|
|
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。& g3 t( ?6 {: u a$ g1 l1 \
! K1 m% R' q! n {- ?$ N一.准备工作
0 u8 X2 V! F. f, s
: f4 }4 i$ E; H) F" A( S D" J& D. ]系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0! j+ a) @" ^. B3 ?
; F. Z4 N) [: G* {6 h
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz: H! q' [6 Z$ Q
; e) c1 M: t/ J2 n
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
5 Z7 [; z6 S: m1 w* a) T" t) |4 b! {1 p
5 P$ Q9 x* B9 k0 G2 O6 WOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
" m, c$ n3 t2 U
4 A2 B2 K# ~/ A8 h( {依赖关系:
9 i& s3 v7 K. t& o% h3 dtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:
3 ^0 J1 D1 X' k$ ] k1 e# l3 A8 Z% @* X, s9 c# Q
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel# G) _0 Y4 R! ~ t* A- ^
modsecurty依赖的包:pcre httpd-devel libxml2 apr4 ]. v6 ~9 F; {" L. I" d
# ^7 R6 r8 ~# Vyum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel" E1 S+ l6 T# h- {, l
二.启用standalone模块并编译, l/ K: M6 N3 }4 l& F( Q
V s( T# p7 @! n& E
下载modsecurity for nginx 解压,进入解压后目录执行:
& T* x- p; C D- `+ Z* g* c% @4 z
1 w6 t/ f+ o) ~# P./autogen.sh
# p4 \% S" q3 I: C% T./configure --enable-standalone-module --disable-mlogc1 L: N$ w. y% M# ^: q* s: P+ \
make " W. b' j3 c2 C& v$ G. A: M
三.nginx添加modsecurity模块$ v0 m# `& f: r$ ?3 J
! J o- f. U1 C+ J在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:
; D9 G. k0 h8 l2 j+ a+ ?- i4 [4 X4 i7 }. ~0 X; R7 @: a1 P
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
7 x8 C& [& ~: I8 }make && make install' q9 \# x e! U7 V. Q
四.添加规则 ?( w; N0 v0 B' `, f
& \4 `/ v T' G W4 omodsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
* _2 y& q7 U- ?" R5 d6 z) ?" H# ^3 K9 g @% y
1.下载OWASP规则:
" L- H( J( B. _: f0 ^
9 g' k3 f4 P+ n3 P9 B+ sgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs+ h+ H8 ^* l" z5 [
# @/ V& L2 ^' c% L6 w8 @9 }mv owasp-modsecurity-crs /opt/tengine/conf/: |$ A9 {$ f, ?" K2 }' p
, j5 L' c- J6 j, |9 U5 C8 O3 E' ncd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf8 J( j: e. N+ D* m5 @0 x9 \+ V0 E
2.启用OWASP规则:
8 D* k% S! h' o
+ D! w7 [! D' I" s5 s8 v复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
$ R$ S, e) `0 W
" O; m1 \0 C+ D' H/ k3 s编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
! n& |; v6 g; ?- ? {2 s' s8 R/ ^2 n
owasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。
4 Q; s: u7 v2 o* r) {4 c% I7 `1 s9 b( Z1 G" C
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
$ m+ c* S1 T, ~Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
O. x5 o/ K1 c2 N* l/ j w8 L/ MInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
7 |5 f2 b* G; }" f% m2 pInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
' K6 f) w2 A }' O- V9 |Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf/ N8 l* U' I& k1 z) {
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
D; a5 Q5 P0 bInclude owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
. G5 {& \. F9 h五.配置nginx
/ s, o6 U0 q% @( K G' L/ Y$ f' R% G# L$ d
