nginx配合modsecurity实现WAF功能

一、准备工作

系统：centos 7.2 64位、nginx1.10.2， modsecurity2.9.1 owasp3.0

1、nginx：http://nginx.org/download/nginx-1.10.2.tar.gz

2、modsecurity for Nginx: https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

3、OWASP规则集：https://github.com/SpiderLabs/owasp-modsecurity-crs

4、OWASP规则集下载地址：https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0/master.zip

(yum install unzip && unzip master.zip)

依赖关系：

 nginx依赖： pcre 、zlib、 openssl

yum install zlib zlib-devel openssl openssl-devel  pcre pcre-devel（均已安装好）

modsecurty依赖的包：pcre httpd-devel libxml2 apr

yum install httpd-devel apr apr-util-devel apr-devel  pcre pcre-devel  libxml2 libxml2-devel

二、启用standalone模块并编译

下载modsecurity for nginx 解压，进入解压后目录执行：

tar zxvf modsecurity-2.9.1.tar.gz

cd modsecurity-2.9.1

./autogen.sh

./configure --enable-standalone-module --disable-mlogc

make （没有make install）

三、nginx添加modsecurity模块

在编译standalone后，nginx编译时可以通过"--add-module"添加modsecurity模块：

./configure （nginx –V得到的参数） --add-module=/usr/local/src/modsecurity-2.9.1/nginx/modsecurity/

make 

make install(若是nginx已经安装过，看nginx平滑升级的文章解决，不用执行 make install)

四、添加规则

modsecurity倾向于过滤和阻止web危险，之所以强大就在于规则，OWASP提供的规则是于社区志愿者维护的，被称为核心规则CRS（corerules）,规则可靠强大，当然也可以自定义规则来满足各种需求。

1.下载OWASP规则

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

（wget　https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0/master.zip　&& unzip master.zip　）

cp -r owasp-modsecurity-crs-3.0-master/ /usr/local/nginx/conf/owasp-modsecurity-crs #移动到nginx配置目录下

cd /usr/loca/nginx/conf/owasp-modsecurity-crs 

cp crs-setup.conf.example  crs-setup.conf   #拷贝模板配置文件

cp /usr/local/src/modsecurity-2.9.1/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf  #拷贝并重命名配置文件

cp /usr/local/src/modsecurity-2.9.1/unicode.mapping /usr/local/nginx/conf/  #拷贝配置文件

2.启用OWASP规则

owasp-modsecurity-crs下有很多存放规则的文件夹，里面的规则按需要启用，需要启用的规则使用Include进来即可。

vi /usr/local/nginx/conf/modsecurity.conf   #修改添加

SecRuleEngine DetectionOnly #修改为SecRuleEngine On

#Include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

#Include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

#Include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf

#Include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf

#Include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf

#Include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf

Include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

Include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf

Include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf

Include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

Include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

Include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

Include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

Include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf

Include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf

Include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

Include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf

#Include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf

Include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf

Include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf

Include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf

:wq! #保存退出

五、 配置nginx支持Modsecurity

在需要启用modsecurity的主机的location下面加入下面两行即可：

ModSecurityEnabled on;  

ModSecurityConfig modsecurity.conf;

下面是两个示例配置，php虚拟主机：

server {

      listen      80;

      server_name localhost;

      location ~ \.php$ {

          ModSecurityEnabled on;  

           ModSecurityConfig modsecurity.conf;

 　　　　　　 root /web/wordpress;

          index index.php index.html index.htm;

 　　　　　　 fastcgi_pass   127.0.0.1:9000;

          fastcgi_index  index.php;

          fastcgi_param  SCRIPT_FILENAME  $Document_root$fastcgi_script_name;

          include        fastcgi_params;

      }

  }

    server {

        listen       80;

        server_name  localhost;        

        location / {

            root   html;

            index  index.php index.html index.htm;

        }

        location / {

            root   html;

            index  index.php index.html index.htm;

        }

        location ~ \.php$ {

            ModSecurityEnabled on;  

            ModSecurityConfig modsecurity.conf;

            root           html;

            fastcgi_pass   127.0.0.1:9000;

            fastcgi_index  index.php;

            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

            include        fastcgi_params;

        }

upstream负载均衡：

upstream 52os.net {

    server 192.168.1.100:8080;

    server 192.168.1.101:8080 backup;

