|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
a5 J/ T9 a# N0 r3 N* E
: A5 Y, s' P2 u8 V) Z一.准备工作. G' j7 O1 E8 R$ [' ` [) P5 C
3 p1 R6 s" F9 _0 S' f0 P
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
; `) D1 W6 J8 v+ {
: Z7 f9 v c. V- Ytengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
. M$ f8 a, h, r& \1 [% P2 R( d' x. F/ F+ Q: k
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz; Z7 D- O2 [+ i, P s- f; q
# x, n6 B9 j r9 P
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
6 r9 N9 x' R; \# b/ f& V/ N8 e
6 s6 J: o. h. y( Y9 C依赖关系:& ~1 m2 i5 t+ N8 P3 H+ V
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:% E2 A! U+ [2 k& Q+ z3 m
+ M) m' v1 A1 p5 D8 t
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
: G/ l) M7 ]* K' P0 w3 l3 qmodsecurty依赖的包:pcre httpd-devel libxml2 apr/ Q8 q6 \: g# ?! m/ j! ]
2 Y8 {. v3 ^6 c) M! e
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel$ [! T+ v6 k+ N# `
二.启用standalone模块并编译' p( u1 U1 A' b; X
5 c4 `+ E3 K' w2 Z( B0 }1 I+ s下载modsecurity for nginx 解压,进入解压后目录执行:0 n# j: F% T! N7 ?, ~2 W
! x8 K% Q. D# x+ M F( V
./autogen.sh
* ~2 T: p1 z- r+ |./configure --enable-standalone-module --disable-mlogc7 {, m- s% M2 @
make " d$ H& R2 o0 \ z
三.nginx添加modsecurity模块
9 a! ]( I: a( B# j3 m) D1 c+ e
6 j. P6 S6 b' \, o. ]) z在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
; @3 Y) y: \: }2 y6 m8 c
6 l( ~! [0 v9 c& b2 y | \' D./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
% ^( q8 k- c$ M4 \make && make install; D2 B( q- S. y
四.添加规则! l4 ?; M5 L, H
" i6 E" [: p# R9 y4 gmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。6 [ [1 J6 N$ t* g/ _
6 D- X# f: d, z- m- i( X! I4 |, V7 ]1.下载OWASP规则:
' D( {, T/ C) r U7 R8 Z1 R
5 c6 ]) O \% F" `6 j3 Agit clone https://github.com/SpiderLabs/owasp-modsecurity-crs5 _7 j' y4 W: o% ~4 c
( L. A8 U7 c q3 Cmv owasp-modsecurity-crs /opt/tengine/conf/% I5 \( X! r. ~1 k& c) S
* l$ k5 r$ k$ T
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf, z1 }. g4 p8 N. K" Y
2.启用OWASP规则:" Z# @) K- R Q# v+ z: V
" W/ i% O- o2 e, v( k复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
: u. x/ E5 i7 a2 r3 f% C' m" P3 g- f) C/ ~
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
$ h# q. O, `3 J; `" W
- t5 [ _! B+ I( gowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。. S6 R8 D% w9 K0 m4 R7 k
, H7 Z' M% a9 w1 J2 h: y+ b& W
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
8 b, G9 X7 y- K! F2 t9 fInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf7 ]0 J, Z# o |. p0 p' |
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
8 H' X5 Z* p5 b$ ~6 v' @& j( r( A3 A2 FInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf7 o8 B7 ` _ S7 r. a* G5 Y
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
5 t: g+ o, x8 V7 B/ u uInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
$ t: m/ F" p G( V* B) FInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf1 K' ?( C5 ~6 ?
