|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
2 }) u7 L! f( G3 o# p
( G2 e; ^# N) s; r- v6 y" N一.准备工作! `: f5 K* G8 F, E+ y
% R: p. P& F* j系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
% m7 V/ [. d$ [2 }
5 A( O) F9 W. C$ D! g, {tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz9 M" g- P$ r7 }2 b' q
2 q! }' U* l: Qmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz' l- Q" e5 p7 W, d: k
) B& J& P3 }7 o( V9 H0 aOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
0 y, f7 V3 E& G+ ~
1 G: ^+ J, X: a依赖关系:
3 s0 ]" F" S z7 J/ ttengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
4 o. I, i' ^7 ]9 U& k
( ?- D# p/ e! c0 k: n" h2 P) b2 iyum install zlib zlib-devel openssl openssl-devel pcre pcre-devel' D! z7 B/ P% h# D
modsecurty依赖的包:pcre httpd-devel libxml2 apr
, k0 c6 r5 x+ I+ T
5 a1 g' W+ G a0 d$ W/ A0 Tyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
9 {9 G% `) P" l( M4 b+ }( H) R! A: z. C二.启用standalone模块并编译. w- y- m( P& G
' j4 V0 j; f* b
下载modsecurity for nginx 解压,进入解压后目录执行:
5 t! H+ u" v2 [( m A5 u$ z$ V4 D+ |
./autogen.sh
* E% K2 D0 ?1 p) {: `& l./configure --enable-standalone-module --disable-mlogc- X. ~! B% Q& ~ e2 b! K$ n) c
make
4 W5 c( X9 z c1 Q& E% _三.nginx添加modsecurity模块' O P/ @2 }9 l6 ] E# ]
9 k. h' B+ l5 I8 G/ s在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:7 P0 z# ^( ^% ]2 t) g
4 m$ d4 U# e- w! \+ }./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine1 r: K/ p6 W: W6 m4 B, `
make && make install
3 I7 R2 e0 n( B7 Y- i四.添加规则
4 @, u. q+ q+ i3 w3 D7 w. `. X, a1 G2 G) e0 Y0 f+ k6 p
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
% w3 F7 H2 H5 b A. U5 Y- A" M2 {) E" t8 n5 m3 {
1.下载OWASP规则:& y& a* [3 `- n0 Q: E z _
) X: L5 ]& x( Z" {. l j. k1 B
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs4 t1 l7 t ]8 e' T& w9 c
2 O$ F+ X" u. y: e4 s. T! K
mv owasp-modsecurity-crs /opt/tengine/conf/
( C% H+ @& e0 y1 W! t1 i4 Z6 m- ^8 M8 B/ [8 p# p% M
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf( y$ |/ P) X3 p, T/ A T
2.启用OWASP规则:: @1 Z, I [0 P1 V& D
4 R" @4 V3 g- z) @( L( Z
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
Y% H/ N" f( [1 y& Y0 O/ k
/ q O9 e) l4 t: Y5 o3 r- o编辑modsecurity.conf 文件,将SecRuleEngine设置为 on% A8 \# C! N5 k0 U9 @3 v
' D' G0 B& B* i- Q& `7 ^owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。8 c8 G5 i2 `$ Y" L! V
5 R+ i+ O7 E4 \: V6 B8 [- G" p3 `0 SInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
0 Y* r' o/ J) u# g7 VInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf: @9 Z+ x" H" H7 \- u; g
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
' |9 z0 @- A4 r2 WInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf3 K6 a Y, Q5 z. M; d
