ModSecurity started life as an open-source WAF for Apache; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be turned into a production-grade WAF and is a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build it

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Note that the path handed to --add-module is the nginx/modsecurity directory inside the ModSecurity source tree, not the tree itself. After installation, /opt/tengine/sbin/nginx -m lists the modules compiled into the binary; a modsecurity entry should be among them (the same command appears in section VII below).
IV. Add rules

ModSecurity filters and blocks web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, in which matching requests are logged but not blocked; leaving it that way for a period of real traffic before switching to On is the usual way to find false positives without breaking the site.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need with Include. The setup file has to be included before any rule file, because the rule files depend on the variables it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
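As an added example (not from the original post), here is what a complete modsecurity.conf for this layout can look like once the CRS is in place: it keeps the engine in DetectionOnly for the tuning period, uses the Concurrent audit log described in section VII, and shows where local rules and CRS exceptions go. Paths are relative to /opt/tengine/conf as in the post. The local rule ids 1001 and 1002, the patterns they match and the 192.168.1.0/24 admin network are assumptions for illustration (ids 1-99,999 are reserved for local rules by ModSecurity), and the commented SecRuleRemoveById line is a placeholder whose id you take from your own error.log.

```apacheconf
# Added example: a complete modsecurity.conf for the Tengine layout above.
# Not from the original post; see the lead-in for what is assumed.

# -- Engine -------------------------------------------------------------
# DetectionOnly logs matches as "ModSecurity: Warning." without blocking.
# Change to On once error.log has been free of false positives on real traffic.
SecRuleEngine DetectionOnly
# Inspect POST bodies as well as the query string.
SecRequestBodyAccess On
SecResponseBodyAccess Off

# -- Audit log, Concurrent mode as in section VII item 5 ----------------
# Create /var/log/modsecurity beforehand, owned by the user the nginx worker
# processes run as (the "user" directive; nobody by default).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

# -- OWASP CRS ----------------------------------------------------------
# The setup file comes first; the rule files rely on the variables it sets.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# -- Local rules (ids 1-99999 are reserved for local use) ----------------
# 1001: refuse requests for backup and dump files left in the web root.
SecRule REQUEST_FILENAME "@rx \.(?:bak|old|sql|tar\.gz)$" \
    "id:1001,phase:1,deny,status:403,log,msg:'Backup or dump file requested'"

# 1002: allow phpinfo.php (the test page from section VI) only from the admin LAN.
# In a chain the disruptive action sits on the first rule; the second rule only
# adds a condition and carries no actions of its own.
SecRule REQUEST_FILENAME "@rx ^/phpinfo\.php$" \
    "id:1002,phase:1,deny,status:403,log,msg:'phpinfo outside admin network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# -- CRS exceptions ------------------------------------------------------
# A CRS rule that keeps hitting legitimate traffic is switched off by id, taken
# from the [id "..."] field of the error.log line. This must come after the
# Includes. 950901 below is only a placeholder.
# SecRuleRemoveById 950901
```

Keep local rules and exceptions in this file rather than editing the CRS files themselves, so that a later git pull of owasp-modsecurity-crs does not overwrite them.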
V. Configure nginx

In every location that should be protected, add these two lines. Only requests that match a location carrying them are inspected; requests handled by other locations in the same server block bypass ModSecurity entirely:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two sample configurations. First a PHP virtual host (here only the PHP location is inspected; requests for static files never reach the WAF):

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing (the upstream name must be the host name used in proxy_pass):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, a malicious request gets an immediate 403. Using the PHP host as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS rules are filtering as expected. Every blocked request also produces a line in nginx's error.log naming the rule id and message that caused the 403, which is where to look when a legitimate request is blocked. Remove phpinfo.php once testing is done; it discloses the server configuration to anyone who can reach it.
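The error.log lines are what you tune from, so, as an added example that is not part of the original post, here is a small POSIX shell helper that pulls the client, rule id, URI and message out of the "Access denied" entries and counts hits per rule. The log lines it runs on are constructed for this example in the [key "value"] layout shown in section VII (shortened; the rule ids, hosts and unique_ids are illustrative, not taken from a real server). The waf_expect function is the curl equivalent of the three browser checks above; it needs the WAF host running, so it is defined but not run.

```shell
#!/bin/sh
# Added example, not from the original post: read ModSecurity denials out of
# nginx's error.log so the rule that blocked a request can be identified.
# SAMPLE_LOG is CONSTRUCTED for this example in the [key "value"] layout of
# ModSecurity 2.x error-log lines; ids, hosts and unique_ids are illustrative.

SAMPLE_LOG='2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(\d+)\s*=\s*\1" at ARGS:id. [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2015/01/26 04:21:12 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(\d+)\s*=\s*\1" at ARGS:page. [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
2015/01/26 04:22:40 [error] 61610#0: [client 10.11.15.163] ModSecurity: Warning. Pattern match "(\d+)\s*=\s*\1" at ARGS:q. [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcB0"]'

# field NAME LINE  -> value of the [NAME "value"] bracket on LINE (empty if absent)
field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_denials LOGFILE
# One tab-separated line per blocked request: client, rule id, uri, msg.
# "ModSecurity: Warning." lines (DetectionOnly, or rules that log without
# blocking) are skipped, so the output lists real 403s only.
modsec_denials() {
    grep 'ModSecurity: Access denied' "$1" | while IFS= read -r line; do
        client=$(printf '%s\n' "$line" | sed -n 's/.*\[client \([^]]*\)].*/\1/p')
        printf '%s\t%s\t%s\t%s\n' "$client" "$(field id "$line")" \
            "$(field uri "$line")" "$(field msg "$line")"
    done
}

# modsec_top_rules LOGFILE
# Hit count per rule id, most frequent first: the ids at the top are the first
# candidates for a false-positive review (and, if justified, SecRuleRemoveById).
modsec_top_rules() {
    modsec_denials "$1" | cut -f2 | sort | uniq -c | sort -rn
}

# waf_expect URL EXPECTED_STATUS
# curl version of the browser checks above; returns 0 when the status matches.
# -g turns off curl's {} [] globbing so payload characters reach the server.
# Needs the WAF host running, so it is only defined here, not run.
waf_expect() {
    [ "$(curl -sg -o /dev/null -w '%{http_code}' "$1")" = "$2" ]
}
# e.g.  waf_expect 'http://www.52os.net/phpinfo.php?id=1%20and%201=1' 403

# Demo over the constructed sample; on a real box point it at the nginx error
# log instead, e.g.  modsec_denials /opt/tengine/logs/error.log
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmpfile"
modsec_denials "$tmpfile"
modsec_top_rules "$tmpfile"
rm -f "$tmpfile"
```

Run against the real error.log after a few days in DetectionOnly, the top of modsec_top_rules output is the list of rules to review before switching SecRuleEngine to On.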
VII. Troubleshooting the installation

1. configure fails because apxs is missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even for the standalone build.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that only the version used at build time is left to load:

yum remove apr

yum removes everything that depends on the apr package along with it (httpd, httpd-devel, apr-util and so on), so read the list it prints before confirming. The alternative is to rebuild ModSecurity against the apr-devel headers of the package that is actually loaded at run time, so that the compiled and loaded versions agree.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

With SecAuditLog commented out and Concurrent mode on, each transaction is written to its own file under SecAuditLogStorageDir, so the worker processes no longer need the lock on a single shared log file that they, running as an unprivileged user, were not permitted to take (the index file is dropped in the process). 0777 makes the directory world-writable, which is more than the workers need: creating /var/log/modsecurity owned by the user the worker processes run as (the nginx user directive, nobody by default) with a mode such as 0750 gives the same result without letting every local account write into the audit trail.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614