|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
7 U) a; b5 h, X/ P; }5 E7 D" D1 h1 W7 _
. e, m$ {9 z8 O+ {3 E0 S一.准备工作" R7 \) k1 p7 D) f$ O
; ?$ S2 I* m' e
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0/ `0 T ~1 K. g& @* ~
/ t* a+ [6 j. ~# y
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
3 \' _, C4 l4 |; d5 n* s# n; B% g Q4 M+ o
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
# I# h; [; W6 C# g! F- j. H
8 E# A' O7 @" f* l/ x/ y6 D; BOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
- P/ l2 E/ j- C* Q* r' U. Q: B' Z% e
依赖关系:
5 C2 t9 @4 r6 z; v8 qtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
9 ^4 c( g0 q0 W0 h
& v* L: s! I3 S+ a* ?: m6 Cyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
# Q# _! ]2 D) Y( K' e; W# Z5 smodsecurty依赖的包:pcre httpd-devel libxml2 apr
$ \6 t- L" r+ R* X$ {/ k( m( B! V- O4 X' m' J
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
$ J! [1 _% `1 r/ y: i二.启用standalone模块并编译
: y8 m" B% @5 P8 ~5 e6 w( E# d( p# \6 t4 C) }% R* y
下载modsecurity for nginx 解压,进入解压后目录执行:
* u! i, z& X7 Q( a) J
( M' g: t8 f) `6 A; |8 f! }./autogen.sh& i% e9 `& Q M( w
./configure --enable-standalone-module --disable-mlogc
) D, g( O9 x& i) Gmake & F" w' }& z* I6 W4 n- g+ }
三.nginx添加modsecurity模块
, d8 p' [2 ^6 O' J! W
% ]# a9 D( q' p% |3 P) ?在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:* d! Q4 y5 u! ^
2 P1 ]! ~" Q$ C; L' X: _* G
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
7 O* }1 F$ R% e4 ^# Bmake && make install
4 m$ D: w& F! w* x: Y1 t四.添加规则1 H2 y. A9 u3 I% p: P6 }- [5 i
" b9 Y: Y6 `# B. `0 emodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。# `6 R ]/ g1 @ Y& Y; E
5 b# H; O9 q1 ?* `1 V2 |3 N
1.下载OWASP规则:
9 ~+ I8 s! Y5 d& U2 B# l
; }# t1 }5 x( z# c5 X5 t5 Xgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs7 G/ y5 O, _5 _) b, e g* U# i
4 X. w# H4 K: \& n: p4 b" Wmv owasp-modsecurity-crs /opt/tengine/conf/
% n: v* S2 d& J3 R
! m2 y7 U c2 b( W) A* G" w# Wcd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
, z% n0 V6 j0 ^/ o; v2.启用OWASP规则:
) J0 A4 }1 v5 ^. z. o) {# i3 ^1 ~2 l9 X" |% R) D; w/ z
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
, X+ I/ K7 q0 q/ N1 ]. O7 O$ ?2 J* ^3 n |! D B$ ]4 \2 U
编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
9 z( O- E9 J" c- D( [, f6 ?/ }8 z
2 B4 {% ?/ ^. ]9 _5 {" v& howasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
`* t# F( o' |6 O- _5 [/ F
% Y0 t4 x( o' z- w, s3 ]Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf, s' [! Z' ^! j: W7 ^5 E
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
- v7 J- a- _4 [9 mInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ D7 M* k7 ~( {0 EInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf5 a" r* p1 p; I, |5 t9 Q& x