}

server {

listen 80;

server_name 52os.net www.52os.net;

location / {

    ModSecurityEnabled on;  

    ModSecurityConfig modsecurity.conf;  

        proxy_pass http://online;

        proxy_redirect         off;

        proxy_set_header Host $host;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;

    }

}

配置好候需要重启nginx

出现“ModSecurity: Loaded PCRE do not match with compiled!”兼容性的解决方法，详看文章《ningx配置ModSecurity重启出现兼容性问题:ModSecurity： Loaded PCRE do not match with compiled!的解决方法》地址：http://www.cnblogs.com/sanduzxcvbnm/p/6128174.html

六、测试

我们启用了xss和sql注入的过滤，不正常的请求会直接返回403。以php环境为例，新建一个phpinfo.php内容为：

<?php

    phpinfo();    

?>

在浏览器中访问：

http://ip/phpinfo.php／?id=1 正常显示。

http://ip/phpinfo.php／?id=1 and 1=1  返回403。

http://ip/phpinfo.php／?search=<scritp>alert('xss');</script>  返回403。

说明sql注入和xss已经被过滤了,查看日志：/var/log/modsec_audit.log里面有详细的拦截信息

七、安装过程中排错

1.缺少APXS会报错

configure: looking for Apache module support via DSO through APXS

configure: error: couldn't find APXS

apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具，用于编译一个或多个源程序或目标代码文件为动态共享对象。
解决方法：

yum install httpd-devel

2.没有pcre（注意版本问题，最好是源码安装最新版）

configure: *** pcre library not found.

configure: error: pcre library is required

解决方法：

yum install pcre pcre-devel

3.没有libxml2

configure: *** xml library not found.

configure: error: libxml2 is required

解决方法：

yum install  libxml2 libxml2-devel

4.执行/usr/local/nginx/sbin/nginx –ｔ时有警告

Tengine version: Tengine/2.1.0 (nginx/1.6.2)

nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

原因：modsecurity编译时和加载时的apr版本不一致造成的，并且会有以下error.log

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"

2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"

2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

解决方法，移除低版本的APR (1.3.9)

yum remove apr

5.Error.log中有: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock     

global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

解决方法：
编辑modsecurity.conf，注释掉默认的SecAuditLogType和SecAuditLog，添加以下内容：

SecAuditLogDirMode 0777

SecAuditLogFileMode 0550

SecAuditLogStorageDir /var/log/modsecurity

SecAuditLogType Concurrent

 

八、官方说明

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

The Core Rule Set provides protection against many common attack categories, including:

SQL Injection (SQLi) Cross Site Scripting (XSS) Local File Inclusion (LFI) Remote File Inclusion (RFI) Remote Code Execution (RCE) PHP Code Injection HTTP Protocol Violations

HTTPoxy Shellshock Session Fixation Scanner Detection Metadata/Error Leakages Project Honey Pot Blacklist GeoIP Country Blocking

The Core Rule Set is free software, distributed under Apache Software License version 2.

New Features in CRS 3

CRS 3 includes many coverage improvements, plus the following new features:

• Over 90% reduction of false alerts in a default install
• A user-defined Paranoia Level to enable additional strict checks
• Application-specific exclusions for WordPress Core and Drupal
• Sampling mode runs the CRS on a user-defined percentage of traffic
• SQLi/XSS parsing using libinjection embedded in ModSecurity

For a full list of changes in this release, see the CHANGES document.

Installation

CRS 3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or higher.

Our GitHub repository is the preferred way to download and update CRS.

HTTPS	git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
SSH	git clone git@github.com:SpiderLabs/owasp-modsecurity-crs.git

After download, copy crs-setup.conf.example to crs-setup.conf. Optionally edit this file to configure your CRS settings. Then include the files in your webserver configuration:

Include /.../crs-setup.conf

Include /.../rules/*.conf

For detailed installation instructions, see the INSTALL document. Also review the CHANGES and KNOWN_BUGS documents.

You can update the rule set using the included script util/upgrade.py.

Handling False Positives and Advanced Features

Advanced features are explained in the crs-setup.conf and the rule files themselves. The crs-setup.conf file is generally a very good entry point to explore the features of the CRS.

