|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。: X) t( B' v& C- A1 x" s4 s
0 }3 ]: v5 u. \6 W4 z一.准备工作
4 r3 {$ H W+ {3 V6 g% S( m+ j! @1 f& w/ h3 f- B" r" _( u
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0" E2 u% z6 v0 P' @* ^1 m% s6 n
1 a5 V a% [ j6 Q7 Itengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz- U+ n/ x4 ?4 i7 [# @
% Y8 n% R9 c* Z( u# nmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
; s7 B/ E- h7 @' w* D- T. c% X2 t( B) A
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs8 b) f/ \( @3 v2 A: H5 B
. s, d0 b2 S1 ]7 I
依赖关系:. U3 b* f* ?8 o9 {& z; t8 l! c
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
2 R) _, o5 u4 y: P; P
) C) J6 {; f6 ?8 ~yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
8 l: ^. e9 U* c& G5 jmodsecurty依赖的包:pcre httpd-devel libxml2 apr
* _$ G( Z' p# t. t( U% \7 D- l. A. ]3 E3 P/ {! Z; E
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel, S$ ~/ [* \% T3 q$ V1 B. p
二.启用standalone模块并编译/ [: _# s2 ~' C
" T+ Y, e3 Y5 t3 G! b' j# m9 e
下载modsecurity for nginx 解压,进入解压后目录执行:- v- J3 r ^4 y! ^$ Y
% s( D* h1 V* w* m% c8 ^
./autogen.sh
1 w/ k/ t R& p2 l5 F, J9 J+ @% _./configure --enable-standalone-module --disable-mlogc" G$ L) O# [: k" K) f0 }
make ! m* z/ N, f3 K% g5 M) i! L
三.nginx添加modsecurity模块
: [$ _8 \4 l+ K2 q: R: w
& _3 q6 x) Y; [4 `* g在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
* q! T R+ h$ G7 U T' v5 @2 y+ W( q- c8 u
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
% \, D8 L& [* ] i3 @/ {) y. fmake && make install1 g" Z X K p, O" D, A4 j1 T# j
四.添加规则 O6 P) u, s/ j6 X4 r
1 D3 k. C; L3 y) K7 k9 C8 Z: w
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。) ~" w# ]$ o; H9 B v! d% l
1 k$ m+ w. e" P$ j1.下载OWASP规则:
' k: f1 j/ V6 X0 x" V: ?
( s- `) g, ]3 w0 ygit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
' N0 U# k5 Y+ y [0 ^3 g/ E s+ A M. q0 l0 P" t# T/ h( e
mv owasp-modsecurity-crs /opt/tengine/conf/9 N8 }3 l' g+ J/ U
) p- _- E' n: v0 e: O+ X/ n# I
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
* y% r6 J3 ~9 f) p2 h2 x9 b2.启用OWASP规则:
9 G4 Y9 F$ }# u. l5 O; E9 E
) b; @5 [: R1 |复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。4 i+ ^% [$ W) f: V$ q
}& n' a* V/ t编辑modsecurity.conf 文件,将SecRuleEngine设置为 on1 J* O$ j$ n1 q( O4 U( z# x
" |( j& Q8 V/ j) i; d1 P7 S8 qowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。! R; w4 o( I d6 u1 M: Z6 O( x8 O& h
8 W8 G3 c7 m7 B1 m2 O
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
2 J) f) @4 v2 y5 Q$ OInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
