ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

(These are the versions this walkthrough was done with. CentOS 6 and ModSecurity 2.8.0 are both long past end of life; the procedure still applies to later 2.9.x releases, but do not put these exact versions into production.)

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr/apr-util:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--enable-standalone-module builds the variant that is embedded into nginx rather than the Apache module; --disable-mlogc skips the remote-logging client, which would otherwise pull in libcurl. Only make is needed here, not make install: the nginx build in the next step reads the objects straight from this source tree.

III. Add the ModSecurity module to nginx

Once the standalone build has finished, the ModSecurity module is added when configuring nginx with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards, confirm that the module was compiled in with /opt/tengine/sbin/nginx -V; the configure arguments it prints should contain the --add-module path.
IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written to cover any further needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The layout used below (base_rules/, optional_rules/ and so on, with a modsecurity_crs_10_setup.conf) is the CRS 2.2.x layout. The repository's master branch has since moved to CRS 3, which uses crs-setup.conf.example and a single rules/ directory, so check out a 2.2.x release tag (for example v2.2.9) if you want the file names here to match.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which only logs and never blocks, so without this change the tests in section VI will all return 200.

owasp-modsecurity-crs contains several rule directories, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding Include lines for them to modsecurity.conf. The setup file has to come first, because it defines the variables and default action the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location blocks of the virtual hosts that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

modsecurity.conf is the file created in section IV; an absolute path such as /opt/tengine/conf/modsecurity.conf is the unambiguous choice.

Two example configurations follow. A PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

(The original wrote $Document_root; nginx variable names are case-sensitive and nginx refuses to start on an unknown variable, so it must be $document_root.) Note that with ModSecurityEnabled only inside the PHP location, requests for static files under /web/wordpress are served without inspection; the proxy example below covers everything under /.

Upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

(The original named the upstream 52os.net while proxy_pass pointed at http://online; the two names must match, so the upstream is called online here.)
VI. Testing

With the XSS and SQL injection rules enabled, malicious requests are answered directly with 403. Taking the PHP environment as the example, create phpinfo.php with:

<?php
phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once testing is done: it discloses the PHP build, loaded modules and environment to anyone who can reach it.
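The browser checks above are worth scripting so they can be rerun after every rule change. The following is an added example, not code from the original post: a POSIX shell script that sends the same requests (plus a bare one) with curl and compares the status codes with what the WAF should answer. The base URL, the phpinfo.php path, the payloads and the expected codes are assumptions taken from the text; the HTTP call is isolated in http_status so the checks can also be exercised without a server.

```shell
#!/bin/sh
# Added example, not part of the original post: scripts the browser checks from
# section VI with curl so they can be rerun after every rule change. The base
# URL, the phpinfo.php path, the payloads and the expected status codes are
# assumptions taken from the text; adjust them for your own host.

# HTTP status code for GET <base>/<path>?<query>. curl -G --data-urlencode
# percent-encodes the part after the first "=" so spaces, quotes and angle
# brackets reach the WAF intact; curl prints 000 when the server is unreachable.
http_status() {
    base="$1"; path="$2"; query="$3"
    if [ -n "$query" ]; then
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
            -G --data-urlencode "$query" "$base/$path"
    else
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$base/$path"
    fi
}

# Run one request and compare the status with what the WAF should answer.
# Returns 0 on PASS, 1 on FAIL.
check_case() {
    base="$1"; path="$2"; query="$3"; expected="$4"
    got=$(http_status "$base" "$path" "$query") || got=000
    if [ "$got" = "$expected" ]; then
        printf 'PASS %s %s?%s\n' "$got" "$path" "$query"
        return 0
    fi
    printf 'FAIL expected %s got %s %s?%s\n' "$expected" "$got" "$path" "$query"
    return 1
}

# The cases from section VI plus a bare request; returns the number of failures
# (0 means benign traffic gets through and both attacks are blocked).
run_waf_checks() {
    base="$1"
    failures=0
    check_case "$base" phpinfo.php '' 200 || failures=$((failures + 1))
    check_case "$base" phpinfo.php 'id=1' 200 || failures=$((failures + 1))
    check_case "$base" phpinfo.php 'id=1 and 1=1' 403 || failures=$((failures + 1))
    check_case "$base" phpinfo.php "search=<script>alert('xss');</script>" 403 || failures=$((failures + 1))
    return "$failures"
}

# Only hit a real server when WAF_BASE_URL is set, e.g.
#   WAF_BASE_URL=http://www.52os.net sh waf-smoke.sh
if [ -n "${WAF_BASE_URL:-}" ]; then
    run_waf_checks "$WAF_BASE_URL"
fi
```

The bare request is there on purpose: a WAF that answers 403 to a request with no parameters is misconfigured rather than strict, and the script counts that as a failure just like a missed attack. The exit status of run_waf_checks is the failure count, so the script slots into a deploy pipeline as a gate.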
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object. ModSecurity's configure script uses it to locate the Apache headers even when only the standalone module is being built.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required
Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required
Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9).

Before removing anything, check which libapr the binary actually resolves with ldd /opt/tengine/sbin/nginx | grep apr. CentOS 6 packages apr 1.3.9, so the 1.5.0 that configure picked up must have been a non-packaged copy (for example one built from source under /usr/local); make sure the copy you keep is the one the module was built against, and be aware that yum remove apr also removes the packages that depend on it (httpd, httpd-devel, apr-util). The mismatch is only reported as a warning, but running against a different library build than the one compiled for is not something to leave in production.

yum remove apr
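The version lines in error.log are easy to misread by eye once several libraries are listed, so here is an added example (not from the original post) that extracts every compiled/loaded pair, reports the ones that differ, and then shows which libapr the binary actually resolves with ldd. The sample log lines are the ones quoted above, embedded so the check runs offline; /opt/tengine/sbin/nginx is the path from this walkthrough and an assumption for other installs.

```shell
#!/bin/sh
# Added example, not from the original post. Reads nginx's error.log, extracts
# every "compiled version / loaded version" pair ModSecurity prints at startup,
# reports the libraries whose runtime version differs from the build-time one,
# and shows which libapr the nginx binary actually resolves. The sample log
# lines are the ones quoted in the text; the nginx path is the one used in this
# walkthrough and is an assumption for other installs.

# The startup lines quoted in the text, embedded so the check runs offline.
sample_log() {
    cat <<'EOF'
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
EOF
}

# Print "LIB|compiled|loaded" for every line on stdin that carries both a
# compiled and a loaded version (LIBXML only reports a compiled one, so it is
# skipped).
report_lib_versions() {
    sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1|\2|\3/p'
}

# Compare only the leading version token on each side: the PCRE line pads the
# loaded version with a build date ("7.8 2008-09-05"), which is not a mismatch.
# Prints one line per library; exits 1 if any library mismatched.
check_lib_versions() {
    report_lib_versions | awk -F'|' '
        {
            split($2, c, " "); split($3, l, " ")
            if (c[1] != l[1]) {
                printf "MISMATCH %s: compiled %s, loaded %s\n", $1, c[1], l[1]
                bad++
            } else {
                printf "ok %s %s\n", $1, c[1]
            }
        }
        END { exit (bad > 0) }'
}

# Which shared libapr the binary resolves at run time; this is the copy that
# has to match the version ModSecurity was built against.
loaded_apr_library() {
    ldd "$1" | grep -i 'libapr'
}

# Usage: sh check-modsec-libs.sh /opt/tengine/logs/error.log [/opt/tengine/sbin/nginx]
if [ -n "${1:-}" ]; then
    if ! check_lib_versions < "$1"; then
        echo "build/runtime library mismatch; nginx currently resolves:"
        loaded_apr_library "${2:-/opt/tengine/sbin/nginx}"
    fi
fi
```

Run it against the real error.log after every nginx restart; on the log above it prints "MISMATCH APR: compiled 1.5.0, loaded 1.3.9" and "ok PCRE 7.8" and exits 1, and the ldd line then tells you which of the two APR copies on the box is the one to keep.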
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Serial audit logging writes every transaction to one file and serialises the workers with a global mutex; the mutex is created by the master process running as root, and the workers, running as the unprivileged nginx user, are refused access to it. Concurrent logging writes one file per transaction under SecAuditLogStorageDir and needs no shared lock. Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Create /var/log/modsecurity owned by the account the nginx workers run as (the user directive in nginx.conf). The original post used SecAuditLogDirMode 0777 and SecAuditLogFileMode 0550; a world-writable directory lets any local account tamper with or plant audit records, and 0750 with the right owner is all the workers need. If you want an index of the per-transaction files, keep a SecAuditLog line pointing at the index file instead of commenting it out: in Concurrent mode that is what SecAuditLog is used for.

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614