ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and build it

Download ModSecurity for nginx, extract it, enter the extracted directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install

IV. Add rules

ModSecurity is built to filter and block web attacks, and its power lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and thorough, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs matches without blocking).

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need by adding an Include line for each rule file to modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In the location block of each virtual host that should be protected, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are lowercase; $Document_root would be undefined
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

An upstream load-balancing setup:

    # the upstream name must match the proxy_pass target below
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Using the PHP setup as an example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open these URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
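The three checks above can be scripted so they run after every rule change. This is an added example, not code from the original post; it assumes the site is reachable at BASE_URL (the host the post uses) and that phpinfo.php is deployed as described.

```python
"""Added example, not code from the original post: send the three requests from
the testing section and check that the WAF answers each one with the expected
status. BASE_URL is the host used in the post; adjust it to your own setup."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://www.52os.net"

# (query parameters, expected status): a benign id, the post's SQL injection
# probe, and the post's reflected-XSS probe.
CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def build_url(base, params):
    """Percent-encode the query so the probe reaches nginx exactly as written."""
    return base + "/phpinfo.php?" + urllib.parse.urlencode(params)


def http_status(url):
    """GET url and return the status code; urllib raises on 4xx/5xx, so unwrap it."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_waf(base=BASE_URL, cases=CASES, fetch=http_status):
    """Run each case and return a list of (url, expected, actual, passed).

    fetch is injectable so the checking logic can be exercised without a server.
    """
    results = []
    for params, expected in cases:
        url = build_url(base, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


def all_passed(results):
    """True only when every probe got the status the rules should produce."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    for url, expected, actual, passed in check_waf():
        print("PASS" if passed else "FAIL", expected, actual, url)
```

A FAIL on the second or third case usually means SecRuleEngine is still DetectionOnly or the corresponding Include line is missing.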
VII. Troubleshooting the installation

1. Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Fix:

    yum install httpd-devel

2. pcre not found

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3. libxml2 not found

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log reports the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

    yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent

Note that 0777 makes the audit log directory world-writable; once /var/log/modsecurity is owned by the user the nginx worker processes run as, a more restrictive directory mode also works.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614