ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

1. Preparation

Environment: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
3. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added to the nginx build with "--add-module":

    ./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
    make && make install
4. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and thorough, and you can of course write your own rules to cover other needs.

1) Download the OWASP rules:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/tengine/conf/
    cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want active is pulled into modsecurity.conf with an Include:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In each location of the virtual host that should be protected by ModSecurity, add these two lines:

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # nginx variable names are case-sensitive: $document_root, not $Document_root
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

A load-balanced upstream:

    upstream 52os.net {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }

    server {
        listen 80;
        server_name 52os.net www.52os.net;

        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            # the proxy_pass target must name the upstream block defined above
            proxy_pass http://52os.net;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
6. Testing

With the XSS and SQL injection rules enabled, malformed requests get a 403 straight away. Using the PHP host as the example, create a phpinfo.php containing:

    <?php
    phpinfo();
    ?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> returns 403.

This shows that SQL injection and XSS requests are being filtered.
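The same three checks as a repeatable post-deployment smoke test, added here as an example and not part of the original article. It assumes the article's host (http://www.52os.net) with phpinfo.php at the web root; any other base URL can be passed as the first argument, and a DetectionOnly engine shows up as two FAIL rows because the 403s never arrive.

```python
"""Smoke test: confirm the WAF passes a benign request and blocks the two probes."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# (query parameter, value, expected HTTP status): the three requests from the article
CASES = [
    ("id", "1", 200),                                   # benign request must pass
    ("id", "1 and 1=1", 403),                           # CRS 41 SQL injection rules block
    ("search", "<script>alert('xss');</script>", 403),  # CRS 41 XSS rules block
]


def build_url(base, param, value):
    """URL-encode the test value so the request itself is well-formed."""
    return f"{base.rstrip('/')}/phpinfo.php?{param}={urllib.parse.quote(value, safe='')}"


def fetch_status(url, timeout=5):
    """Return the HTTP status; urllib raises on 4xx/5xx, so recover the code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def judge(observed):
    """Compare observed statuses (aligned with CASES) to the expectations.

    Returns (all_ok, [(param, value, expected, observed, ok), ...]).
    """
    rows = [(p, v, exp, got, got == exp) for (p, v, exp), got in zip(CASES, observed)]
    return all(r[-1] for r in rows), rows


def run(base):
    """Send the three requests and print one PASS/FAIL line per case."""
    observed = [fetch_status(build_url(base, p, v)) for p, v, _ in CASES]
    ok, rows = judge(observed)
    for param, value, expected, got, passed in rows:
        print(f"{'PASS' if passed else 'FAIL'} {param}={value!r}: expected {expected}, got {got}")
    return ok


if __name__ == "__main__":
    base_url = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net"  # article's host
    sys.exit(0 if run(base_url) else 1)
```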
7. Troubleshooting the installation

1) Missing APXS

    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

    yum install httpd-devel

2) pcre missing

    configure: *** pcre library not found.
    configure: error: pcre library is required

Fix:

    yum install pcre pcre-devel

3) libxml2 missing

    configure: *** xml library not found.
    configure: error: libxml2 is required

Fix:

    yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

    Tengine version: Tengine/2.1.0 (nginx/1.6.2)
    nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
    2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
    2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
    2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

    yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

    2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

    SecAuditLogDirMode 0777
    SecAuditLogFileMode 0550
    SecAuditLogStorageDir /var/log/modsecurity
    SecAuditLogType Concurrent

Note that 0777 makes the audit log directory writable by every local user; the error only requires the directory to be writable by the user the nginx worker processes run as, so owning it by that user with a tighter mode is the safer way to get the same result.
References:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614