ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.
1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0
Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
ModSecurity depends on pcre, httpd-devel, libxml2 and apr:
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone module is built, add it when compiling nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is built around filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1) Download the OWASP rules:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.
Edit modsecurity.conf and set SecRuleEngine to On.
owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need: each rule file is pulled in with an Include line in the configuration that ModSecurityConfig loads (modsecurity.conf), for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

Add the following two lines inside the location of every host on which ModSecurity should be active:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream group name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php with the following content:

<?php
    phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
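The same three checks as a repeatable script, so the WAF can be re-verified after every rule or nginx change. This is an added example, not part of the original post; BASE_URL, the case table and the curl-based fetcher are assumptions, and the fetcher is passed in as a function so the logic can be exercised without a live server.

```shell
# Added example (not from the original post): a repeatable version of the
# browser checks above. Each case pairs a request with the status the WAF must
# return: the plain request passes, the SQLi and XSS probes are refused (403).
# BASE_URL and the curl-based fetcher are assumptions for this example.
BASE_URL=${BASE_URL:-http://www.52os.net}

# Test table, one case per line: path|query string|expected HTTP status.
waf_cases() {
    cat <<'EOF'
/phpinfo.php|id=1|200
/phpinfo.php|id=1 and 1=1|403
/phpinfo.php|search=<script>alert('xss');</script>|403
EOF
}

# Fetcher for a live server: prints only the HTTP status code.
# -G with --data-urlencode sends the query as GET and encodes spaces and
# angle brackets, so the probe reaches ModSecurity exactly as typed above.
curl_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "$2" "$BASE_URL$1"
}

# run_waf_checks FETCHER: FETCHER takes (path, query) and prints a status code.
# Prints one PASS/FAIL line per case and returns 1 if any case failed, so the
# function can gate a deployment script. A fetcher that cannot connect yields ERR.
run_waf_checks() {
    fetcher=$1
    report=$(waf_cases | while IFS='|' read -r path query want; do
        got=$("$fetcher" "$path" "$query") || got=ERR
        if [ "$got" = "$want" ]; then verdict=PASS; else verdict=FAIL; fi
        printf '%s %s?%s expected %s got %s\n' "$verdict" "$path" "$query" "$want" "$got"
    done)
    printf '%s\n' "$report"
    printf '%s\n' "$report" | grep -q '^FAIL' && return 1
    return 0
}

# Against the live host: sh waf_check.sh --run
if [ "${1:-}" = "--run" ]; then run_waf_checks curl_status; fi
```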
7. Troubleshooting during installation

1) Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:
yum install httpd-devel

2) pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required
Fix:
yum install pcre pcre-devel

3) libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required
Fix:
yum install libxml2 libxml2-devel

4) Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):
yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

SecAuditLogDirMode 0777 makes the audit log directory world-writable; it only needs to be writable by the user the nginx worker processes run as.
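Once the rules are in place, nginx's error.log records each refused request as one line of bracketed [key "value"] fields, in the same layout as the mutex error quoted above. The following added example (not from the original post) turns such lines into a per-rule and per-client summary; the log lines it carries are constructed, and the rule ids and messages in them are illustrative.

```shell
# Added example (not from the original post): summarize the requests that
# ModSecurity refused, from nginx's error.log. ModSecurity 2.x logs one line
# per event with bracketed [key "value"] fields, like the mutex error above.
# The log lines below are constructed; rule ids and messages are illustrative.
sample_error_log() {
    cat <<'EOF'
2015/01/26 02:10:01 [error] 29036#0: *5 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-1"]
2015/01/26 02:10:03 [error] 29036#0: *6 [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-2"]
2015/01/26 02:10:09 [error] 29036#0: *7 [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "constructed-3"]
2015/01/26 02:10:12 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
EOF
}

# modsec_denials [LOG]: one tab-separated row (client, rule id, uri, message)
# per refused request; reads stdin when LOG is "-" or omitted.
modsec_denials() {
    awk '
    # field(line, key): value of the bracketed [key "value"] pair, or "-".
    function field(line, key,   n) {
        if (!match(line, "\\[" key " \"[^\"]*\"\\]")) return "-"
        n = length(key)
        return substr(line, RSTART + n + 3, RLENGTH - n - 5)
    }
    /ModSecurity: Access denied/ {
        client = "-"
        # nginx writes the peer as [client a.b.c.d] without quotes
        if (match($0, /\[client [^]]*\]/)) client = substr($0, RSTART + 8, RLENGTH - 9)
        printf "%s\t%s\t%s\t%s\n", client, field($0, "id"), field($0, "uri"), field($0, "msg")
    }' "${1:--}"
}

# denials_by_rule [LOG]: how often each rule fired, most frequent first.
denials_by_rule() {
    modsec_denials "$1" | cut -f2,4 | sort | uniq -c | sort -rn
}

# denials_by_client [LOG]: refused requests per client address.
denials_by_client() {
    modsec_denials "$1" | cut -f1 | sort | uniq -c | sort -rn
}
```

On a live host the same functions read the real file: denials_by_rule /opt/tengine/logs/error.log.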
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614