' p- C4 x, @ proxy_set_header X-Real-IP $remote_addr;( N# S. \+ _! {8 d3 b: N
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% m* p& I) J+ X }: h: p. ^( U2 k. d
}
z2 @3 _9 y7 \+ {6 d% b六.测试
; {6 c( {2 ?$ X5 Q- A0 I( P6 g T6 n9 s" Y8 @
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
, Y0 m* g) m/ s0 g4 y
( O" M- `7 H8 V, l% g ^) g$ V<?php3 i& e0 \- R/ E& s0 C& ~
phpinfo(); 2 ~1 _4 j( V; c8 z
?>
7 a! }' X& M. ~" P f' g在浏览器中访问:
6 s9 c* B- |" B& r; k' T4 ?7 R) ~) Z% l
http://www.52os.net/phpinfo.php?id=1 正常显示。. {7 U2 f% j5 z# G; m, @- {
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
; Y5 ]" R9 K, }, t2 W0 E+ v3 Yhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
' ?* Z) S3 s* o5 J# P, z' V$ u说明sql注入和xss已经被过滤了) ]4 C; d j5 i, e7 {
+ o/ c$ s# L W5 i, F. b/ r& s' m七、安装过程中排错
4 e3 U5 z9 U- ?- q1 _/ t+ P- E4 r) J4 A# K: E: h. ?& F
1.缺少APXS会报错
& ~; o* d% @3 I6 s' \5 u# c4 C
; x- z" N. b4 a' D+ Zconfigure: looking for Apache module support via DSO through APXS c. d# M3 V. h# H% g
configure: error: couldn't find APXS
& t" e/ a9 H2 |apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。$ p; l* j {1 a1 Y& d
解决方法:9 Y2 u! j( G# D( d) A
! g9 ]1 f9 q' Y1 Pyum install httpd-devel
, v% @3 p# C. b$ C2.没有pcre
$ [/ |% a- [- y5 k" E1 i3 n, y \$ \6 z! K7 Z: W2 U1 _8 C* s& B
configure: *** pcre library not found.* b# R: P2 J/ s( A- E- h4 R
configure: error: pcre library is required
- H! [7 R4 b) D. D5 `' W解决方法:/ q) Y: ~3 q, ?! b
+ }9 K2 f. B& v3 x1 }! s& u& byum install pcre pcre-devel8 h0 j" E+ k0 s: }! H, O
3.没有libxml24 d5 Q4 w- L: [( u/ k5 ]3 K S5 H
/ @. R- H0 T# _- {& o. p
4 K8 c @3 T6 E) c1 [* Sconfigure: *** xml library not found.
5 z6 j# n6 A2 `& Sconfigure: error: libxml2 is required: m- Z/ O( x+ e$ k& \
解决方法:. Q" s1 k$ |3 w# x' U1 \
, c/ E" B" G) B, U# Vyum install libxml2 libxml2-devel+ s* x5 E- v# k
4.执行 /opt/tengine/sbin/nginx -m 时有警告
, x* i8 P! S Z4 n4 Q: [+ Z' ]
' W! D4 ^& i1 w8 X/ @Tengine version: Tengine/2.1.0 (nginx/1.6.2)5 U% d9 C# S# U( C1 y% X
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!! L3 s. b& h0 d' _- A1 z. B. y6 q
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log) g# m+ d# x% S6 t1 A- }) G. u
7 T9 X" B1 q4 A) L! C A
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.' W/ S7 h% t' ^& v3 M
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9", O& W( P. g" t1 C
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!/ c* B7 h2 G `# J1 Y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
9 @8 H: j7 }, y2 E5 T2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
: O' {' t# ]4 \4 u# L; S2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
5 w3 M- o, N+ l, l解决方法,移除低版本的APR (1.3.9)
( M" V6 J; f& N/ s4 e1 V7 t4 |
. ~9 l) a! i$ Q# y& Byum remove apr" y; D. R0 ^- r% `! ^( T
5.Error.log中有: Audit log: Failed to lock global mutex
3 r( h: A5 B# q4 b# s r. m1 G+ Q1 N! x% r/ n
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 0 K( [3 s% v" J4 M; m. m
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
( {0 |: ?4 ]$ c0 z2 t. W- o( J解决方法:
& P6 Q( e$ Q) f6 ^/ d8 S+ Y编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:$ g8 q/ I7 G, U& Q1 @
; }* P$ I( q3 ^! O3 T* q
SecAuditLogDirMode 0777: l. f" y0 ` F7 d1 [2 ?
SecAuditLogFileMode 0550+ P$ l' c- t6 i
SecAuditLogStorageDir /var/log/modsecurity, V( G5 o7 ~8 Q
SecAuditLogType Concurrent, \0 d D: H k: t2 D* @" ~3 G
参考文章:# c) R# C8 q' o6 ?
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
5 W4 b/ W% S; O6 Y: uhttp://drops.wooyun.org/tips/2614 |
|