|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。$ P* m6 g! I' q9 z$ `0 f! @7 `+ L
5 {, h/ ]7 L: i
一.准备工作# R8 Y' i4 m/ n% e/ w# ]
. X* d7 S9 T3 Q- |/ ^3 e0 r
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
; T0 X5 ]( H i2 g. \6 K* U& w4 L& P( ~- S" t! l2 N
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz% T! M( H. }5 t9 e% P5 B
9 y6 C7 t3 Q. Gmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
) g& ]( `* Q+ P
S1 O7 q3 O) Z- R- f0 V4 @; mOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
2 r0 \5 s# j: r* N2 E: {1 Y; [# y/ A. ?* t/ Z
依赖关系:
" k" s2 w- m: a: T4 e9 k: h& gtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
( g+ L$ |& O! z+ r& A/ t8 E' i. R9 _ i) h: }$ l
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel/ G' p. v8 O* l/ P% o/ Z
modsecurty依赖的包:pcre httpd-devel libxml2 apr% j! q! f2 ] T
% {: D8 s0 d. m N& V; hyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
4 d6 I; i+ }; C$ S' I$ i& w二.启用standalone模块并编译, G9 x- Z. L& y% `, t
! N% O7 E7 p; h) i% r: c$ J下载modsecurity for nginx 解压,进入解压后目录执行:
% g: q' {8 f% |
! f; l U% g/ M2 P d/ V; C; |+ x./autogen.sh
! Y1 v I& z- ]7 S2 d G6 p$ p# a./configure --enable-standalone-module --disable-mlogc
4 u& K' I# k# ]# a$ {0 Bmake 5 f1 M& c; M' I I8 ]5 P
三.nginx添加modsecurity模块" R( K% }: T$ N, l& \6 H+ o
% J' A0 f4 T0 ~6 z/ _" f7 l在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:! Z$ n4 X2 J% g! T+ ^0 _; B8 u
c6 d$ p2 F" I
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
& d9 P v8 X+ c' a% H7 o! qmake && make install
& L8 C1 C% }8 \9 ~6 j四.添加规则) A4 v* ]5 }2 N* W/ g3 f
$ v" l6 G; `& q( j8 [; {modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
: l5 Z. V. I- m8 I) ^7 @4 C9 d# p/ L
, U$ e, A! o/ n& @: f! L1.下载OWASP规则:) `% _- ]- P5 T2 v! N/ n7 Q
2 ^: Z0 n0 ]) q3 j' j6 l
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
5 r; ?9 G0 S( i5 w, N# X- r( V; B$ j- s8 u; F
mv owasp-modsecurity-crs /opt/tengine/conf/, |4 w, x a" c
3 [" X% g H" x( \5 {3 X) scd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
" t ~/ n/ |' H* [" ^2.启用OWASP规则:
4 Z& x2 A8 O. Y J+ V2 O; F7 _" N0 G2 M
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。" i* s9 u; O; E# k' x( H! Q
2 ~' d) K. v/ Y0 p- T/ v T编辑modsecurity.conf 文件,将SecRuleEngine设置为 on# X/ Q& {+ a0 ?- t. O6 g
8 S q# @$ [' K+ z: Nowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。+ S+ a, E8 |; @) Q3 Y
2 E3 Q- M8 i9 e
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
