ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency, it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, it can be added to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is built for filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include for each of them:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the server that should have ModSecurity enabled, add the following two lines inside the location:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $Document_root is undefined, $document_root is correct
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

upstream load balancing:

# the upstream group is named "online" so that proxy_pass below refers to it
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered with a 403 directly. Taking the PHP environment as an example, create a phpinfo.php with the contents:

<?php
    phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
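A repeatable version of the three browser checks above, added here as an example and not part of the original post: it sends each request with curl and verifies the status ModSecurity returns. It assumes curl is installed and that the virtual host is reachable at the URL in BASE (the post's www.52os.net by default).

```shell
#!/bin/sh
# Added example, not from the original post: re-runs the three browser checks
# above with curl and verifies the WAF's answer (200 for the benign request,
# 403 for the two blocked ones). BASE defaults to the host used in the post.
BASE="${BASE:-http://www.52os.net}"

# http_status PATH PARAM=VALUE
# Sends GET $BASE$PATH?PARAM=VALUE with the value URL-encoded (the "1 and 1=1"
# case contains spaces, which a browser encodes silently) and prints the status.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 --max-time 15 \
        -G --data-urlencode "$2" "$BASE$1"
}

# check_case PATH PARAM=VALUE EXPECTED_STATUS
# Prints a PASS/FAIL line; returns 1 when the observed status differs.
check_case() {
    code=$(http_status "$1" "$2")
    if [ "$code" = "$3" ]; then
        echo "PASS $3 $1?$2"
        return 0
    fi
    echo "FAIL expected $3 got $code $1?$2"
    return 1
}

# run_smoke_tests: the three cases from the post; returns the number of failures.
run_smoke_tests() {
    fails=0
    check_case /phpinfo.php 'id=1' 200 || fails=$((fails + 1))
    check_case /phpinfo.php 'id=1 and 1=1' 403 || fails=$((fails + 1))
    check_case /phpinfo.php "search=<script>alert('xss');</script>" 403 || fails=$((fails + 1))
    return "$fails"
}

# Usage: BASE=http://your-host sh waf-smoke.sh run
case "${1:-}" in
    run) run_smoke_tests ;;
esac
```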
7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
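A check that reads the startup notices above out of error.log and flags any library whose loaded version differs from the compiled one, so the APR problem (or a later PCRE one) is caught automatically after every package update. This is an added example, not from the original post; the error.log path in the usage comment is assumed from the --prefix used above, and the sample lines are constructed from the log quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: scans an nginx error.log for the
# ModSecurity startup notices shown above and flags every library whose
# compiled version differs from the loaded one.

# report_mismatches [LOGFILE]  (reads stdin when no file is given)
# Prints "LIB compiled=X loaded=Y ok|MISMATCH" per library; exits 1 on any mismatch.
report_mismatches() {
    awk '
        # e.g.  ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
        /ModSecurity: [A-Z]+ compiled version=/ {
            lib = $0; sub(/.*ModSecurity: /, "", lib); sub(/ compiled.*/, "", lib)
            c = $0; sub(/.*compiled version="/, "", c); sub(/".*/, "", c)
            if ($0 !~ /loaded version="/) {
                # LIBXML only reports the compiled version; nothing to compare
                printf "%s compiled=%s loaded=- (not reported)\n", lib, c
                next
            }
            l = $0; sub(/.*loaded version="/, "", l); sub(/".*/, "", l)
            # PCRE appends a build date ("7.8 2008-09-05"): compare the version token only
            split(c, ca, " "); split(l, la, " ")
            state = (ca[1] == la[1]) ? "ok" : "MISMATCH"
            if (state == "MISMATCH") bad = 1
            printf "%s compiled=%s loaded=%s %s\n", lib, ca[1], la[1], state
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample made from the error.log lines quoted above (not a real log).
sample_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# On the host: report_mismatches /opt/tengine/logs/error.log  (path assumed from --prefix)
sample_log | report_mismatches \
    || echo "library mismatch: rebuild ModSecurity or align the runtime package (yum remove apr)"
```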
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
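With concurrent logging the storage directory must be writable by the nginx worker process, which is why the configuration above opens it up with SecAuditLogDirMode 0777. The following added example (not from the original post) instead hands the directory to the worker user and keeps it closed to everyone else, with a check you can run after deployment; it assumes the worker runs as nginx's default user nobody, so pass the "user" from your nginx.conf if it differs.

```shell
#!/bin/sh
# Added example, not from the original post: prepare SecAuditLogStorageDir for
# concurrent audit logging so the worker user can create its per-day
# subdirectories without the world-writable 0777 used above. Pair it with
#   SecAuditLogStorageDir /var/log/modsecurity
#   SecAuditLogDirMode 0750
#   SecAuditLogFileMode 0640
# in modsecurity.conf (directives from the post; modes tightened here).

# prepare_audit_dir DIR WORKER_USER  (run as root on the real host)
prepare_audit_dir() {
    mkdir -p "$1" && chown "$2" "$1" && chmod 0750 "$1"
}

# audit_dir_ok DIR WORKER_USER
# Returns 0 when DIR exists, is owned by WORKER_USER and is not world-writable.
audit_dir_ok() {
    [ -d "$1" ] || return 1
    want=$(id -u "$2" 2>/dev/null) || return 1   # unknown user: fail closed
    have=$(ls -ldn "$1" | awk '{ print $3 }')     # numeric owner uid
    [ "$have" = "$want" ] || return 1
    # -prune keeps find on the directory itself; -perm -002 matches world-writable
    [ -z "$(find "$1" -prune -perm -002 -print)" ]
}

# Usage on the host from the post (worker user "nobody" assumed):
#   prepare_audit_dir /var/log/modsecurity nobody && audit_dir_ok /var/log/modsecurity nobody
```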
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614