8 [, O, A# z6 \- a) x1 A2 G RInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
; x- N; F. I7 m* R! pInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
5 V0 K- p. v3 K! N8 S( Q% O9 U2 s0 ~Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf0 C6 E5 ]% a, ?. r$ W, t [
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
e4 `1 U; U7 k X5 e' x1 IInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf0 d5 Q: W2 w1 ^$ \( K, B
五.配置nginx6 h* x0 O, Q6 Y5 u7 u7 p
- x/ p Z- {, `& P' G
在需要启用modsecurity的主机的location下面加入下面两行即可:
! \0 V- B! }6 r6 E3 e. N+ H! U* @; P+ S
ModSecurityEnabled on;
; E9 m' r |: a+ X& W8 ?4 tModSecurityConfig modsecurity.conf;
v% H4 ^# P* f3 U' y/ ^% a下面是两个示例配置,php虚拟主机:
- o! L3 f, d r' r( |7 [9 E# D
1 i. Q4 [. b6 A h' t; ?server {/ ~+ R; Q$ G. t C. u& u
listen 80;" I0 U- g/ Z, ?0 r
server_name 52os.net www.52os.net;4 G: D2 t3 J# \% O( q
4 S. f% u* u; {, {; v location ~ \.php$ {. i3 Y9 ^# ?) _( a( U
ModSecurityEnabled on;
# n0 }4 S7 I; d. { ModSecurityConfig modsecurity.conf;
: L8 t: k5 m" U$ v
2 g( P& S# @6 F2 Y5 N! J# N root /web/wordpress;
+ W2 s: I8 n0 c$ e index index.php index.html index.htm;
7 [- M" u' P# @' {: } ' q' c; Z" \4 l# b9 z" t. v" I
fastcgi_pass 127.0.0.1:9000;
6 ?1 C3 \2 X% u" X8 a* w fastcgi_index index.php;5 v' f0 h, f7 u) N
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;7 M# r! W5 q% H/ ]7 z) ]
include fastcgi_params;
2 E" q: F3 h2 I8 @+ g$ q; U }3 O" W2 x5 d1 \; u2 D2 J. A+ ?
}0 C$ j' e& F0 J* L
upstream负载均衡:
( X( T" X! n; p3 J8 B% h/ |$ H% V2 x! U- f
upstream 52os.net {' v* s' ] W8 X
server 192.168.1.100:8080;. w# M4 h8 {$ J. w
server 192.168.1.101:8080 backup;
. W! c" L: n9 w7 Q& C: Z}- I& S) x u: R% Z3 \$ F" p
' ?. Z. A6 m7 u+ p, P
server {3 ^! O8 q! |$ S5 |
listen 80;# E8 _/ }1 B5 ?* g% x! J0 c, Y
server_name 52os.net www.52os.net;
% J [: y: R& l3 z/ g3 z# m
x' s* P! Y# j3 n5 A% Plocation / {
' A3 P/ B" R* _7 t" _ ModSecurityEnabled on;
9 d+ d) x; a& Y" M$ u ModSecurityConfig modsecurity.conf; 5 _8 u0 l7 U' a% O9 v% c2 v
# c3 g7 @' o1 c" T! V9 L. g8 i$ W V
proxy_pass http://online;
* ^5 n+ p8 E6 [* I* g4 n proxy_redirect off;# {. r5 y F+ P8 t+ L
proxy_set_header Host $host;
9 _1 k2 W/ e6 z2 V proxy_set_header X-Real-IP $remote_addr;
4 \& e, C* }& S proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
7 d, U, d* e6 f% t, d+ k: t }
; }* D! t* i3 g' h. s, \$ t4 U}
8 O; R6 a+ e7 N+ N4 V六.测试
. g1 m; `2 C4 ^$ T q+ h7 X( y0 q1 o" K# B4 ^ ?
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
; L9 b2 q) o5 K0 [" d4 c; z+ E) e5 p/ J, D% ?