3 _: M/ O0 N xInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
, D2 O% ~+ N4 v4 UInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
) o( x, ~& }8 w, EInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
! A$ ~" ^$ G; a7 jInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
1 B; p2 v1 ?" Z1 }Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf. T2 ?7 z) n; \! }) V
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf, K9 Y" ~" ]4 x1 ?, x; l# T: V
五.配置nginx3 b3 {3 `9 m9 M$ L% ^: `& ]
0 P) r' `' J7 S, M2 c/ \# l+ M3 M
在需要启用modsecurity的主机的location下面加入下面两行即可:
1 }( R: }( K/ V; W s. I/ g# }; }$ U3 ?9 i+ @% e0 \
ModSecurityEnabled on; - W N2 n7 u( Z- c |
ModSecurityConfig modsecurity.conf;* j0 C2 K. ^) P0 ^9 }1 m
下面是两个示例配置,php虚拟主机:
: b$ o% }* d1 p0 p+ g9 |, C) ]3 B1 h+ w, l1 D" h9 ^ {3 c9 c$ t8 \
server {
% v3 i4 F) W' y W1 V3 c* M' F listen 80;6 m/ e) m) T! h5 S2 H6 K( h
server_name 52os.net www.52os.net;* U, @2 S2 n5 s- u
# j: Z( _5 [( |- F9 y, F# h1 D location ~ \.php$ {
/ X2 c% j0 _/ v+ x; I ModSecurityEnabled on; 0 a( W4 H5 P% ^* K6 j
ModSecurityConfig modsecurity.conf;
5 a& _2 E0 A) f: H2 D: x4 [
) W& T6 l/ S' f) |2 t+ y root /web/wordpress;
! M7 m+ K1 R$ g% u% o index index.php index.html index.htm;0 C" v' C" C7 s/ ]2 g
2 s4 P6 E7 T( I
fastcgi_pass 127.0.0.1:9000;
4 o+ U7 V, ^1 p6 | fastcgi_index index.php;
6 b( M; E5 u* N! I fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;! y3 k- W. T# m! [. x3 n" r! Q
include fastcgi_params;
7 y* ]3 s) h( @& ` c% t }
+ X% y* h/ j5 I9 O* A- T/ @ }) B& \& k/ W4 w6 H M
upstream负载均衡:
, Y5 F' ?$ }! U& P9 f v" _5 C: [4 N1 D! F- m+ N' v, v3 J
upstream 52os.net {
8 X. V" L$ w- Q* P6 f) o server 192.168.1.100:8080;
1 R7 X' L+ Z* J q) P; g. I server 192.168.1.101:8080 backup;: f0 x8 m" w1 T* ~) G& x6 t
}$ y) s& T4 g! G
+ C0 S5 S0 r4 @# \server {5 M+ q' S+ n5 |5 x9 ?7 H9 u
listen 80;
+ _) \; c$ h) x& u: O! Mserver_name 52os.net www.52os.net;3 F5 h& [% o; W1 l) b6 U F
3 ]* w; x$ N& h9 [0 U$ l
location / {$ d& v* G( K7 l6 R: R
ModSecurityEnabled on; k8 t2 W! m) T3 c& A& I
ModSecurityConfig modsecurity.conf;
; j8 ~. _( o. _: A+ a2 l* V# }
4 g5 t) ^* Y% l* P. @" m5 q0 ~ proxy_pass http://online;$ `; U4 F2 J4 q
proxy_redirect off;9 t, A4 [. _" C/ Z2 I' i
proxy_set_header Host $host;
( a+ }% u. j0 \ proxy_set_header X-Real-IP $remote_addr;
& Q6 T8 v$ L# t' g! x3 Y- E4 f proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ y9 _" I9 E' n R5 P# p3 ^- R* Z }* p8 {! _/ O, z6 F* x. ?# ?