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
6 x9 p$ v2 @6 `7 q" h: P9 HInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
, G- @- f; d3 w! c% bInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf' ^1 t! \- U7 I) q3 j$ a
五.配置nginx
1 R1 a/ s9 u6 J$ ]( n' j, l$ T9 X9 W& P
在需要启用modsecurity的主机的location下面加入下面两行即可:( \. j5 A$ k4 o& T {
9 I# u( A0 {. d2 f; Q4 HModSecurityEnabled on;
+ c" ]( d2 o$ {! d4 TModSecurityConfig modsecurity.conf;
6 ]! H. o1 q3 K- o下面是两个示例配置,php虚拟主机:
. N, [3 C3 `/ K, C5 c! k- ~6 C) r8 R8 X" q) A
server {% V" P, @/ x& P M
listen 80;
9 V o) H; Z I' M+ P: O# U4 d server_name 52os.net www.52os.net;, u% P& l: f$ B, J0 V
9 Y0 | d/ b; B& K4 |3 s) \
location ~ \.php$ {# Y0 A# w; [2 _0 o; o, b
ModSecurityEnabled on;
. @8 m& i1 L0 t6 P% d* X ModSecurityConfig modsecurity.conf;$ {9 }! |3 K8 p' n1 L) @' e$ \
' q l# |/ B( R5 r- I. Q5 F root /web/wordpress;
9 f" \, a0 o0 J- g5 P; C index index.php index.html index.htm;
9 c8 W; q( u+ e' i
1 {- N- f j. m/ Q fastcgi_pass 127.0.0.1:9000;: b) a! l X9 {* f# ?; h
fastcgi_index index.php;
& c: E$ P9 F* g% J. \3 V1 j, i2 g fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;. ~" a( p/ s& X' j) q
include fastcgi_params;
( \ I- P' T0 r4 Y$ O6 F: v! y1 ^* n }4 f2 m7 Y t ?' }* i+ ]
}/ t8 U( s5 i: u' |; X
upstream负载均衡:
7 d" _5 q: f I! F! F" e6 f M: H& b
upstream 52os.net {
+ l% K( y+ ~% {/ u, d/ _/ K# j: ~ server 192.168.1.100:8080;2 R6 X: U$ c4 ~: P
server 192.168.1.101:8080 backup;6 X; d- x& W- ^! ~. O
}) Y4 i& t5 e+ `7 |1 u
+ \& }/ _) z7 |
server {
* g7 F) D$ w+ J* h/ j* E- n+ s- [listen 80;
c+ x6 i1 \& n, [$ |server_name 52os.net www.52os.net;
5 n9 ~+ @+ e' K+ s, [
+ m" ` d! T4 J7 r; J0 \( dlocation / {8 \: K2 u( R0 [8 u
ModSecurityEnabled on; & J$ T$ q! r; s( @4 ^( Q, b# V
ModSecurityConfig modsecurity.conf;
" x* j$ ]$ x( Z7 k7 f' F# O3 o! N; W0 c& T3 N
proxy_pass http://online;: Y' g( z5 G- w0 I+ A
proxy_redirect off;
/ V- W3 r8 Y4 V! E proxy_set_header Host $host;
1 }5 f! m" D) D" h O3 p% F, p proxy_set_header X-Real-IP $remote_addr;) ~, q) Z$ A- n+ s
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;) \1 z7 Z" @5 s( u, E
}
8 a V7 v1 Y7 j8 j. a}) S0 [& p4 k' M, H
六.测试1 ?- i7 V" m# A: r, w- [/ v
2 g: c3 S3 q$ [& p' q: [5 {我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
. u8 ^3 |5 e9 D/ m0 P3 l3 Y& d/ `: k4 A" O: _ _
<?php; K4 k$ h8 F( K2 p' s/ Z* R
phpinfo(); ( h& `" }* P6 D
?>
& h' l/ d3 m4 {1 R6 b( M在浏览器中访问:! {" D/ y$ ?- u1 V+ S
) A5 x& K) {. ?/ d; A
http://www.52os.net/phpinfo.php?id=1 正常显示。' J* i* K3 s; c8 D" b/ t
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。4 }; x" G: E' w$ @
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。1 X: h4 @# E" c8 w& m' ~
说明sql注入和xss已经被过滤了
0 a; d0 l3 `7 ~0 f9 { Y- H9 l( Z3 P9 s0 K