在需要启用modsecurity的主机的location下面加入下面两行即可:3 ?. j! p+ i+ D5 c3 l7 z
/ w% Z2 U% m5 I- ]3 I
ModSecurityEnabled on; , b. ]7 W7 t) ?$ Z2 F
ModSecurityConfig modsecurity.conf;
G6 M$ \" Y( p: u9 A( h9 X下面是两个示例配置,php虚拟主机:$ l r1 A- g+ E
- b. y/ J7 a, b# z8 f( Q) f2 t* q
server {
- p( H% R- T- p listen 80;
2 I! x8 w3 ~7 { ^& c server_name 52os.net www.52os.net;5 x) |' y0 m8 x/ r& t
' s+ D" k0 b1 n% V1 ^8 ]$ z1 r location ~ \.php$ {
# o/ F5 @* g, L& m5 _! f ModSecurityEnabled on; 7 m1 E! ?+ n; r
ModSecurityConfig modsecurity.conf;5 |! w" w7 u# V0 y5 {; U
Q ]) ^; b$ V( a) ]
root /web/wordpress;
C! t0 U7 n, C/ ?6 }* t index index.php index.html index.htm;) D) k% X/ i1 D0 M5 a
8 p% b# m3 u0 i! w
fastcgi_pass 127.0.0.1:9000;4 U0 s8 S' T! n
fastcgi_index index.php;
* b- {; f3 u1 H2 P; ]. ] fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;6 u I3 ]9 |- E; J/ k$ C3 A0 |
include fastcgi_params;1 s9 u6 y% s1 l! U4 u. P* T
}0 `8 u- X9 v1 S+ h$ ^' W4 J
}# t& Q3 N4 V. `7 k& B( |
upstream负载均衡:
8 }( u+ H! [: a9 Q) ]
* u, T! i5 {, h0 F5 E+ Bupstream 52os.net {! O, p( q. @6 `: \: C
server 192.168.1.100:8080;
( a; }5 \0 m* O server 192.168.1.101:8080 backup;
) n0 i8 v* h! Z( w}$ [- U( z* h7 J( i [8 f
$ C7 [5 `$ U% Z% w V
server {% l; y5 v0 t z% r4 P& _
listen 80;% ], ]6 W" @5 }" r- w- v$ W5 s
server_name 52os.net www.52os.net;
9 L% |# e0 z7 f. }1 ~* m
6 T9 R+ _2 }( b" z8 ^( Llocation / {. D6 t7 S3 X: A ?
ModSecurityEnabled on; ; a( M6 Q% Q6 Q4 w4 h
ModSecurityConfig modsecurity.conf; 9 M- n3 G- c! I0 f/ T N& X
% ?' J) [1 I6 Y proxy_pass http://online;
" y& F; t; O2 i$ ^; A, y; R proxy_redirect off;
, O7 c. M! ?2 l9 l proxy_set_header Host $host;2 `8 v2 O$ d+ X. H7 u8 n5 S6 a
proxy_set_header X-Real-IP $remote_addr;
" H5 q! U% u$ T proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
, W1 q7 U+ U2 x% X- q" @ }+ |% ^6 S' H7 j) R
}/ v% e$ S9 ]" T$ t& O
六.测试
2 p$ L$ \0 a' ?# A- J% F8 T& m+ S
' u& v, q1 `: b我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:# v! U( f) ^8 I- A- M: _9 B
; Y& \% D: p! @: O<?php+ m' y1 c7 |. Q7 F9 P1 O
phpinfo();
: h3 ]) v0 s' ?0 P5 o+ N0 d1 P( w?>
) M1 w3 N5 f ~1 D0 Y在浏览器中访问:
" G f! U$ z0 M/ W" D( k- ~
# e& w* j* I+ G7 v' v6 }http://www.52os.net/phpinfo.php?id=1 正常显示。* U6 K) E. C1 w- {2 O0 y) d
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。$ p: _4 Y9 j& Q5 ^7 `
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。7 C' s( \ v* H& X- |! b0 L9 I: ]
说明sql注入和xss已经被过滤了
6 _6 ?1 Q2 z! V( M# R# _$ Y& G! r9 W+ x
七、安装过程中排错( r2 }3 Z3 T6 B: [( ]3 W, Q% [% h
: H; I/ c6 E* g9 r- E2 g% d- W) D1.缺少APXS会报错
$ q6 K( Y( ~8 l9 v
9 o" H* X S. X, v, Rconfigure: looking for Apache module support via DSO through APXS1 T; j' d8 }) n( A3 o
configure: error: couldn't find APXS3 \7 x3 N" A0 l% i J
apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。9 Q k$ i# M! N3 H8 m! M
解决方法:- \* H. N( l6 L7 \# F
) @) `8 ?) G+ F; x, P
yum install httpd-devel D8 x9 F3 d4 }( g0 r* [
2.没有pcre3 I) q, k3 ?# A% v( ]0 M
4 y6 K$ X5 }0 J$ {7 B+ Q4 Q' @4 T3 T
configure: *** pcre library not found.
