ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now supports Nginx and IIS as well. Combined with Nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build by passing "--add-module" to configure:

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
+ F0 K& |# O, M) e' r0 w四.添加规则
; m9 u9 I/ P# ?3 p0 {2 Z
8 n; f" X3 n* j5 J& nmodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
, ]6 ]- D3 q" x3 z! C6 }
" Q7 G+ d, ]6 m1 b* q% s2 K1.下载OWASP规则:7 }( Z7 I$ H& h) e" [; B7 ^4 Z
4 C0 P, P9 x( N$ T- t8 y* ~git clone https://github.com/SpiderLabs/owasp-modsecurity-crs' L* J L; M5 w T( @3 D+ l
- n5 I) ]- d% Y
mv owasp-modsecurity-crs /opt/tengine/conf/5 m4 y7 R0 e; y6 E2 \
% \1 o7 Q2 I% Ccd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
' _+ L' p/ p# O9 L+ z% ^2.启用OWASP规则:
3 Y" `2 |1 x& H6 _; C' z
7 z3 ^! S7 j0 Q! D5 Z* ^3 k复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
7 P) n) t: x% c. m; ^. M5 p }( B" Z3 I, R, g" J" E
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
& ]1 G8 o( o( ]8 d# V. j6 }8 D& n% O3 o5 }
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
. x# [/ u D# c% E N" y0 } C. _) v1 d6 Z1 h7 K% s
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf T* C" P4 f- L8 G$ x+ G
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
& X, i# t* Z0 Q$ m/ ^) w3 @& RInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
9 T9 b. g" ?+ [Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
" H) h7 v( G& Q0 F3 }' m! ZInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
1 g& v/ P! B, P( yInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf; l9 }; _% S2 A+ ~ Z$ x
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf. Q% C5 d* H% j3 M( |

5. Configure nginx

In the location block of every host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, in lower case
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6. Testing

We enabled XSS and SQL injection filtering, so malformed requests are answered directly with a 403. Taking the PHP environment as an example, create phpinfo.php with the content:

<?php
phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

7. Troubleshooting during installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime; error.log also contains:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9)

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
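As an added example (not code from the original post), here is a small Python parser for the ModSecurity messages that the standalone module writes to nginx's error.log: the audit-log error above and the lines logged when a request like the section 6 tests is rejected with 403. The sample log lines, rule ids and unique_id values are constructed for the example; the bracketed fields it extracts ([id ...], [msg ...], [uri ...], [client ...]) are the ones ModSecurity 2.x emits.

```python
import re
from collections import Counter

# Constructed sample of what the ModSecurity standalone module writes to nginx's
# error.log: the audit-log failure from section 7 plus two blocked requests like
# the section 6 tests. Rule ids, line numbers and unique_id values are made up.
SAMPLE_LOG = """\
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)\\band\\b" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "SQL Injection Attack"] [data "1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample-1"]
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "2"] [id "900002"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "sample-2"]
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
"""

# "<date> <time> [<level>] <pid>#<tid>: [client <ip>] ModSecurity: <body>"
PREFIX_RE = re.compile(r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: '
                       r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
# the trailing [key "value"] sections; values may contain backslash-escaped quotes
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'Access denied with code (\d+)')

def parse_line(line):
    """Return a dict of one ModSecurity error.log line's fields, or None for other lines."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    body = m['body']
    denied = DENIED_RE.search(body)
    event = {'time': m['time'], 'level': m['level'], 'client': m['client'],
             'status': int(denied.group(1)) if denied else None,
             'message': FIELD_RE.sub('', body).strip()}  # free text before the fields
    for f in FIELD_RE.finditer(body):
        event.setdefault(f['key'], f['val'])  # [tag ...] repeats; keep the first value
    return event

def blocked_requests(log_text):
    """Only the events where ModSecurity denied the request (e.g. the 403s in section 6)."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and e['status']]

def summarize(log_text):
    """Blocked requests per client IP and per (rule id, msg), a quick triage view."""
    events = blocked_requests(log_text)
    return (Counter(e['client'] for e in events),
            Counter((e.get('id'), e.get('msg')) for e in events))
```

Feed it a real error.log (for example `summarize(open('/opt/tengine/logs/error.log').read())`) to see which clients and which CRS rules account for the 403s before tuning or disabling a rule.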

References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614