ModSecurity was originally an open-source WAF for Apache that noticeably hardens web applications. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web security.
I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, it can be added to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to cover any other requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rule files, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need; each rule file you want is pulled in with an Include line in modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, load balancing through an upstream:

# the upstream name must match the host name used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with a 403. Using the PHP setup as an example, create a file phpinfo.php containing:

<?php
phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
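The same three checks can be run as a script after every rule or config change, so a deployment that silently stops blocking (for example after SecRuleEngine is left on DetectionOnly) is caught immediately. The script below is an added example and is not part of the original post; it reuses the page's own test requests, takes the base URL as a parameter (the host is a placeholder), and lets the HTTP client be swapped out so the decision logic can be exercised without a live server. The clean request is kept as a control: without it, a server that returns 403 for everything would look like a working WAF.

```python
"""Added example (not from the original post): automate the three browser checks
from the Testing section and turn the status codes into a single verdict.

Assumptions not stated on the page: the base URL is supplied by the caller
(the default host below is a placeholder) and the fetcher is injectable.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# The page's own test requests: a clean control that must pass, and two requests
# that the SQL injection and XSS rules must answer with 403.
CHECKS = [
    ("clean request", {"id": "1"}, 200),
    ("sql injection", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base_url, path, params):
    """Percent-encode the query string the way a browser does before sending it."""
    return base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def http_status(url):
    """Default fetcher: return the HTTP status code for url, including error codes such as 403."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base_url, path="/phpinfo.php", fetch=http_status):
    """Run every check; return a list of (name, expected, actual, ok) tuples.

    `fetch` is injectable so the logic can be tested without a live server.
    """
    results = []
    for name, params, expected in CHECKS:
        actual = fetch(build_url(base_url, path, params))
        results.append((name, expected, actual, actual == expected))
    return results


def waf_verdict(results):
    """Reduce the results to one outcome.

    'ok'         : the control returned 200 and every attack request returned 403
    'engine off' : everything returned 200, i.e. nothing is being filtered
    'broken'     : anything else (control blocked, attack answered with an unexpected code)
    """
    actual = {name: got for name, _, got, _ in results}
    control_ok = actual["clean request"] == 200
    blocked = [actual[n] == 403 for n in ("sql injection", "xss")]
    if control_ok and all(blocked):
        return "ok"
    if all(code == 200 for code in actual.values()):
        return "engine off"
    return "broken"


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.invalid"  # placeholder host
    res = run_checks(base)
    for name, expected, got, ok in res:
        print(f"{'PASS' if ok else 'FAIL'} {name}: expected {expected}, got {got}")
    print("verdict:", waf_verdict(res))
```

Run it as `python3 waf_smoke_test.py http://www.52os.net` against the host from the page; a verdict of "engine off" usually means SecRuleEngine is not On or the location block is missing the two ModSecurity directives.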
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same mismatch:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
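Both of the run-time problems in items 4 and 5 only show up in nginx's error.log, so it pays to parse those lines rather than eyeball them. The script below is an added example, not code from the original post or from ModSecurity: it splits each error.log line into the nginx prefix (timestamp, level, pid, optional client) and the ModSecurity message, pulls out the trailing [key "value"] fields, and then reports libraries whose compiled and loaded versions differ and requests for which the audit log could not be written. The sample lines are the ones shown in this section; the regexes and function names are this example's own assumptions.

```python
"""Added example (not from the original post): parse the ModSecurity lines that
nginx writes to error.log and flag the two conditions from the troubleshooting
section, the APR compiled/loaded mismatch (item 4) and the audit-log mutex
failure (item 5). Regexes and function names are this example's own.
"""
import re

# Constructed sample input: the error.log excerpts shown in the troubleshooting section.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log prefix: "date time [level] pid#tid: " then an optional "[client ip] " and the message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$'
)
# ModSecurity appends request context as [key "value"] fields at the end of a message
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')
# Startup lines of the form: ModSecurity: LIB compiled version="x"; loaded version="y"
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for one ModSecurity error.log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or "ModSecurity" not in m.group("msg"):
        return None
    rec = m.groupdict()
    rec["fields"] = {f.group("key"): f.group("value") for f in FIELD_RE.finditer(rec["msg"])}
    # keep only the human-readable text in 'msg'; the fields live in rec["fields"]
    rec["msg"] = FIELD_RE.sub("", rec["msg"]).strip()
    return rec


def parse_log(text):
    """Parse a whole error.log excerpt, skipping non-ModSecurity lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def version_mismatches(records):
    """Libraries whose loaded version differs from the compiled one, e.g. {'APR': ('1.5.0', '1.3.9')}."""
    out = {}
    for rec in records:
        m = VERSION_RE.search(rec["msg"])
        if m and m.group("loaded") is not None:
            compiled, loaded = m.group("compiled").strip(), m.group("loaded").strip()
            # PCRE reports '7.8 2008-09-05' as loaded for compiled '7.8': a prefix match is fine
            if not loaded.startswith(compiled):
                out[m.group("lib")] = (compiled, loaded)
    return out


def audit_lock_failures(records):
    """Requests whose audit-log entry was lost because the global mutex could not be locked."""
    return [
        {"client": rec["client"], "uri": rec["fields"].get("uri"), "unique_id": rec["fields"].get("unique_id")}
        for rec in records
        if "Failed to lock global mutex" in rec["msg"]
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("version mismatches:", version_mismatches(recs))
    print("audit log failures:", audit_lock_failures(recs))
```

Point `parse_log` at the real file (`open("/opt/tengine/logs/error.log").read()`, assuming the default log path under the prefix used above) to run the same checks after a restart; a non-empty mismatch dict means the APR fix from item 4 has not taken effect, and any audit lock failure means requests are being served without an audit record, which is exactly what item 5 corrects.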
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614