ModSecurity was originally an open-source WAF for Apache that effectively hardens web applications. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can also write your own rules to cover whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding an Include for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
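The article mentions that custom rules can be written alongside the CRS. The file below is an added example (not from the article or the CRS project) of what such a local rule file looks like; it assumes it is saved as modsecurity_local_rules.conf next to modsecurity.conf and pulled in with one more Include line after the CRS includes. The rule ids and the network range are placeholders. Ids 1 to 99,999 are reserved by ModSecurity for local rules, so they cannot collide with CRS ids.

```apacheconf
# Added example: local rules, included from modsecurity.conf after the CRS includes.
# Run new rules with SecRuleEngine DetectionOnly (or with "pass" instead of "deny")
# first and review the audit log before switching to blocking.

# Rule 1: only allow the WordPress admin path from the internal network
# (192.168.1.0/24 is a placeholder). Both rules of the chain must match
# before the deny action on the first rule fires.
SecRule REQUEST_URI "@beginsWith /wp-admin" \
    "id:10001,phase:1,t:none,deny,status:403,log,msg:'wp-admin request from outside the internal range',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# Rule 2: positive-security check for the id parameter used in the test section.
# id=1 passes; anything non-numeric such as "1 and 1=1" is denied regardless of
# whether a CRS signature matches it.
SecRule ARGS:id "!@rx ^[0-9]+$" \
    "id:10002,phase:2,t:none,deny,status:403,log,msg:'non-numeric id parameter'"
```

Rule 2 is deliberately narrow: a whitelist of the value format for one parameter is cheaper and produces fewer false positives than tuning the generic signatures, so it is a good first custom rule when a CRS include proves too noisy for a given application.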
V. Configure nginx

In each location that should be protected by ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing (the upstream is named "online" so that it matches the proxy_pass below):

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered with 403 directly. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
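The three browser checks above are easy to forget after the next rule change. The script below is an added example (not part of the article) that turns them into a repeatable smoke test: it sends the same three requests and reports whether each got the status the article expects. The base URL is a placeholder for the host configured in section V; the `fetch` argument is injectable so the harness can be exercised without a live server.

```python
"""Smoke-test a ModSecurity-protected vhost with the three requests from the article.

Added example, not part of the original article. Assumes the vhost from section V
is reachable at BASE_URL (placeholder) and that the CRS SQL injection and XSS rules
are enabled, so the two malformed requests are answered with HTTP 403.
"""
import urllib.error
import urllib.parse
import urllib.request

# (path, query parameters, expected HTTP status): the three checks from the article.
CASES = [
    ("/phpinfo.php", {"id": "1"}, 200),
    ("/phpinfo.php", {"id": "1 and 1=1"}, 403),
    ("/phpinfo.php", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url: str, path: str, params: dict) -> str:
    """Percent-encode the query string the way a browser does before sending it."""
    return f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET the URL and return its status code; urllib raises on 4xx/5xx, so catch that."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base_url: str, fetch=http_status) -> list:
    """Run every case; return (url, expected, actual, passed) tuples."""
    results = []
    for path, params, expected in CASES:
        url = build_url(base_url, path, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results) -> bool:
    """True only if every request got exactly the expected status."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    BASE_URL = "http://www.52os.net"  # placeholder: the host configured in section V
    for url, expected, actual, ok in run_checks(BASE_URL):
        print(f"{'PASS' if ok else 'FAIL'} got {actual} expected {expected} {url}")
```

A 200 on the second or third case means the corresponding CRS include is missing or SecRuleEngine is still Off or DetectionOnly; a 403 on the first case means a rule is too aggressive and the audit log entry for that request should be reviewed before the host goes live.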
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also shows:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
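Items 4 and 5 are both found by reading error.log by hand. The script below is an added example (not from the article) that does the same check mechanically: it parses the ModSecurity startup notices for compiled-versus-loaded library versions and flags a mismatch, and it splits the bracketed fields of ModSecurity error entries so the audit-log mutex error can be spotted and attributed to a client and URI. The sample lines are constructed from the log excerpts in items 4 and 5; the comparison keeps only the leading numeric version, because the PCRE notice above carries a build date on the loaded side that is not a real mismatch.

```python
"""Parse ModSecurity startup notices and error entries from nginx's error.log.

Added example, not part of the original article. The sample lines are taken
from the troubleshooting section; run it against /opt/tengine/logs/error.log
(path assumed from the --prefix used in section III) by passing the file's
lines to the functions below.
"""
import re
import sys

# Startup notice: 'ModSecurity: <LIB> compiled version="X"; loaded version="Y"'
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# Bracketed key/value fields ModSecurity appends to error entries, e.g. [uri "/i.php"]
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")

# Constructed sample: the lines shown in items 4 and 5 of the troubleshooting section.
SAMPLE_ERROR_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
]


def version_number(raw: str) -> str:
    """Keep only the leading numeric version: '7.8 2008-09-05' -> '7.8', '7.8 ' -> '7.8'."""
    return raw.strip().split(" ")[0]


def library_mismatches(lines) -> dict:
    """Return {lib: (compiled, loaded)} for every library whose loaded version differs."""
    out = {}
    for line in lines:
        m = VERSION_RE.search(line)
        if not m or m.group("loaded") is None:   # LIBXML notice has no loaded version
            continue
        compiled = version_number(m.group("compiled"))
        loaded = version_number(m.group("loaded"))
        if compiled != loaded:
            out[m.group("lib")] = (compiled, loaded)
    return out


def parse_error_entry(line: str):
    """Split a ModSecurity [error] line into client, message and bracketed fields.

    Returns None for lines that are not ModSecurity error entries.
    """
    if "[error]" not in line or "ModSecurity: " not in line:
        return None
    client = CLIENT_RE.search(line)
    body = line.split("ModSecurity: ", 1)[1]
    first_field = FIELD_RE.search(body)
    msg = body[: first_field.start()].strip() if first_field else body.strip()
    fields = {m.group("key"): m.group("val") for m in FIELD_RE.finditer(body)}
    return {"client": client.group("client") if client else None, "msg": msg, **fields}


def audit_lock_failures(lines) -> list:
    """Entries reporting the audit-log mutex error from item 5."""
    hits = []
    for line in lines:
        entry = parse_error_entry(line)
        if entry and entry["msg"].startswith("Audit log: Failed to lock global mutex"):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_ERROR_LOG
    for lib, (compiled, loaded) in library_mismatches(lines).items():
        print(f"{lib}: compiled against {compiled} but {loaded} is loaded (rebuild or fix the package)")
    for entry in audit_lock_failures(lines):
        print(f"audit log not writable: client={entry['client']} uri={entry.get('uri')} "
              f"unique_id={entry.get('unique_id')}")
```

On the sample lines the first loop reports only APR (1.5.0 versus 1.3.9), matching the warning nginx printed, while PCRE is correctly left alone; the second loop prints the one mutex failure with its client and URI, which is the entry to look for after changing the SecAuditLog* settings to confirm the fix took effect.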
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614