ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web deployment. It now supports nginx and IIS as well; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity focuses on filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for particular needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by adding an Include line for each rule file (the paths below are relative to nginx's conf directory):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of the virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, a load-balanced upstream:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
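The three browser checks above can be turned into a repeatable smoke test that confirms the WAF is still active after every rebuild or rule change. The script below is an added example, not code from the original post or from the ModSecurity project: it replays the same three requests against the site named in the post (BASE_URL is a placeholder to adjust), expects 200 for the clean request and 403 for the two that the CRS rules should block, and takes the fetch function as a parameter so the logic can be exercised without a live server.

```python
"""Smoke-test that ModSecurity is answering the post's test requests as expected.

Added example (not from the post or the ModSecurity project). Uses only the
standard library. BASE_URL is a constructed placeholder taken from the post's
own example host; point it at your own vhost before running.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"  # placeholder host from the post; change to yours


def build_cases(base_url):
    """Return (url, expected_status) pairs mirroring the three checks in the post.

    urlencode() handles the quoting the browser did implicitly (space -> '+',
    '<' -> '%3C', and so on), so the request reaches the WAF exactly once decoded.
    """
    path = base_url.rstrip("/") + "/phpinfo.php?"
    return [
        (path + urllib.parse.urlencode({"id": "1"}), 200),
        (path + urllib.parse.urlencode({"id": "1 and 1=1"}), 403),
        (path + urllib.parse.urlencode({"search": "<script>alert('xss');</script>"}), 403),
    ]


def fetch_status(url, timeout=5):
    """Return the HTTP status code for url; 4xx/5xx answers are statuses, not failures."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base_url, fetch=fetch_status):
    """Run every case through fetch(); return a list of (url, expected, got, ok)."""
    results = []
    for url, expected in build_cases(base_url):
        got = fetch(url)
        results.append((url, expected, got, got == expected))
    return results


def waf_active(results):
    """True only if the clean request passed AND both attack cases were blocked.

    A WAF that is silently off returns 200 for everything; a broken site returns
    403 (or 5xx) for everything. Either case makes this return False.
    """
    return bool(results) and all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    outcome = run_checks(BASE_URL)
    for url, expected, got, ok in outcome:
        print("OK  " if ok else "FAIL", f"expected={expected} got={got}", url)
    print("WAF active" if waf_active(outcome) else "WAF NOT filtering as expected")
```

Run it after each nginx reload; a FAIL on the first case means the rules are blocking legitimate traffic, while a FAIL on the other two means requests are reaching the backend unfiltered.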
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Solution:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel
3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
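Both of the runtime problems in items 4 and 5 show up only in error.log, so it is worth having a check that reads the log after a start or reload instead of relying on someone noticing the lines. The script below is an added example, not code from the post or from the ModSecurity project: it parses the error.log record format shown above, reports which library versions ModSecurity was compiled against versus loaded, and lists audit-log failures with the client, URI and unique_id fields. SAMPLE_LOG contains the lines quoted in the post; the record layout regexes and the major.minor comparison are this script's own assumptions about the format, not ModSecurity's logic.

```python
"""Parse ModSecurity-for-nginx error.log lines and flag version mismatches
and audit-log failures.

Added example (not from the post or the ModSecurity project). SAMPLE_LOG is
the post's own error.log excerpt; the regexes below describe that observed
format and are assumptions, not a specification from ModSecurity.
"""
import re

# One error.log record: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?P<msg>.*)$'
)
# Startup notices: 'ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"'
# (the "loaded" part is optional; the LIBXML notice has no loaded version)
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
# Quoted bracketed fields in event messages: [uri "/i.php"] [unique_id "..."]
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')
# The client field is not quoted: [client 10.11.15.161]
CLIENT_RE = re.compile(r'\[client (?P<client>[^\]]+)\]')

# Lines copied from the post's error.log excerpt (the mutex line is one record).
SAMPLE_LOG = [
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"',
    '2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"',
    '2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"',
    '2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.',
    '2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock '
    'global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
]


def parse_line(line):
    """Split one record into ts/level/pid/msg plus its bracketed fields; None if not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    c = CLIENT_RE.search(rec["msg"])
    if c:
        rec["fields"]["client"] = c.group("client")
    return rec


def major_minor(version):
    """'7.8 2008-09-05' -> (7, 8). Only these two components are compared."""
    m = re.match(r'\s*(\d+)\.(\d+)', version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def library_versions(lines):
    """Return {lib: (compiled, loaded, mismatch)} from the startup notices.

    Assumption: a mismatch is a different major.minor, which is consistent with
    the post's log (APR 1.5.0 vs 1.3.9 warned; PCRE 7.8 vs 7.8 did not).
    """
    found = {}
    for line in lines:
        rec = parse_line(line)
        m = VERSION_RE.search(rec["msg"]) if rec else None
        if not m:
            continue
        compiled = m.group("compiled").strip()
        loaded = m.group("loaded").strip() if m.group("loaded") is not None else None
        mismatch = loaded is not None and major_minor(compiled) != major_minor(loaded)
        found[m.group("lib")] = (compiled, loaded, mismatch)
    return found


def audit_log_errors(lines):
    """Return (client, uri, unique_id) for [error] records about the audit log."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "error" and "Audit log:" in rec["msg"]:
            f = rec["fields"]
            out.append((f.get("client"), f.get("uri"), f.get("unique_id")))
    return out


if __name__ == "__main__":
    for lib, (compiled, loaded, mismatch) in library_versions(SAMPLE_LOG).items():
        print(f"{lib}: compiled={compiled} loaded={loaded} {'MISMATCH' if mismatch else 'ok'}")
    for client, uri, uid in audit_log_errors(SAMPLE_LOG):
        print(f"audit log failure: client={client} uri={uri} unique_id={uid}")
```

Feed it the real file with `library_versions(open("/opt/tengine/logs/error.log"))` (path assumed; use the error_log path from your nginx.conf). A mismatch after startup means the fix from item 4 has not taken effect, and any audit-log error means events are being dropped rather than recorded, which is exactly the condition item 5 resolves.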
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614