ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security. It now supports nginx and IIS as well; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.
1. Preparation
System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0
Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs
Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (it provides apxs, which ModSecurity's configure script requires even for the standalone build), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

Once the standalone build is done, the module is added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

After installation, /opt/tengine/sbin/nginx -V prints the configure arguments; the --add-module path should appear there, which confirms the module was compiled in.
4. Add rules

ModSecurity's job is to filter and block dangerous web traffic, and its strength lies in its rules. The rule set published by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can also write custom rules for whatever the CRS does not cover.
1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with DetectionOnly, which logs matches but blocks nothing; that is a sensible mode for a first run against real traffic before switching to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding Include lines to modsecurity.conf. The setup file must be included first, because the rule files depend on the variables it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
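The CRS files above give generic coverage; the custom rules the text mentions, and the targeted exclusions you will need once the CRS starts flagging legitimate traffic, belong in a file of your own. The block below is an added example and is not part of the original post or of the CRS project: a hypothetical modsecurity_custom.conf placed in nginx's conf directory and Included from modsecurity.conf after the CRS lines. It assumes the WordPress document root and the phpinfo.php?id= test page from this post, 192.168.1.0/24 as the admin network, and 981173 (the CRS 2.2 "Restricted SQL Character Anomaly Detection" rule, a common false-positive source) as the rule being excluded; substitute the id your own audit log reports. Rule ids 1 to 99,999 are reserved by ModSecurity for local rules, so the ids used here cannot collide with the CRS.

```apacheconf
# modsecurity_custom.conf  (added example, not from the original post)
# In modsecurity.conf, after the CRS Include lines:
#     Include modsecurity_custom.conf
# Ids 1-99999 are reserved by ModSecurity for local rules.

# 1. Positive model for a known endpoint. phpinfo.php only ever takes a
#    numeric id, so reject anything else before the generic CRS rules run.
#    "chain" makes the second SecRule a condition of the first; the
#    disruptive action (deny) and status live on the first rule only.
#    If ?id= is absent, ARGS:id has no value, the chain does not match and
#    the request passes through to the CRS rules as usual.
SecRule REQUEST_FILENAME "@endsWith /phpinfo.php" \
    "id:10001,phase:2,t:none,deny,status:403,log,msg:'phpinfo.php: id must be numeric',chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# 2. Restrict the WordPress admin area to the admin network (assumed
#    192.168.1.0/24). admin-ajax.php is also called by the public site, so
#    it is exempted with a second chain link. REMOTE_ADDR is the TCP peer:
#    correct here because nginx is the edge, wrong if another proxy sits
#    in front of it (you would then have to evaluate X-Forwarded-For).
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10002,phase:1,t:none,deny,status:403,log,msg:'wp-admin request from outside the admin network',chain"
    SecRule REQUEST_FILENAME "!@endsWith /wp-admin/admin-ajax.php" "t:none,chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24,127.0.0.1"

# 3. Targeted exclusion instead of switching a CRS rule off everywhere.
#    Post bodies saved from the WordPress editor legitimately contain
#    SQL-looking characters, so drop only the 'content' argument from
#    rule 981173, and only for post.php. ctl: actions in phase 1 apply to
#    the whole transaction, so the phase-2 CRS rule sees the change.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
    "id:10003,phase:1,t:none,pass,nolog,ctl:ruleRemoveTargetById=981173;ARGS:content"

# 4. Global removal is the blunt alternative; reserve it for rules that are
#    wrong for this site on every URL. It must appear after the Include
#    that defines the rule it removes.
# SecRuleRemoveById 981173
```

Run the file through the engine in DetectionOnly mode first and watch the audit log: a custom deny rule that matches legitimate traffic is just as much an outage as a CRS false positive.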
5. Configure nginx

In each location of the virtual host where ModSecurity should be active, add the following two lines. The directives are per location, so requests handled by locations without them are not inspected:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Here are two example configurations. First, a PHP virtual host:

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Second, upstream load balancing. The upstream name must match the host part of proxy_pass:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight away. Using the PHP host as the example, create phpinfo.php containing:

<?php
phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1 is served normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

So the SQL injection and XSS attempts are being blocked. Delete phpinfo.php when you are done: it discloses the full PHP configuration to anyone who can reach it.
7. Troubleshooting the installation

1) APXS missing

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script looks for it even when only the standalone module is being built.
Fix:

yum install httpd-devel
2) pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3) libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4) Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9) so that the loader picks up the version the module was compiled against:

yum remove apr

Note that yum also removes every package that depends on apr (apr-util, httpd-devel and friends), so do this only after the build has finished, and make sure the APR 1.5.0 libraries that ModSecurity was compiled against stay on the library path.
5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

The serial audit log (the default in modsecurity.conf-recommended) appends every transaction to a single file and takes a global mutex for each write; the unprivileged nginx worker gets Permission denied when it tries to lock it. The concurrent log type writes one file per transaction and does not need that mutex.
Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

/var/log/modsecurity must exist and be writable by the user the nginx workers run as. Mode 0777 guarantees that, but it also lets every local user read and delete the audit files (which contain full request and response data); giving the directory to the worker user with a tighter mode is the better choice.
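A tighter version of the fix above, as an added example that is not the original post's configuration: the engine starts in DetectionOnly until the audit log is quiet, only relevant transactions are logged, and the concurrent log directory gets the narrowest permissions that still work. It assumes the workers run as nobody (nginx's compiled-in default; match it to the user directive in your nginx.conf) and /var/log/modsecurity as the storage directory. The SecAuditLog index file stays commented out, as in the fix above.

```apacheconf
# Fragment for modsecurity.conf (added example, not from the original post).
# Replace the post's SecRuleEngine and SecAuditLog* lines with these.

# Stage 1: observe only. Every rule still runs and is logged, nothing is
# blocked. Change to "On" once the audit log shows no false positives for
# your application; the post's section 6 tests then return 403.
SecRuleEngine DetectionOnly

# Log only transactions that triggered a rule or ended in 4xx/5xx (except
# 404), not every request. The regex is the one shipped in
# modsecurity.conf-recommended.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# A request line/headers, B request headers, I form-encoded body, J file
# upload info, D/E response (E only with SecResponseBodyAccess On),
# F response headers, H trailer with the rule matches, Z end marker.
SecAuditLogParts ABIJDEFHZ

# Concurrent mode: one file per transaction under a date-based tree, no
# global mutex. Instead of the post's 0777/0550, create the top directory
# owned by the worker user before starting nginx:
#     mkdir -p /var/log/modsecurity
#     chown nobody:nobody /var/log/modsecurity     # assumed worker user
#     chmod 0750 /var/log/modsecurity
# Sub-directories and files are then created by the worker with the modes
# below, so only that user (and root) can read them.
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640
#SecAuditLog /var/log/modsecurity/audit_index.log
```

Check the result with /opt/tengine/sbin/nginx -t, then reload and confirm that a test request from section 6 produces a new file under /var/log/modsecurity without any "Failed to lock global mutex" line in error.log.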
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614