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
) ^* S& q( j( k# s; _& b9 ]Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf" }6 a( }/ p1 a1 o' V
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
1 Q/ n7 `, p5 M( x6 Q, g' I- [五.配置nginx
* h3 B# l) G& h/ |7 S l
! y% J1 V) B" ~2 E; _1 s+ t0 l在需要启用modsecurity的主机的location下面加入下面两行即可:
; u* E& G7 w( z# q8 h( q& u) ?( L
# E& a! I! G/ K5 `1 vModSecurityEnabled on;
2 c9 ?& a, f' p$ O- I1 AModSecurityConfig modsecurity.conf;& |: s, C3 {3 i" g$ M( k
下面是两个示例配置,php虚拟主机:
9 c+ j' x4 N+ `0 N; A2 N" {& {5 [% N- ?* v) Z7 m; `1 W
server {3 X( E* t# I) Y/ p
listen 80;
, w+ n, H4 o! S( L/ O& S8 j6 H server_name 52os.net www.52os.net;
5 i( A) X, y% [3 L ; W( g/ f9 r: J* p+ g1 l
location ~ \.php$ {
( V# p4 y+ \. h$ h5 a ModSecurityEnabled on; 3 w* q: I2 _9 Z6 h! Q- f3 V& Z
ModSecurityConfig modsecurity.conf;# H5 d5 C9 E+ k5 G
! { ?; @" o, f
root /web/wordpress;( O4 z* y; V" B, Z) t
index index.php index.html index.htm;
4 r# Z1 g5 I! a' Y7 E( K: Y 5 ^! k7 m+ ~0 J; b1 W# N' f* b
fastcgi_pass 127.0.0.1:9000;! F. u0 B* n! {7 L0 w8 x0 t; h1 E! j
fastcgi_index index.php;: R7 |0 c2 }; f" F, z
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
+ N) C' e4 O7 m; e9 Z$ |0 f$ ~ include fastcgi_params;
/ n- B3 Z7 s! e" B }
5 K4 \0 {* @9 M2 c3 Z1 A }
+ e) h; P' L5 D, u! gupstream负载均衡:. `& ^# v; A3 Q
( v3 ^( I- ~; d5 J! k# C( i
upstream 52os.net {& q! h* p+ F) m5 I2 W: p
server 192.168.1.100:8080;6 P5 k: [) K6 `7 ~
server 192.168.1.101:8080 backup;9 D# p6 h8 Y, C! s! G, ~
}
+ W- I j' m! D4 p' t# L' D3 t8 v8 g% y# V" S
server {
" M1 l0 n" @* X4 Wlisten 80;: K3 s5 F B! [/ \# N ~' U
server_name 52os.net www.52os.net;4 f- l: ^0 H; i( Z/ w
5 A. k. G; |% c4 w5 C' {1 [# O
location / {
. N! n7 Z# B5 a- n ModSecurityEnabled on;
1 y7 l6 q9 x; o3 N2 l' ^8 ~ ModSecurityConfig modsecurity.conf;
4 g3 }+ m/ x3 I8 Z5 i# N8 V( y5 W; M s
proxy_pass http://online;
# u' c- l$ K; d' x& x; H8 f6 }/ i2 P7 P proxy_redirect off;
9 O# o, Y6 E n proxy_set_header Host $host;" _6 b$ p/ B4 {3 f; z
proxy_set_header X-Real-IP $remote_addr;
c( |/ ]1 Y$ V. o proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
* [0 I, k' P) C K3 P }
: `: F+ x* ^. C# ^ o& a# j}
1 C" i3 Z; A2 g6 d$ W六.测试- F7 _; S3 Z3 ~' N6 \5 B& S* r$ v
% F H- k9 j2 G
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:) s9 K4 {+ v* u) ^) L3 Z9 C2 b) K$ u
: t; _5 |. F" {; L$ O+ ]- Q<?php
! V/ T& g6 G0 s6 e) ~0 o phpinfo(); 5 e5 @6 J: K2 y* Y
?>% Y1 a, Y2 V" S! z
在浏览器中访问:+ C5 p* o# l* Q( X, z) F# r
" ]6 \" ?0 o3 Z Z- \+ ~3 bhttp://www.52os.net/phpinfo.php?id=1 正常显示。 v: h, j) G4 n* ]. }/ d
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
5 i- f% M5 O0 |+ g' Ohttp://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