<?php
# O, o: J1 q* B! R+ q. ? phpinfo(); 6 `" E# W" {( f5 l
?>9 R1 F. n6 n: p
在浏览器中访问:- O6 m6 }2 l, O% `$ r' l: X
7 G! X/ G2 _, H' e' E
http://www.52os.net/phpinfo.php?id=1 正常显示。, K, j( X! s0 Q- P
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
* e: s6 A6 x% ~; n% ]http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
- j$ z6 M4 C6 K% V' r a1 Z% _说明sql注入和xss已经被过滤了! }- z4 x4 ]* {+ y
# {$ M% Z) z0 V1 N5 ]" w" ^5 I七、安装过程中排错
# ], G$ k! N+ q0 B; Y
8 s% ]* S5 ]7 ^1.缺少APXS会报错4 G; R$ ~% U% c- B
- m1 I0 q0 I4 Z# M% c. b- o
configure: looking for Apache module support via DSO through APXS
% U' V5 V3 H. ~configure: error: couldn't find APXS
1 z( R. T7 n% g/ t$ `, Z; papxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
H' [2 m! m7 g. f+ H0 E解决方法:
: M- N) v' Z. V/ T6 ~+ o: V3 C
9 F1 Y5 ]: a! Hyum install httpd-devel: S5 j6 s7 Y! {' c6 c
2.没有pcre
1 @6 Q! [$ |. D4 s# q2 H6 ^+ V1 n: O" u2 ]& ~, K
configure: *** pcre library not found.
+ `( j3 l- Y5 X! T, pconfigure: error: pcre library is required/ `' D+ x4 ]0 f
解决方法:
7 X- ?# N4 y& Z5 c3 M
* _- l }% h% c# @8 o3 d& t R- syum install pcre pcre-devel/ v: R* [! }3 p1 E2 Y' m6 c5 }* s
3.没有libxml2
, g5 O. u- _+ Z( L% W2 L
h& C6 P( p0 l
/ [5 h9 N t: m$ ]$ jconfigure: *** xml library not found.
& @% J; K+ y1 L9 s* N7 N! G- ?configure: error: libxml2 is required
# \+ c A' Q, H6 n' a解决方法:& x& h% u3 C) J; h. L% \
/ ?: R+ I7 A/ U; e) h( wyum install libxml2 libxml2-devel
1 x; d5 Q' m$ g4.执行 /opt/tengine/sbin/nginx -m 时有警告/ W! f8 R+ F9 |& [1 }) P5 u' D1 ]
! `! x2 v: _2 X) s, Z4 KTengine version: Tengine/2.1.0 (nginx/1.6.2)
" ?5 }0 ]( ?6 m5 ]nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
2 G6 I! C$ W" j3 O! Z$ }原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log# Z7 Y" C) m/ c+ o9 L0 J& K$ X
H0 r W9 U+ B+ z0 x
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
& K0 p" o; U/ b, Y/ n2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# M' @2 _: g* U+ L# p2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
1 M$ V$ O0 U5 U) i0 m2 K% o4 U2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"0 s" f! N1 d: w$ c2 d( Q
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
1 O( B' p, R" ?! W3 O2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.5 Z% ]3 }. Z0 n! s. i+ Q
解决方法,移除低版本的APR (1.3.9)0 M: O) ~) i8 M4 S4 C( w- F
& L+ Y1 i" W& x$ t1 ~0 \yum remove apr1 V) F) E. r6 W& }7 m
5.Error.log中有: Audit log: Failed to lock global mutex
6 U: ?; |0 e! T+ z
3 A* B1 O/ P# Y) `# z! }* q2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
3 Q7 K+ c/ C$ \9 A# R. M' w& jglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]5 U8 [/ F1 v; D# e" |$ E
解决方法:6 T& F; X: V3 i
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:3 s8 n# C R$ U% b1 q# Y
# w0 I( e4 g0 qSecAuditLogDirMode 0777
6 M6 ], z) l: }0 _5 C3 |SecAuditLogFileMode 0550
1 N& K" f6 h; t4 YSecAuditLogStorageDir /var/log/modsecurity
5 k0 y- a. M/ u0 h# NSecAuditLogType Concurrent
, \! N9 K: s, M参考文章:
/ X7 S: b( X" ~1 Z2 s$ v3 rhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
" Y8 i2 }3 S9 y6 V9 ]1 jhttp://drops.wooyun.org/tips/2614 |
|