We are trying hard to reduce the number of false positives (false alerts) in the default installation. But sooner or later, you may encounter false positives nevertheless.

Christian Folini's tutorials on installing ModSecurity, configuring the CRS and handling false positives provide in-depth information on these topics.

Community

We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.

九、规则集说明

8.1基础规则集

modsecurity_crs_20_protocol_violations.confHTTP协议规范相关规则

modsecurity_crs_21_protocol_anomalies.confHTTP协议规范相关规则

modsecurity_crs_23_request_limits.confHTTP协议大小长度限制相关规则

modsecurity_crs_30_http_policy.confHTTP协议白名单相关规则

modsecurity_crs_35_bad_robots.conf恶意扫描器与爬虫规则

modsecurity_crs_40_generic_attacks.conf常见的攻击例如命令执行，代码执行，注入，文件包含、敏感信息泄露、会话固定、HTTP响应拆分等相关规则

modsecurity_crs_41_sql_injection_attacks.confSQL注入相关规则（竟然有一条MongoDB注入的规则，很全）

modsecurity_crs_41_xss_attacks.confXSS相关规则

modsecurity_crs_42_tight_security.conf目录遍历相关规则

modsecurity_crs_45_trojans.confwebshell相关规则

modsecurity_crs_47_common_exceptions.confApache异常相关规则

modsecurity_crs_49_inbound_blocking.conf协同防御相关规则

modsecurity_crs_50_outbound.conf检测response_body中的错误信息，警告信息，列目录信息

modsecurity_crs_59_outbound_blocking.conf协同防御相关规则

modsecurity_crs_60_correlation.conf协同防御相关规则

8.2 SLR规则集

来自确定APP的PoC，不会误报，检测方法是先检查当前请求的文件路径是否出现在data文件中，若出现再进行下一步测试，否则跳过该规则集的检测

 5.3可选规则集

modsecurity_crs_10_ignore_static.conf静态文件不过WAF检测的相关规则

modsecurity_crs_11_avs_traffic.confAVS（授权的漏洞扫描器）的IP白名单规则

modsecurity_crs_13_xml_enabler.conf请求体启用XML解析处理

modsecurity_crs_16_authentication_tracking.conf记录登陆成功与失败的请求

modsecurity_crs_16_session_hijacking.conf会话劫持检测

modsecurity_crs_16_username_tracking.conf密码复杂度检测

modsecurity_crs_25_cc_known.confCreditCard验证

modsecurity_crs_42_comment_spam.conf垃圾评论检测

modsecurity_crs_43_csrf_protection.conf与modsecurity_crs_16_session_hijacking.conf联合检测，使用内容注入动作append注入CSRF Token

modsecurity_crs_46_av_scanning.conf使用外部脚本扫描病毒

modsecurity_crs_47_skip_outbound_checks.confmodsecurity_crs_10_ignore_static.conf的补充

modsecurity_crs_49_header_tagging.conf将WAF规则命中情况配合Apache RequestHeader指令注入到请求头中，以供后续应用进一步处理

modsecurity_crs_55_marketing.conf记录MSN/Google/Yahoorobot情况

5.4实验性规则集

modsecurity_crs_11_brute_force.conf防御暴力破解相关规则

modsecurity_crs_11_dos_protection.conf防DoS攻击相关规则

modsecurity_crs_11_proxy_abuse.conf检测X-Forwarded-For是否是恶意代理IP，IP黑名单

modsecurity_crs_11_slow_dos_protection.confSlow HTTP DoS攻击规则

modsecurity_crs_25_cc_track_pan.conf检测响应体credit card信息

modsecurity_crs_40_http_parameter_pollution.conf检测参数污染

modsecurity_crs_42_csp_enforcement.confCSP安全策略设置

modsecurity_crs_48_bayes_analysis.conf使用外部脚本采取贝叶斯分析方法分析HTTP请求，区分正常与恶意请求

modsecurity_crs_55_response_profiling.conf使用外部脚本将响应体中的恶意内容替换为空

modsecurity_crs_56_pvi_checks.conf使用外部脚本检测REQUEST_FILENAME是否在osvdb漏洞库中

modsecurity_crs_61_ip_forensics.conf使用外部脚本收集IP的域名、GEO等信息

modsecurity_crs_40_appsensor_detection_point_2.0_setup.confAPPSENSOR检测设置文件