ModSecurity was originally an open-source WAF for Apache and can substantially strengthen web security; it now supports nginx and IIS as well. Combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF, a powerful tool for protecting and auditing web applications.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module is added at nginx build time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover any further requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need; a rule file is enabled simply by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
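Before restarting nginx it is worth confirming that modsecurity.conf really has SecRuleEngine On (modsecurity.conf-recommended ships with DetectionOnly, which only logs and blocks nothing) and that every Include points at a file that exists, so that a mistyped rule path is caught before it breaks the configuration. The following Python script is an added example, not part of the original post or of ModSecurity. It assumes that relative Include paths resolve against the directory containing modsecurity.conf, which matches the layout above where the CRS checkout sits next to modsecurity.conf in /opt/tengine/conf; the demo() function builds a constructed configuration tree in a temporary directory rather than touching the real one.

```python
"""Pre-flight check of a ModSecurity 2.x main config before nginx is
(re)started with it.  Added example, not part of the original post."""
import os
import re
import tempfile

# "Directive value" lines; comments and blank lines are skipped by the caller.
DIRECTIVE_RE = re.compile(r'^\s*(Sec\w+|Include)\s+(.+?)\s*$')


def parse_directives(text):
    """Return (name, value) pairs for the directives we care about."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).strip('"')))
    return pairs


def check_modsec_conf(conf_path):
    """Check SecRuleEngine, Include targets and the audit directory mode.

    Returns a dict: engine (value of SecRuleEngine or None), includes
    (resolved Include paths), missing (Include paths absent on disk) and
    problems (human-readable findings, empty when the config looks sane).
    """
    base_dir = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path) as fh:
        directives = parse_directives(fh.read())

    engine = None
    includes, missing, problems = [], [], []
    for name, value in directives:
        if name == 'SecRuleEngine':
            engine = value
        elif name == 'Include':
            # Assumption: relative Include paths resolve against the
            # directory of the config file, as in the layout in the post.
            path = value if os.path.isabs(value) else os.path.join(base_dir, value)
            includes.append(path)
            if not os.path.exists(path):
                missing.append(path)
        elif name == 'SecAuditLogDirMode' and int(value, 8) & 0o002:
            # Any local user could tamper with a world-writable audit directory.
            problems.append('SecAuditLogDirMode %s is world-writable' % value)

    if engine is None:
        problems.append('SecRuleEngine not set: engine defaults to Off')
    elif engine.lower() != 'on':
        problems.append('SecRuleEngine is %s: rules are not blocking' % engine)
    problems.extend('Include target not found: %s' % p for p in missing)
    return {'engine': engine, 'includes': includes,
            'missing': missing, 'problems': problems}


def demo():
    """Build a constructed config tree in a temp dir and check it."""
    root = tempfile.mkdtemp()
    crs = os.path.join(root, 'owasp-modsecurity-crs', 'base_rules')
    os.makedirs(crs)
    open(os.path.join(crs, 'modsecurity_crs_41_xss_attacks.conf'), 'w').close()
    conf = os.path.join(root, 'modsecurity.conf')
    with open(conf, 'w') as fh:
        fh.write(
            '# constructed sample: engine still in the shipped DetectionOnly mode,\n'
            '# one rule file present, one Include whose target does not exist\n'
            'SecRuleEngine DetectionOnly\n'
            'SecAuditLogDirMode 0777\n'
            'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf\n'
            'Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n'
        )
    return check_modsec_conf(conf)


if __name__ == '__main__':
    report = demo()
    print('SecRuleEngine =', report['engine'])
    for finding in report['problems']:
        print('WARN:', finding)
```

Run it against the real file with check_modsec_conf('/opt/tengine/conf/modsecurity.conf') once the CRS files are in place; an empty problems list means the engine is On, every Include resolves, and the audit directory is not world-writable.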
V. Configure nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing:

# backend pool; its name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
phpinfo();
?>

Open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.

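The manual check above is worth scripting so it can be rerun after every rule change. The following Python script is an added example, not part of the original post: it sends the same three requests to a base URL given on the command line (defaulting to the post's http://www.52os.net/phpinfo.php) and exits non-zero if any response status differs from what the rule set should produce. The fetch parameter of run_smoke_tests is a hook that exists only so the logic can be exercised offline with a stand-in function.

```python
"""Smoke-test an nginx + ModSecurity virtual host: every request must come
back with the status the rule set is expected to give it.  Added example,
not part of the original post."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (query parameters, expected status): the three requests the post checks
# by hand.  The first must pass through, the other two must be blocked.
CASES = [
    ({'id': '1'}, 200),
    ({'id': '1 and 1=1'}, 403),
    ({'search': "<script>alert('xss');</script>"}, 403),
]


def http_status(url):
    """Return the HTTP status for url; a 4xx/5xx answer is still a status."""
    req = urllib.request.Request(url, headers={'User-Agent': 'waf-smoke-test'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_tests(base_url, fetch=http_status):
    """Run CASES against base_url (e.g. http://www.52os.net/phpinfo.php).

    fetch(url) -> int is pluggable so the comparison logic can be tested
    without a server.  Returns (url, expected, actual, ok) tuples.
    """
    results = []
    for params, expected in CASES:
        url = base_url + '?' + urllib.parse.urlencode(params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else 'http://www.52os.net/phpinfo.php'
    failed = 0
    for url, expected, actual, ok in run_smoke_tests(target):
        print('%s %s expected=%d got=%d' % ('PASS' if ok else 'FAIL', url, expected, actual))
        failed += not ok
    sys.exit(1 if failed else 0)
```

A FAIL on the first case means the rule set is blocking legitimate traffic (a false positive to investigate in the audit log); a FAIL on either of the other two usually means SecRuleEngine is still DetectionOnly or the corresponding rule file is not included.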
VII. Troubleshooting the installation

1. A missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
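Both error.log problems above (the APR version mismatch in item 4 and the audit-log mutex error in item 5) can be picked out of the log automatically instead of by eye. The following Python script is an added example, not part of the original post or of ModSecurity: it parses nginx error.log lines in the format shown above, reports any library whose loaded version differs from the version ModSecurity was compiled against, and extracts the bracketed fields (client, hostname, uri, unique_id) of every ModSecurity [error] line. SAMPLE_LOG is constructed from the lines quoted in items 4 and 5, with the mutex error joined back onto the single line it occupies in a real log.

```python
"""Pull ModSecurity start-up notices and request-time errors out of an nginx
error.log.  Added example, not part of the original post."""
import re

# nginx error.log line: "2015/01/26 02:04:18 [warn] 29036#0: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: (?P<msg>.*)$')
# Library notices: 'ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"'
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?')
# Bracketed fields: [client 10.11.15.161] [uri "/i.php"] [unique_id "..."]
FIELD_RE = re.compile(r'\[(\w+) (?:"([^"]*)"|([^\]]*))\]')

# Constructed from the error.log lines quoted in items 4 and 5 of the post.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""


def parse_error_log(text):
    """Return (mismatches, errors) for the ModSecurity lines in text.

    mismatches: dicts with lib, compiled, loaded for every library whose
                loaded version differs from the compiled one
    errors:     dicts with ts, msg and the bracketed fields of each
                ModSecurity [error] line
    """
    mismatches, errors = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or 'ModSecurity' not in m.group('msg'):
            continue
        msg = m.group('msg')
        v = VERSION_RE.search(msg)
        if v:
            compiled = v.group('compiled').strip()
            loaded = (v.group('loaded') or '').strip()
            # PCRE reports "7.8" vs "7.8 2008-09-05": compare the version
            # token only, so a build date does not count as a mismatch.
            if loaded and compiled.split()[0] != loaded.split()[0]:
                mismatches.append({'lib': v.group('lib'),
                                   'compiled': compiled, 'loaded': loaded})
        elif m.group('level') == 'error':
            entry = {'ts': m.group('ts'), 'msg': msg}
            for key, quoted, bare in FIELD_RE.findall(msg):
                entry[key] = quoted or bare
            errors.append(entry)
    return mismatches, errors


if __name__ == '__main__':
    mismatches, errors = parse_error_log(SAMPLE_LOG)
    for mm in mismatches:
        print('%s: compiled %s, loaded %s' % (mm['lib'], mm['compiled'], mm['loaded']))
    for err in errors:
        print('%s client=%s uri=%s: %s' % (err['ts'], err.get('client'), err.get('uri'), err['msg']))
```

Feed it the real file with parse_error_log(open('/opt/tengine/logs/error.log').read()) after applying the fixes above: the mismatch list should come back empty once only one APR is installed, and the unique_id of any remaining error line is the key for finding the matching entry under SecAuditLogStorageDir.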
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614