五.配置nginx
3 k8 i4 U6 M! v8 l- g
! @4 v, n% k' R/ U在需要启用modsecurity的主机的location下面加入下面两行即可:& Y' k. i7 P f6 B- D, ~0 f$ V7 m
" b& T* u7 ~8 M, C4 c
ModSecurityEnabled on;
- v0 \$ a9 W6 P0 Z' TModSecurityConfig modsecurity.conf;
B" b6 I1 b8 I# s( M( O! H下面是两个示例配置,php虚拟主机:
7 m* u% v' V5 n" q
' t7 N% u, C5 i3 {6 j1 m; F4 Gserver {$ j. d0 W& i- S1 _% m
listen 80;* c; I+ u% o2 H, a
server_name 52os.net www.52os.net;; P# \; t+ G3 T9 s3 b6 i( V) O
+ d# g2 G: }/ ~* a0 g* w7 ?& I
location ~ \.php$ { j' W' J9 Y3 t
ModSecurityEnabled on; ; d' s( s7 d6 k2 ?9 c
ModSecurityConfig modsecurity.conf;
8 v" [8 ~: ]' b
; T3 S Q# _. x* J8 ] root /web/wordpress;, \$ {2 `6 Q( X K& A/ _6 S* w" R
index index.php index.html index.htm;3 j# z! v7 P, }2 _% `7 {. J
) f3 `7 O9 h) l" j: W( z fastcgi_pass 127.0.0.1:9000;
) l! F7 W: n$ V7 E! c7 M6 u fastcgi_index index.php;
( G) n2 n+ v9 ^+ X4 L fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;- b- Y; j; `; g. L0 j
include fastcgi_params;0 c `! ?" a# h- X. @& @( W
}+ y$ s ^' o" v J
}
$ J; g) T( ^7 X' R: \+ G4 ?upstream负载均衡:: w& t* C9 i9 o( T
+ U0 [" W) `$ O- ~1 U* H* J `: L: c
upstream 52os.net {- J/ s2 j: n5 [$ q2 _) }
server 192.168.1.100:8080;
( `* r6 V/ x; u T3 H server 192.168.1.101:8080 backup;
$ @# h" A- | _- o5 z$ k( q}, o, E! m; L" {
/ ^; ?+ X6 C/ f3 y+ o- ]0 q& Hserver {
7 F* o1 n. N/ o: L" Xlisten 80;4 ^* ~5 X! P; E) x' g: `* Y1 s2 p7 D
server_name 52os.net www.52os.net;; J- o8 A$ k$ y) ?; m6 C7 Q. H
- e) }* w' y$ l/ @0 ? [9 b$ m8 x. v
location / {
2 m; p" K. ^+ g' k ModSecurityEnabled on;
9 t; Z/ N1 f2 G7 z8 e" N, {# P) C ModSecurityConfig modsecurity.conf;
$ O# B7 `& P4 I. a
0 F4 r" F5 ]9 U- O- ?2 p proxy_pass http://online;+ ?/ W4 \$ [- s9 k$ o
proxy_redirect off;
" g2 J% Q% w' y proxy_set_header Host $host;
. _# T2 u" ~: ?; {! Q9 O+ f proxy_set_header X-Real-IP $remote_addr;" h B0 ~1 v( K
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# M" h) { |8 {3 P: P3 ^
}
/ d4 D6 n* D1 @6 h/ `}
5 a! d& m1 O4 K' I六.测试
8 Q( h' M8 \! ~! Y# \7 H) ?" O" K/ y/ R3 g% z. Z. N
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:8 J+ N1 l/ J( E/ I( h* b
' P9 w% D- X1 ~" l" P7 v; D" b( s; V
<?php2 W( r/ y% {) l1 }# j" A2 V
phpinfo(); + X l4 c. @ D2 W' b5 R, \
?>0 j# @6 ^- Y. ~. N: o" ?' k
在浏览器中访问:5 I. M7 t! N+ K5 d4 W" @+ r
% l1 _5 L! w/ i8 Y; U
http://www.52os.net/phpinfo.php?id=1 正常显示。7 Q! I1 Y Y( d+ n
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。+ ?2 b3 u @) g
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。+ v' `8 @9 [* Y7 u
说明sql注入和xss已经被过滤了5 O, O; P2 @% d7 y3 ]+ e. y0 W
( G) V5 {. c) \( p# e9 P# i6 t
七、安装过程中排错# u- f( w$ ]6 H( V" F& u
W3 V% p* X4 \
1.缺少APXS会报错; {7 S$ u X8 [3 K! {/ T& {# W