七、安装过程中排错
( C$ l# \; W! t6 _, ?! j" Q7 h( U" G$ W \9 v( Q
1.缺少APXS会报错. w# Z/ f# O3 t3 R$ \' {: v3 ]
& k2 r' H4 c2 E0 ~& J% q* [8 Z
configure: looking for Apache module support via DSO through APXS
7 w. W7 }' {6 Tconfigure: error: couldn't find APXS" y1 P3 C P. K0 v2 J, c. B0 y
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
' X" _) H: a7 N5 L {( t* I1 P3 p) @解决方法:
# k5 N$ U, }5 _5 k. o& L! V/ }; R2 y
yum install httpd-devel' ?; u6 a2 F" [6 |
2.没有pcre+ J" R0 I- Y/ V0 F4 s
( |' G' ]( Q8 D/ n6 b
configure: *** pcre library not found.( ~) z6 \$ P5 E, P* P3 q
configure: error: pcre library is required* }! c' ?) r8 S0 V' q) a- g
解决方法:" z1 }; n" B* X; R0 f3 n( {
- h9 }8 H. x7 _3 K! ^( |$ Myum install pcre pcre-devel
c: `! _7 m5 E4 `" \1 v8 I3 U3.没有libxml2
; g, h a+ x3 {% a0 p/ z
, V; |6 A: Y8 |6 d% y% y8 E9 Q' H+ i/ A0 C
configure: *** xml library not found.
) v4 \; J6 w& a3 l5 _# {configure: error: libxml2 is required+ k% K4 q6 c, B. T6 T
解决方法:9 b1 q. X4 p U% q( L, t D6 [
6 J! B$ B9 A4 E L& z+ o
yum install libxml2 libxml2-devel
% E8 C1 c) W$ q0 C4.执行 /opt/tengine/sbin/nginx -m 时有警告
+ k( p/ j* j8 q B
5 i/ o" ^& P# M7 m& vTengine version: Tengine/2.1.0 (nginx/1.6.2)
3 Z: _4 [' z6 B* H) ` @nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
- O U6 \# p# h/ ]: M原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log. ]/ V! n. D8 E$ P1 a, z) B- M
) Q2 i% P7 ~* k! B9 j( |, u( W2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.$ k. p3 Y! E ?- q' w
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
# l( |6 N. |* \; K; X" | o/ D2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!6 h) s* p2 `1 [4 O* @$ {) Z0 `& `
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% h6 h/ e1 A. ^2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2 V, o/ X/ q6 Y+ A. d; ]2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.9 }, y4 V: a' `. o
解决方法,移除低版本的APR (1.3.9)) B; w5 G. t- _
0 R: b. K7 }( P" t
yum remove apr, q. b. [' u$ H' C0 j
5.Error.log中有: Audit log: Failed to lock global mutex& \, ]2 \1 K) Y: Z
: B( U1 O5 r ^, x4 k8 w2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock 0 E8 J9 J# j$ _& ^+ J |
global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
* { z9 N% z: h1 }7 d( L解决方法:7 ?; O3 _4 @. `1 A4 z+ ^
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:: T3 J3 H1 k; e* o K
) l' v/ x. O9 Z! YSecAuditLogDirMode 0777& F- I+ o6 k3 Y+ x4 ~
SecAuditLogFileMode 0550( h% r4 k8 j2 y" p- o
SecAuditLogStorageDir /var/log/modsecurity9 e3 b. r! `* v [5 t n
SecAuditLogType Concurrent7 T1 V8 Q; s0 f5 m
参考文章:
6 f8 z' ~3 N7 i9 t& U7 i" Yhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
4 P# M5 C+ W5 a* o& Ehttp://drops.wooyun.org/tips/2614 |
|