ModSecurity started life as an open-source WAF for Apache and does a lot to harden a web tier; it now also supports Nginx and IIS. Combined with Nginx's flexibility and performance it can be built into a production-grade WAF, a strong tool for both protecting and auditing web traffic.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr (httpd-devel is only needed at build time, for apxs):

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for Nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is about filtering and blocking web attacks, and its power lies in its rules. The rule set OWASP provides is maintained by community volunteers and known as the Core Rule Set (CRS); it is reliable and strong, and you can of course write your own rules on top of it for whatever else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches without blocking; it is worth leaving that in place while you watch the error log for false positives against your own application, then switching to On once the rule selection is tuned.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need by Including the rule files, keeping the 10_setup file first because it defines the default action and the variables the other rules depend on. Absolute paths (/opt/tengine/conf/owasp-modsecurity-crs/...) are the safer choice here and for ModSecurityConfig if you are unsure what relative paths resolve against:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add these two lines to the location of any virtual host where ModSecurity should be active:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. Keep in mind that ModSecurity only inspects requests that reach a location carrying these directives: in the PHP example nothing but .php requests is filtered, and anything served by another location bypasses the WAF. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the host part of proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, malicious requests get a 403 straight back. Using the PHP setup as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 renders normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So SQL injection and XSS are being filtered. Remove phpinfo.php again once you are done: it exposes the PHP build, loaded modules and environment to anyone who can reach it.
7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Be aware that yum removes everything that depends on the apr package along with it (httpd-devel and apr-devel included), which is fine once the module has been built. Afterwards check with ldd /opt/tengine/sbin/nginx | grep apr that the binary now resolves the libapr you compiled against rather than failing to find one at all.
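An added check for this warning, not from the original article: a shell function that reads the compiled/loaded version notices ModSecurity writes at startup and reports every library whose two versions differ, plus a helper that asks ldd which libapr the nginx binary actually resolves, so you know what you are dealing with before removing packages. The binary path is an assumption; the sample input is the set of startup notices quoted from the error.log excerpt above.

```shell
#!/bin/sh
# Added example, not from the original article: parse the compiled/loaded version
# notices ModSecurity prints at startup and flag any library whose versions
# differ, then show which libapr the dynamic loader resolves for the binary.
# Assumption: the notice format is the ModSecurity 2.x one quoted in the article.

# lib_mismatches LOGFILE -> prints "NAME COMPILED LOADED" for every mismatching
# library and returns 1; returns 0 (prints nothing) when all versions agree.
lib_mismatches() {
    rc=0
    while IFS= read -r line; do
        case $line in
            *'compiled version="'*'loaded version="'*) ;;
            *) continue ;;   # e.g. LIBXML only reports a compiled version; skip
        esac
        name=$(printf '%s\n' "$line" | sed 's/.*ModSecurity: \([A-Z]*\) compiled.*/\1/')
        compiled=$(printf '%s\n' "$line" | sed 's/.*compiled version="\([^"]*\)".*/\1/')
        loaded=$(printf '%s\n' "$line" | sed 's/.*loaded version="\([^"]*\)".*/\1/')
        # PCRE reports "7.8 " against "7.8 2008-09-05": compare the version token only
        compiled=${compiled%% *}
        loaded=${loaded%% *}
        if [ "$compiled" != "$loaded" ]; then
            printf '%s %s %s\n' "$name" "$compiled" "$loaded"
            rc=1
        fi
    done < "$1"
    return $rc
}

# loaded_libapr NGINX_BINARY -> path of the libapr-1 the loader picks for it
# (ldd only inspects; nothing is executed). If this is the distribution's
# /usr/lib64/libapr-1.so.0 while ModSecurity was built against a newer apr
# installed elsewhere, that is the mismatch behind the warning.
loaded_libapr() {
    ldd "$1" | awk '/libapr-1/ { print $3 }'
}

# The startup notices quoted in the article, used as sample input
sample_notices() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# Usage on the server:
#   lib_mismatches /opt/tengine/logs/error.log   # prints: APR 1.5.0 1.3.9
#   loaded_libapr /opt/tengine/sbin/nginx
```

Run lib_mismatches against the real error.log after each restart; once it prints nothing and loaded_libapr points at the apr you built against, the warning is gone for the right reason and not because a library silently failed to load.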
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

The error comes from the default Serial audit log, where every worker appends to one shared file under a global mutex that the unprivileged worker process cannot lock. Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead, so with SecAuditLog commented out the mutex is never needed. Do not leave SecAuditLogDirMode at 0777 in production, though: it makes the audit-log directories world-writable, so any local user can alter or plant entries in the audit trail. Create /var/log/modsecurity owned by the nginx worker user (the one in the user directive) and use something like 0750 instead.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614