7 K8 o8 M; I4 z5 G0 y) X' F说明sql注入和xss已经被过滤了
z {! L# @$ j, O, G2 j0 T; ]" ?: x; }0 i
七、安装过程中排错1 [9 N/ L) N/ J; U& Q
8 o! {2 d( m. r- D& a5 @: V1.缺少APXS会报错1 x' d2 i; }" B$ I$ e( P; a
! g) m# E$ N. Z3 g1 ~" m' Iconfigure: looking for Apache module support via DSO through APXS, O! p9 J8 m" h. k- n
configure: error: couldn't find APXS
+ f; H% R6 B, ]9 Qapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。) f* j0 u/ J8 K6 I! `% b' d
解决方法:9 ^. ~3 p5 o- K
. }9 V6 [5 T% x( G
yum install httpd-devel
f) C: X+ H+ w$ Y: k: v& c; s2.没有pcre
/ [8 T+ l# A8 }4 E7 y& y* b7 e- s" `6 f. n% S: G- ^& R
configure: *** pcre library not found.8 z/ O: z% ]9 Y' z7 T) X
configure: error: pcre library is required
* k5 x0 E' m" @% H5 E" b解决方法:+ j+ p5 v/ o ?1 K3 G
6 h3 Q6 B s8 E9 [3 @yum install pcre pcre-devel
5 v5 ^3 o6 r3 l1 F& i8 V7 S3.没有libxml28 r c/ d1 t) a& x
$ a8 }% N0 R M# u/ q9 z, M: K" R( {" ~
configure: *** xml library not found.
' {2 J# k* Q+ y* n, V, x% \7 wconfigure: error: libxml2 is required: e+ X/ J* t. p! g- ]
解决方法:
4 W, h# j# l3 h* W$ x
* W6 o6 f+ _1 }yum install libxml2 libxml2-devel( H( q, U0 |. K& q& O
4.执行 /opt/tengine/sbin/nginx -m 时有警告
! J3 Z, c9 r4 `, a8 T$ ?) |* Y( I4 \. { W# \/ U7 g
Tengine version: Tengine/2.1.0 (nginx/1.6.2)
2 p, V) E. M) ?nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
1 d% I! h' a0 L) [/ m/ ~3 O) N7 b$ `. Z原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log3 q- E/ I# D: ~9 f z V, [
& b; m8 @( X! ?( ~$ Z, E4 ?4 E
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.# f) F+ o$ w. x5 q5 j8 y
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
9 ~3 U' S2 N) N( ?2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
. h) @( k) `9 G7 p2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
: d2 l0 \8 ?: e% t' o& T2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"$ w* O/ D, b& o2 n2 |: A
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
' O* I4 f. }$ \7 K解决方法,移除低版本的APR (1.3.9)$ r# l' j2 E# m7 D" q( {! H
$ M4 B* u7 t; C6 ?' E4 f( f7 Dyum remove apr' E( U: i/ u. V6 t
5.Error.log中有: Audit log: Failed to lock global mutex' }4 r8 T1 ^$ G! U: l; Z' ?; C
\- M2 S# p* ~5 e8 U. Z0 {$ b2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock }# C ~* o7 c, ?4 [0 v
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
5 v% h7 l3 T5 ]4 W, f9 z解决方法:
{# a# f. ^) P编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容: |6 h. e4 q g* O8 S
3 d! L% O" N% [; h o
SecAuditLogDirMode 0777) c1 ~ ~ n) S
SecAuditLogFileMode 0550
$ `0 k" m( r2 L- oSecAuditLogStorageDir /var/log/modsecurity, ^; U3 k/ Q5 D7 W2 E! g
SecAuditLogType Concurrent
* c+ l3 ~. |5 a( n t7 K参考文章:3 T# d6 h- t- h" M% N
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
) X/ |* \8 k" ], z" Rhttp://drops.wooyun.org/tips/2614 |
|