. R" x. B* ?3 j* \; U1 Y' fconfigure: error: pcre library is required1 u4 s4 ?2 o" c3 }8 N+ W
解决方法:
6 ?7 N. x( ^6 X. j! P. e4 `- ?; q! P7 n6 M$ z
yum install pcre pcre-devel
9 `' V3 f0 ?7 `# k" P( r. n0 ~2 z3.没有libxml2
/ d( v! j; w/ N( R4 I
3 g. c4 [; g4 T9 U' R q; S9 f3 H7 p1 `5 r* Y" ~. f
configure: *** xml library not found.8 v E+ W+ i7 g U+ {4 D# Y
configure: error: libxml2 is required* a1 ?' }3 x" Y4 q2 {6 v" q5 d
解决方法:
; j' r, @+ m t# X7 _- [1 E5 s; G7 h$ X8 p7 r
yum install libxml2 libxml2-devel. p; @8 f4 Q; E9 u' M# q9 l, ^, E
4.执行 /opt/tengine/sbin/nginx -m 时有警告. z$ n1 F* h6 a4 q K
+ E% {$ o9 d0 W2 _Tengine version: Tengine/2.1.0 (nginx/1.6.2)2 d* k0 ]3 c& ^7 B' u
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!9 `$ x/ w- S+ @ Z
原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log. t6 ~% j+ d; f* U1 N6 _# o* Q
C1 p' I+ `5 _% B7 X
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.; z" Z2 t& y" I# L
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
8 ^4 \3 F% x7 ~9 }! U: A2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
3 s& ^! I: p! p8 K' S+ G7 z2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"3 v; p8 F4 i9 b. o! G
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
0 o4 A4 P+ M. I2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
6 V+ ]& \* z* N解决方法,移除低版本的APR (1.3.9)
2 C& X' V. N1 u# U
" U! l/ M$ z" m2 R3 X* G- r8 d1 Cyum remove apr
: ]) T5 q+ D5 f5 H1 m5.Error.log中有: Audit log: Failed to lock global mutex' Y# B. N& U# K, l2 ]
^- K* c; a) T6 ~4 |
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock
9 j1 b% U v! V( D5 Rglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
. h- M4 ^* \+ y1 i* i# T解决方法:0 z5 Y9 o7 F0 j1 ^+ @2 G S7 R
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:: u! v! b3 {/ }0 _: M2 V
* w1 J( d+ V c' J" y) g
SecAuditLogDirMode 0777
) B f4 s2 r, Z0 l. ]SecAuditLogFileMode 0550
( C! W& U3 d& ]# S& @, YSecAuditLogStorageDir /var/log/modsecurity
1 e& g( b8 ~# Y0 B; FSecAuditLogType Concurrent
1 h7 t9 p) m& C/ ]! N- j" X参考文章:0 U+ v5 Q: `2 D: ?
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
6 E& h8 w' a2 q0 ?4 X+ H0 p1 P2 \# Xhttp://drops.wooyun.org/tips/2614 |
|