ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs/

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

After the standalone build, the ModSecurity module can be added when compiling nginx through "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is designed to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet particular needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules in them as needed; a rule file is enabled simply by adding an Include line for it to the modsecurity.conf that nginx loads:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name is what proxy_pass below refers to
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

We have enabled the XSS and SQL injection filters, so malformed requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Visit in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
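To make the three browser checks repeatable, the script below (an added example, not part of the original article) sends the same requests to a base URL given on the command line, defaulting to http://www.52os.net, and reports whether the benign request was served and both probes were blocked. It assumes phpinfo.php sits at the site root as set up above; the fetch function is a parameter so the verdict logic can also be exercised against a stand-in. If all three requests come back 200, the engine is not blocking (SecRuleEngine still DetectionOnly, or the CRS files not included); if the benign request is blocked, a rule is too aggressive for this site.

```python
"""Smoke test for the ModSecurity + Tengine setup described in this article.

Added example, not part of the original article. It replays the three
browser checks from the testing section against phpinfo.php and verifies
that the benign request is served while the SQL injection and XSS probes
are answered with 403.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# The three checks from the article: (name, query parameters, expected status).
# Parameters are URL-encoded by build_url, as a browser would send them.
CHECKS = [
    ("benign request", {"id": "1"}, 200),
    ("SQL injection probe", {"id": "1 and 1=1"}, 403),
    ("XSS probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url, params):
    """URL for phpinfo.php under base_url with the given (encoded) query string."""
    return base_url.rstrip("/") + "/phpinfo.php?" + urllib.parse.urlencode(params)


def http_status(url):
    """Default fetcher: HTTP status code, including error statuses such as 403."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0  # unreachable host: counts as a failed check


def run_checks(base_url, fetch=http_status):
    """Run every check; return (name, url, expected, actual, passed) tuples."""
    results = []
    for name, params, expected in CHECKS:
        url = build_url(base_url, params)
        actual = fetch(url)
        results.append((name, url, expected, actual, actual == expected))
    return results


def waf_is_blocking(results):
    """True only when the benign request passed and both probes were blocked."""
    return all(passed for _, _, _, _, passed in results)


if __name__ == "__main__":
    # Usage: python waf_smoke_test.py http://www.52os.net
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"
    results = run_checks(base)
    for name, url, expected, actual, passed in results:
        print("%s  %-20s expected %d, got %d  %s"
              % ("PASS" if passed else "FAIL", name, expected, actual, url))
    sys.exit(0 if waf_is_blocking(results) else 1)
```

The exit status makes the script usable from a deployment pipeline: a non-zero exit after a rule or engine change means the WAF is no longer behaving as the testing section describes.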

VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m gives a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr
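These notice lines are the easiest place to catch this class of problem after any rebuild or package update. The parser below (an added example, not part of the original article) reads error.log lines in that format, pairs each library's compiled and loaded versions, and reports the ones that differ; the article's own excerpt is embedded as the sample input. It ignores the build date PCRE appends to its loaded version, which is not a mismatch, and libraries that report no loaded version at all, such as LIBXML here. The log path in the usage comment is an assumption based on the /opt/tengine prefix used above.

```python
"""Report compiled-vs-loaded library mismatches from ModSecurity's nginx error.log.

Added example, not part of the original article. Reads lines such as
  ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
and returns the libraries whose loaded version differs from the one
ModSecurity was compiled against.
"""
import re
import sys

# Notice format as it appears in the article's error.log excerpt; the
# "loaded version" part is optional because LIBXML only reports a compiled one.
NOTICE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z0-9]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)

# Sample input: the error.log lines quoted in the article.
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
    '2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.',
]


def normalize(version):
    """Keep only the numeric token: PCRE reports '7.8 ' at compile time but
    '7.8 2008-09-05' when loaded, and the appended build date is not a mismatch."""
    tokens = version.split()
    return tokens[0] if tokens else ""


def parse_versions(lines):
    """Map library name -> (compiled, loaded); loaded is None when not reported."""
    versions = {}
    for line in lines:
        match = NOTICE.search(line)
        if match is None:
            continue
        loaded = match.group("loaded")
        versions[match.group("lib")] = (
            normalize(match.group("compiled")),
            normalize(loaded) if loaded is not None else None,
        )
    return versions


def find_mismatches(lines):
    """Return only the libraries whose loaded version differs from the compiled one."""
    return {
        lib: (compiled, loaded)
        for lib, (compiled, loaded) in parse_versions(lines).items()
        if loaded is not None and compiled != loaded
    }


if __name__ == "__main__":
    # Usage: python check_modsec_versions.py /opt/tengine/logs/error.log
    # (assumed log location under the /opt/tengine prefix; without an
    # argument the article's sample lines are checked instead)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    mismatches = find_mismatches(lines)
    for lib, (compiled, loaded) in sorted(mismatches.items()):
        print("%s: compiled against %s but loaded %s" % (lib, compiled, loaded))
    sys.exit(1 if mismatches else 0)
```

Run against the sample it exits 1 and names APR only, which is exactly the warning nginx -m printed; after the fix in this section it should exit 0.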

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

The serial audit log is written through one global mutex that the worker processes cannot lock when they run as a different user from the master; the Concurrent type writes one file per transaction under SecAuditLogStorageDir instead. Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614