: j$ K0 A, a. B$ [
configure: looking for Apache module support via DSO through APXS
0 v3 X' A+ c6 k5 O* q0 qconfigure: error: couldn't find APXS
' c7 B# n" K9 \. R* n9 _apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。7 p" n) _% v9 W7 H6 S% r' v# w
解决方法:
" P2 h* G( W2 W) m- N$ i9 f5 i% C8 P9 j5 j: d' C: o4 t- @
yum install httpd-devel% A: M$ g! z! F% B6 A( W S7 D+ `
2.没有pcre* h7 T) Z9 G* V3 u/ _8 z" c9 A
3 I( @" |& l7 Y( @: @, z7 Bconfigure: *** pcre library not found., m' h# _2 u+ W
configure: error: pcre library is required
$ |" g: G: c$ ?; a: X解决方法:9 K7 A3 |( s# b1 X' u
/ c7 g9 I$ O; L8 F: o7 G; D
yum install pcre pcre-devel( d1 E* j! @6 q$ K1 I. ]
3.没有libxml26 B; n; {6 T" H6 T) k# } C
- c' n* h4 @0 K, ~. Y! g- j* Y \: {; `$ G
configure: *** xml library not found." U( h% i" M# ^$ W+ E1 v* ^" q' b
configure: error: libxml2 is required& W* e" o7 K/ d
解决方法:" e7 N; t4 H, J" r2 Q1 G) Y
& ~' k6 A }3 l$ |9 V; _yum install libxml2 libxml2-devel5 C& J& |! x* h2 l
4.执行 /opt/tengine/sbin/nginx -m 时有警告
! f; M, ]8 }) k0 K; p' z. n- Q9 l4 |% q# W* U2 _; @
Tengine version: Tengine/2.1.0 (nginx/1.6.2)( ~' Q# _& q- D1 f+ e. D+ U$ M
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
k$ t/ u R; u6 Q8 c. b原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
4 d1 Z; d, v1 m3 r1 v7 q0 }. @0 }: q" w0 B) U3 f) q: m# |* t
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
7 o( t% y& f4 Q# o' X2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"' g- U) U( M/ H" O% M% ^6 D& d
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!+ M; |: ^3 f& c* b& S
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
/ O7 e& u3 y1 ^, E; I G4 ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
! v1 H# J. O. d4 L, E" e$ ]2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
; \1 M J k) [0 w$ {解决方法,移除低版本的APR (1.3.9)
8 M/ M0 E) q) `/ @" k9 D" A) [) U2 d) R* l) k: @ _
yum remove apr
9 ^. ]' b6 F% t! l! J5.Error.log中有: Audit log: Failed to lock global mutex$ g0 Z, G& |) g( ~/ }( [
( m T5 W# p3 f, X& ^2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
. O( @- N# @6 I9 W% H: i2 }global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
5 N5 ~0 b u0 F. t解决方法:
6 `9 k5 y3 u L/ A0 Y编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
, s, \5 ]9 W% f+ R Z; @9 `% n; N; _. m' N6 i. U9 B( F+ s
SecAuditLogDirMode 0777) Z0 N6 Q' y- N3 \ r
SecAuditLogFileMode 0550+ y0 k9 E! ^, N* S! l5 E+ Q, R
SecAuditLogStorageDir /var/log/modsecurity
) @, p6 N- e; @( f7 m# N. TSecAuditLogType Concurrent
" j! C5 Y2 n) I. B# A4 ?参考文章:
+ ]* M7 T F- H6 M: Shttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
, `8 h5 D4 E* P! V- Y0 S8 hhttp://drops.wooyun.org/tips/2614 |
|