}
6 |3 e2 c R. k1 v7 d$ z六.测试/ ]) u& ~" B X! v+ Y' p# l3 A" t
# l5 q2 u. P% |( ~我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
9 B0 N; L, Z4 T: s
1 L& l0 Z# M+ e9 V<?php/ `( @/ |* u& C, R/ C, y" V( E
phpinfo(); 7 C0 G- S5 A3 \3 p; D: r
?>
& Y" i7 c7 d# d- P/ I& n在浏览器中访问:$ q- u) R& j( Q- d1 H$ i
* |: n: \6 N3 l$ K
http://www.52os.net/phpinfo.php?id=1 正常显示。7 X+ M; Y5 f6 n9 z
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
$ J. T0 i2 _$ D: S# m Zhttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
1 T0 j7 O8 S4 }! r6 V说明sql注入和xss已经被过滤了
- Y2 f" ?5 ^8 L7 V% S& ]
4 ?. \0 p6 P6 S# j- S, n4 H七、安装过程中排错# M1 k: [3 O- ?% _" H! N) x9 c: K' s) [
, O' i, z& A( e# P3 m% o. E1.缺少APXS会报错
( p" b( `, _5 b# }8 D% W0 s' e* b/ A3 T
configure: looking for Apache module support via DSO through APXS
; x/ b! `( S* D' ^% N% K. h8 ?configure: error: couldn't find APXS) r5 g5 w3 C6 I3 t* S
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
" o. E2 _5 K& M5 s9 t# p, _& e) |解决方法:/ F( O7 `" `( `2 s8 g
- P: o6 n( N0 n: D/ C" m' ryum install httpd-devel
* B) S- v; Q5 o4 s+ ]2.没有pcre: u% Y5 J0 m3 P1 r4 O
( X, ]/ G0 I) d
configure: *** pcre library not found." m0 |1 j, k5 p
configure: error: pcre library is required1 e7 }! { d# q" A8 U' i9 y9 S
解决方法:
# a2 @: i- e. R0 g3 c ~3 U( K
! k- y7 H0 D) T. i0 j. \" ^7 Wyum install pcre pcre-devel8 u+ w$ |. o+ N/ U
3.没有libxml2
, v0 O b( u( z' ?" |& M! Q, p1 o( ]# H1 j$ L
0 [# I# [. p- K: c$ d9 J* N
configure: *** xml library not found. g( O% q3 m, A) i# ~
configure: error: libxml2 is required
& _6 U8 I/ N9 G' b' e- O! t- }/ w解决方法:
8 z: Y+ G$ n4 H/ Y) R' h0 I4 Z9 o. G' X0 d
yum install libxml2 libxml2-devel/ S1 Z" V; S7 [# _. y6 z/ x) K2 p
4.执行 /opt/tengine/sbin/nginx -m 时有警告
6 v9 @, Z' V S$ g: I; e
k0 |3 A3 N- e* \7 wTengine version: Tengine/2.1.0 (nginx/1.6.2)
# J E; b. F8 @6 q) lnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
8 K$ ^0 B- U! ?8 H! J原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log$ y6 m+ D: }/ _, {+ x# Y
4 f7 T4 P9 |& }( s
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.: E9 \( p5 X J3 d# _7 F1 O
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
, V) p# j( i; y$ }8 @# x9 q2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled! j7 w% Q, D, q. X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
0 |5 t1 ^8 N( v" P9 T: K; ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
6 L& L6 V/ @7 Y8 h2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 h' o% T4 s: M" ^. w0 _
解决方法,移除低版本的APR (1.3.9)
+ [0 c* R. w# E; v# Z6 m3 b/ g
& k# F" v- b0 K Cyum remove apr: @- F! O9 K* O7 L) r
5.Error.log中有: Audit log: Failed to lock global mutex' m, o+ k/ t$ m/ {
0 C4 k: U; s( b9 X/ ^( B+ J, q* I
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
5 z+ M4 O: q6 A) e" Q3 iglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]9 }( Q/ _( V" _; z/ R3 U, t! G6 J
解决方法:
& Q. R- @# ^( |5 M# e, y" `编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:# \5 ^% ^5 n/ W3 `3 \) Q n* }
; ?, @, V7 o' nSecAuditLogDirMode 0777' E$ K% Q$ e( E! m8 B
SecAuditLogFileMode 0550# f: p5 E0 N9 g; Q
SecAuditLogStorageDir /var/log/modsecurity
1 x0 A( g% F+ j9 F! y% n; W7 {SecAuditLogType Concurrent
I3 f: x U7 E8 K5 U9 K- O6 m6 m参考文章:0 u- R/ a/ d2 r+ Q% t3 b" b) c7 f% Z
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX; F; P; [1 _7 r6 j
http://drops.wooyun.org/tips/2614 |
|