ModSecurity began as an open-source WAF for Apache and is an effective way to harden a web application; it now supports nginx and IIS as well. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web traffic.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build

Download ModSecurity for nginx, extract it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches but never blocks).

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by pulling them in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
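Steps 1 and 2 of this section collected into one function, added here as an example and not part of the original post. It assumes the CRS checkout and the ModSecurity 2.8 source tree already exist locally (nothing is downloaded), that the three paths are passed as arguments, and that Include paths resolve relative to the nginx conf directory as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): the rule-set setup from
# steps 1 and 2 of section IV as one function that can be re-run safely.
# Assumes the CRS checkout and the ModSecurity source tree already exist.
# Usage: enable_crs <modsecurity-src-dir> <crs-checkout-dir> <nginx-conf-dir>
enable_crs() {
    src="$1"; crs="$2"; conf="$3"
    target="$conf/owasp-modsecurity-crs"

    # Step 1: put the CRS under conf/ and activate its setup file. The
    # .example suffix has to go, or the Include below points at nothing.
    [ -d "$target" ] || cp -R "$crs" "$target" || return 1
    if [ -f "$target/modsecurity_crs_10_setup.conf.example" ]; then
        mv "$target/modsecurity_crs_10_setup.conf.example" \
           "$target/modsecurity_crs_10_setup.conf" || return 1
    fi

    # Step 2: start from the recommended config and the unicode map.
    cp "$src/modsecurity.conf-recommended" "$conf/modsecurity.conf" || return 1
    cp "$src/unicode.mapping" "$conf/unicode.mapping" || return 1

    # The recommended file ships with "SecRuleEngine DetectionOnly", which
    # logs but never blocks; switch it to On (sed via a temp file, portable).
    sed 's/^SecRuleEngine .*/SecRuleEngine On/' "$conf/modsecurity.conf" \
        > "$conf/modsecurity.conf.tmp" || return 1
    mv "$conf/modsecurity.conf.tmp" "$conf/modsecurity.conf" || return 1

    # Include the setup file first, then the rule files. Refuse to reference
    # a file that does not exist, so nginx -t does not fail later.
    for f in modsecurity_crs_10_setup.conf \
             base_rules/modsecurity_crs_41_sql_injection_attacks.conf \
             base_rules/modsecurity_crs_41_xss_attacks.conf \
             base_rules/modsecurity_crs_40_generic_attacks.conf; do
        [ -f "$target/$f" ] || { echo "missing rule file: $f" >&2; return 1; }
        echo "Include owasp-modsecurity-crs/$f" >> "$conf/modsecurity.conf"
    done

    # Final check: the engine must be in blocking mode.
    grep -q '^SecRuleEngine On$' "$conf/modsecurity.conf"
}

# Run directly only when all three paths are supplied on the command line.
if [ "$#" -eq 3 ]; then enable_crs "$@"; fi
```

After it returns 0, run /opt/tengine/sbin/nginx -t to let nginx parse the Includes before reloading.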
V. Configure nginx

In the location block of each host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # WAF on for every PHP request handled here
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must be the one proxy_pass refers to below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        # WAF inspects the request before it is proxied to the pool
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP Server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
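A small check for the compiled-versus-loaded notices above, added here as an example and not part of the original post. It reads an nginx error.log, compares only the leading numeric version of each library (my assumption about what matters, so the PCRE line counts as a match), and exits non-zero on a mismatch so a restart script can stop before loading the wrong library.

```shell
#!/bin/sh
# Added example (not from the original post): scan an nginx error.log for
# the "compiled version ... loaded version" notices ModSecurity prints at
# startup and flag any library whose runtime build differs from the one it
# was compiled against (the APR 1.5.0 vs 1.3.9 case above).
# Assumption: only the leading numeric token is compared, so the PCRE line
# ("7.8 " vs "7.8 2008-09-05") counts as a match; lines with no loaded
# version (LIBXML) are skipped.
# Usage: check_modsec_versions /opt/tengine/logs/error.log
check_modsec_versions() {
    log="$1"
    report=$(
        grep -o 'ModSecurity: [A-Z]* compiled version="[^"]*"; loaded version="[^"]*"' "$log" |
        while IFS= read -r line; do
            lib=$(printf '%s\n' "$line" | sed 's/^ModSecurity: \([A-Z]*\) .*/\1/')
            comp=$(printf '%s\n' "$line" | sed 's/.*compiled version="\([^" ]*\).*/\1/')
            load=$(printf '%s\n' "$line" | sed 's/.*loaded version="\([^" ]*\).*/\1/')
            if [ "$comp" = "$load" ]; then
                echo "ok $lib $comp"
            else
                echo "MISMATCH $lib compiled=$comp loaded=$load"
            fi
        done
    )
    printf '%s\n' "$report"
    # Non-zero exit on any mismatch, so a deploy script can stop before the
    # restart that would load the wrong library.
    ! printf '%s\n' "$report" | grep -q '^MISMATCH'
}

# Run directly only when a log path is supplied on the command line.
if [ "$#" -eq 1 ]; then check_modsec_versions "$1"; fi
```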
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 makes the storage directory world-writable; creating it owned by the user the nginx workers run as, with a tighter mode, is the safer choice.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614