How to Install ModSecurity with Nginx on Rocky Linux 8

ModSecurity, often referred to as Modsec, is a free, open-source web application firewall (WAF). ModSecurity was created as a module for the Apache HTTP Server. However, since its early days, the WAF has grown and now covers an array of HyperText Transfer Protocol request and response filtering capabilities for various platforms such as Microsoft IIS, Nginx, and of course Apache.

How the WAF works: the ModSecurity engine is deployed in front of the web application, allowing the engine to scan incoming and outgoing HTTP connections. ModSecurity is most commonly used in conjunction with the OWASP Core Rule Set (CRS), an open-source set of rules written in ModSecurity's SecRules language that is highly regarded in the security industry.

The OWASP Rule Set with ModSecurity can almost instantly help protect your server against:

  • Bad user agents
  • DDOS
  • Cross-site scripting
  • SQL injection
  • Session hijacking
  • Other threats

In this tutorial, you will learn how to install ModSecurity with Nginx on Rocky Linux 8.

Prerequisites

  • Recommended OS: Rocky Linux 8.+.
  • User account: A user account with sudo or root access.

Update Operating System

Update your Rocky Linux operating system to make sure all existing packages are up to date:

sudo dnf upgrade --refresh -y

The tutorial uses the sudo command and assumes you have sudo status.

To verify sudo status on your account:

sudo whoami

Example output showing sudo status:

[joshua@rockylinux ~]$ sudo whoami
root

To set up an existing or new sudo account, visit our tutorial on How to Add a User to Sudoers on Rocky Linux.

To use the root account, use the following command with the root password to log in.

su

Enable EPEL Repository

To install ModSecurity successfully on Rocky Linux 8, you will need to enable the EPEL repository to complete the ModSecurity installation.

Install the EPEL repository:

sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y

Install Latest Nginx on Rocky Linux 8

By default, you can keep your existing Nginx version installed if you can find a matching source version for it. If not, it is recommended to install either the latest stable or the mainline build of Nginx, as the tutorial goes through below.

Remove Existing Nginx Installation

Stop the current Nginx service:

sudo systemctl stop nginx

Now remove the existing Nginx installation as follows:

sudo dnf remove nginx

Adding the Nginx Repository

Now that you have removed the old Nginx version, if you had it installed, to install Nginx mainline you first need to install its dependency, dnf-utils, with the following command:

sudo dnf install dnf-utils -y

Once installed, use your favorite text editor to create the following file:

sudo nano /etc/yum.repos.d/nginx.repo

Next, add the following code, which defines the Nginx repositories from which you can install either stable or mainline:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

To save, use (CTRL+O), then exit with (CTRL+X).

Install Nginx

By default, the stable Nginx repository is used first. However, the tutorial installs Nginx mainline, so you will need to run the following command to enable the mainline repository:

sudo yum-config-manager --enable nginx-mainline

Note, if you prefer stable, do not use the above command and proceed to the next part of the tutorial.

Next, install Nginx mainline as follows:

sudo dnf install nginx

Note that you will see a prompt asking you to import the GPG key during the installation. This is safe to do and is required to finish installing Nginx mainline successfully. Type "Y" and press the ENTER key.

By default, Nginx is not enabled and is deactivated on installation. To activate your Nginx service, use:

sudo systemctl start nginx

To enable Nginx to start on boot, use the following command:

sudo systemctl enable nginx

To verify your version of Nginx, in our case the Nginx mainline version, use the following command to confirm:

nginx -v

Configure Firewall

If you are not replacing an existing Nginx service and are installing Nginx for the first time, you may need to configure the firewall for HTTP and HTTPS traffic. An example of how to do this is below:

To allow HTTP traffic, use the following command:

sudo firewall-cmd --permanent --zone=public --add-service=http

To allow HTTPS traffic, use the following command:

sudo firewall-cmd --permanent --zone=public --add-service=https

Once done, you need to make the changes effective by reloading the firewall:

sudo firewall-cmd --reload

Optional. Secure Nginx with Let's Encrypt SSL Free Certificate

Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let's Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).

First, install the EPEL repository and the mod_ssl package for better-updated packages and security.

sudo dnf install epel-release mod_ssl -y

Next, install the certbot package as follows:

sudo dnf install python3-certbot-nginx -y

Once installed, run the following command to start the creation of your certificate:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com

This is the ideal setup, which includes forced HTTPS 301 redirects, the Strict-Transport-Security header, and OCSP Stapling. Just make sure to adjust the e-mail and domain name to your requirements.

Now your URL will be https://www.example.com instead of http://www.example.com.

Note, if you use the old HTTP URL, it will automatically redirect to HTTPS.

Optionally, you can set a cron job to renew the certificates automatically. Certbot offers a script that does this automatically, and you can first test to make sure everything is working by performing a dry run.

sudo certbot renew --dry-run

If everything is working, open your crontab window using the following terminal command.

sudo crontab -e

Next, specify the time when it should auto-renew. This should be checked daily at a minimum, and if the certificate does not need to be renewed, the script will not update the certificate. If you need help finding a good time to set, use the free crontab.guru tool.

00 00 */1 * * /usr/bin/certbot renew --quiet

Save (CTRL+O) then exit (CTRL+X), and the cron job will be automatically enabled.

Download Nginx Source

You will need to download the Nginx source code to compile the ModSecurity dynamic module. To do this, download and store the source package in the directory /usr/local/src/nginx.

Create and Configure Directories

Create the location as follows:

sudo mkdir /usr/local/src/nginx && cd /usr/local/src/nginx

Optional - Assign permission to the directory if needed as below:

sudo chown username:username /usr/local/src/ -R

Download Source Archive

Next, download the Nginx source archive from the downloads page to match the Nginx version that you identified earlier. Even if you did not upgrade to the latest stable or mainline Nginx and use an older version, you should be able to find a source to match your own.

Download the source using the wget command as follows (example only):

wget http://nginx.org/download/nginx-1.21.1.tar.gz

Next, extract the archive as follows:

tar -xvzf nginx-1.21.1.tar.gz

Verify Source Version

Next, list the directory files with the ls command as follows:

ls

Example output in your /usr/local/src/nginx directory:

jjames@rockylinux:/usr/local/src/nginx$ ls
nginx-1.21.1

nginx_1.21.1.orig.tar.gz

Next, confirm that the source package is the same as the Nginx version installed on your Rocky Linux operating system.

To do this, use the nginx -v command as follows:

nginx -v

You should get the same version output as the source, as follows:

jjames@rockylinux:/usr/local/src/nginx$ nginx -v
nginx version: nginx/1.21.1

Install libmodsecurity3 for ModSecurity

The libmodsecurity3 package is the core part of the WAF that does the HTTP filtering for your web applications. You will compile it from source.

Clone ModSecurity Repository from GitHub

The first step is to clone from GitHub, and if you do not have git installed, you will need to execute the following command:

sudo dnf install git -y

Next, clone the libmodsecurity3 Git repository as follows:

sudo git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/

Once cloned, you will need to cd to the directory:

cd /usr/local/src/ModSecurity/

Install libmodsecurity3 Dependencies

To compile, you will need to install the following dependencies:

sudo dnf install gcc-c++ flex bison yajl curl-devel zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config wget openssl openssl-devel nano

Next, install the additional dependencies using the PowerTools repository:

sudo dnf --enablerepo=powertools install doxygen yajl-devel

Now install GeoIP using the REMI repository you added at the start of the tutorial:

sudo dnf --enablerepo=remi install GeoIP-devel

Now to finish off, initialize the Git submodules as follows:

sudo git submodule init

Then update the submodules:

sudo git submodule update

Building the ModSecurity Environment

The next step is to build the environment. Use the following command:

sudo ./build.sh

Next, run the configure command:

sudo ./configure

Note, you will possibly see the following error:

fatal: No names found, cannot describe anything.

You can safely ignore this and move on to the next step.

Compiling the ModSecurity Source Code

Now that you have built and configured the environment for libmodsecurity3, it is time to compile it with the make command.

sudo make

A handy trick is to specify the -j option, as this can significantly increase compilation speed if you have a powerful server. For example, the LinuxCapable server has 6 CPUs, and I can use all 6 or at least use 4 to 5 to increase speed.

sudo make -j 6

After compiling the source code, run the installation command in your terminal:

sudo make install

Note, the installation is done into /usr/local/modsecurity/, which you will reference later in the guide.

Install ModSecurity-nginx Connector

The ModSecurity-nginx connector is the connection point between Nginx and libmodsecurity. It is the component that communicates between Nginx and ModSecurity (libmodsecurity3).

Clone ModSecurity-nginx Repository from GitHub

Similar to the previous step of cloning the libmodsecurity3 repository, you will need to clone the connector repository using the following command:

sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/

Install ModSecurity-nginx

Next, cd into the Nginx source directory as follows:

cd /usr/local/src/nginx/nginx-1.21.1

Note, replace the version in the guide with the current Nginx version on your system.

Next, you will compile only the ModSecurity-nginx connector module, with the --with-compat flag, as follows:

sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

Now make (create) the dynamic modules with the following command:

sudo make modules

Next, while in the Nginx source directory, use the following command to copy the dynamic module you have created, which was saved at objs/ngx_http_modsecurity_module.so, to the /usr/lib64/nginx/modules/ directory.

sudo cp objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/

Load and Configure ModSecurity-nginx Connector with Nginx

Now that you have compiled the dynamic module and located it accordingly, you need to edit your /etc/nginx/nginx.conf configuration file to get ModSecurity operating with your Nginx web server.

Enable ModSecurity in nginx.conf

First, you need to specify load_module and the path to your modsecurity module.

Open nginx.conf with any text editor. For the tutorial, nano will be used:

sudo nano /etc/nginx/nginx.conf

Next, add the following line to the file near the top:

load_module modules/ngx_http_modsecurity_module.so;

If you have located the module elsewhere, make sure to include the full path.

Now add the following code under the http {} section as follows:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;

Save the nginx.conf file (CTRL+O), then exit (CTRL+X).

Create and Configure Directory and Files for ModSecurity

You will need to create a directory to store the configuration files and future rules, OWASP CRS for the tutorial.

Use the following command to create the /etc/nginx/modsec directory:

sudo mkdir -p /etc/nginx/modsec/

Now, you need to copy the sample ModSecurity configuration file from the cloned Git directory:

sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Using your favorite text editor in Rocky Linux, open the modsecurity.conf file as follows:

sudo nano /etc/nginx/modsec/modsecurity.conf

By default, the ModSecurity configuration has the rule engine set to (DetectionOnly), which, in other words, runs ModSecurity and detects all malicious behavior but does not block or ban, and logs all the HTTP transactions that it flags. This should only be used if you have lots of false positives or have increased the security level settings to an extreme level and are testing to see if any false positives occur.

To change this behavior to (On), find the following on line 7:

SecRuleEngine DetectionOnly

Change the line to this to enable ModSecurity:

SecRuleEngine On

Now, you need to locate the following, which is on line 224:

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

This is not correct and needs to be changed. Modify the line to the following:

SecAuditLogParts ABCEFHJKZ

Now save the modsecurity.conf file using (CTRL+O), then exit (CTRL+X).

The next part is to create the following file, modsec-config.conf. Here you will include the modsecurity.conf file along with, later on, other rules such as OWASP CRS and, if you are using WordPress, the WPRS CRS rule set.

Use the following command to create the file and open it:

sudo nano /etc/nginx/modsec/modsec-config.conf

Once inside the file, add the following line:

Include /etc/nginx/modsec/modsecurity.conf

Save the modsec-config.conf file with (CTRL+O), then (CTRL+X) to exit.

Lastly, copy ModSecurity's unicode.mapping file with the cp command as follows:

sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Now, before moving on, you should give your Nginx service a dry run with the following terminal command:

sudo nginx -t

If you have set everything up correctly, you should get the following output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

To make the changes live, restart your Nginx service using the systemctl command:

sudo systemctl restart nginx

Install OWASP Core Rule Set for ModSecurity

ModSecurity on its own does not protect your web server; you need to have rules. One of the most famous, respected, and well-known rule sets is the OWASP CRS rule set. These rules are the most widely used among web servers and other WAFs. In fact, most other similar systems base most of their rules on this CRS. Installing this rule set will automatically give you a great source of protection against most emerging threats on the Internet by detecting malicious actors and blocking them.

It should be noted that OWASP CRS regularly has stable releases, typically with about a year between releases. The current version is 3.3. The issue with this is that new rules that bring fixes, new detections, removal of false positives, and additional support for standard software such as phpBB forums are introduced in the 3.4 development (beta) version until the next full release.

Drawbacks can be seen both ways. Use the 3.3 package, and you have a good, stable rule set that possibly does not get the latest threat coverage, fixes and improvements. Use version 3.4 dev, and you get all of this but may possibly see more issues occur. However, this is rare, since before the OWASP Core Rule Set team pulls new commits into the main repository, they hold monthly meetings to discuss the changes. Often it is not one person making the call but the whole team that reviews the changes and approves them as a collective, which usually makes the dev version pretty stable.

In this tutorial, both will be covered, and it is up to you which one to use. Make sure that, in either case, you check your ModSecurity logs for any issues, especially around false positives.

Option 1. Install OWASP CRS 3.3 (Stable)

Using the wget command, download the OWASP CRS 3.3 archive as follows:

wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.3/master.zip

Install the unzip package if you do not have it installed on your server:

sudo dnf install unzip -y

Now unzip the master.zip archive as follows:

sudo unzip master.zip -d /etc/nginx/modsec

As before, like the modsecurity.conf sample configuration, OWASP CRS comes with a sample configuration file that you need to rename. It is best to use the cp command and keep a backup for the future in case you need to start over.

sudo cp /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf

To enable the rules, open /etc/nginx/modsec/modsec-config.conf using any text editor again:

sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file again, add the following two additional lines:

Include /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.3-master/rules/*.conf

Save the file (CTRL+O) and exit (CTRL+X).

As before, you need to test any new additions to your Nginx service before making it live:

sudo nginx -t

You should get the following output, which means everything is working correctly:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart your Nginx service to make the changes live as follows:

sudo systemctl restart nginx

Option 2. Install OWASP CRS 3.4 (dev)

Note, when using 3.4 dev, you will need to check the repository regularly for changes. Often, new additions come a few times a month to a few times a week. If you are unsure or lack confidence, install option 1 and skip this option altogether.

Using the wget command, download the OWASP CRS 3.4 dev archive as follows:

wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.4/dev.zip

Install the unzip package if you do not have it installed on your server:

sudo dnf install unzip -y

Now unzip the dev.zip archive as follows:

sudo unzip dev.zip -d /etc/nginx/modsec

As before, like the modsecurity.conf sample configuration, OWASP CRS comes with a sample configuration file that you need to rename. It is best to use the cp command and keep a backup for the future in case you need to start over.

sudo cp /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

To enable the rules, open /etc/nginx/modsec/modsec-config.conf using any text editor again:

sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file again, add the following two additional lines:

Include /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.4-dev/rules/*.conf

Save the file (CTRL+O) and exit (CTRL+X).

As before, you need to test any new additions to your Nginx service before making it live:

sudo nginx -t

You should get the same syntax-ok and test-successful output as before, which means everything is working correctly.

Restart your Nginx service to make the changes live as follows:

sudo systemctl restart nginx

Updating 3.4-dev

If you would like to update the rules for the dev version of OWASP CRS, download the archive as in the first step and re-extract the files. Files that were made to be edited will not be overwritten, which is why you have seen so many sample files during the installation.


Using and Understanding OWASP CRS

The OWASP Core Rule Set has quite a lot of options; the default settings, however, will out of the box protect most servers immediately without hurting your real visitors and good SEO bots. Below, some areas are covered to help explain. Further reading would be best to investigate all the options in the configuration files themselves, as they contain quite a bit of text explaining what they are.

Open your crs-setup.conf file as follows:

sudo nano /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

Note, this is the dev version configuration, which has additional items compared to version 3.3.

From here, you can modify most of your OWASP CRS settings.

OWASP CRS Scoring

To break it down, ModSecurity has two modes:

Anomaly Scoring Mode

# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.

Self-Contained Mode

# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.

Anomaly Scoring is generally, for most users, the best mode to use.
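The difference between the two modes, modelled in Python as an added example that is not part of the original tutorial or of the CRS code. The severity scores and the inbound threshold are the CRS 3.x defaults; the rule IDs and matches are constructed sample data.

```python
from dataclasses import dataclass

# CRS 3.x default score per severity and default inbound blocking threshold.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5


@dataclass(frozen=True)
class Match:
    """One rule that matched a request (constructed sample data, not real CRS rules)."""
    rule_id: int
    severity: str
    paranoia_level: int  # lowest paranoia level at which the rule is active


def anomaly_scoring(matches, paranoia_level=1, threshold=INBOUND_THRESHOLD):
    """Every active rule adds its score; the block decision is taken once, at the end."""
    active = [m for m in matches if m.paranoia_level <= paranoia_level]
    score = sum(SEVERITY_SCORE[m.severity] for m in active)
    return {
        "score": score,
        "blocked": score >= threshold,
        "logged_rules": [m.rule_id for m in active],  # all matches reach the audit log
    }


def self_contained(matches, paranoia_level=1):
    """The first active rule that matches applies the disruptive action immediately."""
    for m in matches:
        if m.paranoia_level <= paranoia_level:
            return {"blocked": True, "logged_rules": [m.rule_id]}
    return {"blocked": False, "logged_rules": []}


# Constructed request: one low-severity oddity at PL1, one extra finding only checked at PL2.
SAMPLE_MATCHES = [
    Match(rule_id=100001, severity="WARNING", paranoia_level=1),
    Match(rule_id=100002, severity="NOTICE", paranoia_level=2),
]

if __name__ == "__main__":
    print("anomaly scoring, PL1:", anomaly_scoring(SAMPLE_MATCHES, paranoia_level=1))
    print("anomaly scoring, PL2:", anomaly_scoring(SAMPLE_MATCHES, paranoia_level=2))
    print("self-contained,  PL1:", self_contained(SAMPLE_MATCHES, paranoia_level=1))
```

The same request passes at paranoia level 1 under anomaly scoring, is blocked at level 2 once the second rule contributes, and is blocked outright in self-contained mode with only the first rule logged.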

There are four paranoia levels:

  • Paranoia Level 1 - Default level and recommended for most users.
  • Paranoia Level 2 - Advanced users only.
  • Paranoia Level 3 - Expert users only.
  • Paranoia Level 4 - Not recommended at all, except for exceptional circumstances.

# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
#   are enabled. PL1 is advised for beginners, installations
#   covering many different sites and applications, and for setups
#   with standard security requirements.
#   At PL1 you should face FPs rarely. If you encounter FPs, please
#   open an issue on the CRS GitHub site and don't forget to attach your
#   complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
#   many regexp-based SQL and XSS injection protections, and adding
#   extra keywords checked for code injections. PL2 is advised
#   for moderate to experienced users desiring more complete coverage
#   and for installations with elevated security requirements.
#   PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
#   limits on special characters used. PL3 is aimed at users experienced
#   at the handling of FPs and at installations with a high security
#   requirement.
# - Paranoia level 4 further restricts special characters.
#   The highest level is advised for experienced users protecting
#   installations with very high security requirements. Running PL4 will
#   likely produce a very high number of FPs which have to be
#   treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.

Test OWASP CRS on your Server

To test if OWASP CRS is working on your server, open your Internet browser and use the following:

https://www.yourdomain.com/index.html?exec=/bin/bash

You should receive a 403 Forbidden error. If not, then a step has been missed.

The most common problem is missing the change from DetectionOnly to On, as covered earlier in the tutorial.

Dealing with False Positives & Custom Rules Exclusion

One of the often never-ending tasks is dealing with false positives. ModSecurity and OWASP CRS do a great job together, but it does come at the cost of your time; given the protection you get, though, it is worth it. For starters, the golden rule is never to set the paranoia level high to begin with.

A good rule of thumb is to run the rule set for a few weeks to months with hardly any false positives, then increase, for example, paranoia level 1 to paranoia level 2, so you are not swamped with a ton of them at once.

Excluding False Positives for Known Applications

ModSecurity, by default, can whitelist everyday actions that lead to false positives, as below:

#SecAction \
# "id:900130,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_exclusions_cpanel=1,\
#  setvar:tx.crs_exclusions_dokuwiki=1,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_nextcloud=1,\
#  setvar:tx.crs_exclusions_phpbb=1,\
#  setvar:tx.crs_exclusions_phpmyadmin=1,\
#  setvar:tx.crs_exclusions_wordpress=1,\
#  setvar:tx.crs_exclusions_xenforo=1"

To enable, for example, WordPress, phpBB, and phpMyAdmin, as you use all three, uncomment the lines and leave the (1) number intact; change the other services you do not use, for instance Xenforo, to (0), as you do not want to whitelist these rules. Example below:

SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_cpanel=0,\
setvar:tx.crs_exclusions_dokuwiki=0,\
setvar:tx.crs_exclusions_drupal=0,\
setvar:tx.crs_exclusions_nextcloud=0,\
setvar:tx.crs_exclusions_phpbb=1,\
setvar:tx.crs_exclusions_phpmyadmin=1,\
setvar:tx.crs_exclusions_wordpress=1,\
setvar:tx.crs_exclusions_xenforo=0"

You can also modify the syntax, which would be cleaner. For example:

SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_phpbb=1,\
setvar:tx.crs_exclusions_phpmyadmin=1,\
setvar:tx.crs_exclusions_wordpress=1"

As you can see, the options that are not needed have been removed, and (") has been added at the end of the WordPress line for correct syntax.

Excluding Rules Before CRS

To deal with custom exclusions, first you need to change the name of the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example file with the cp command as follows:

sudo cp /etc/nginx/modsec/coreruleset-3.4-dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /etc/nginx/modsec/coreruleset-3.4-dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

A point to remember: when creating exclusion rules, each one must have an id: and it must be unique, or else when you test your Nginx service, you will get an error. For example, with "id:1544,phase:1,log,allow,ctl:ruleEngine=off", the id 1544 cannot be used for a second rule.

For example, some REQUEST_URIs will raise false positives. The example below shows two, the Google PageSpeed beacon and the WPMUDEV plugin for WordPress:

SecRule REQUEST_URI "@beginsWith /wp-load.php?wpmudev" "id:1544,phase:1,log,allow,ctl:ruleEngine=off"
SecRule REQUEST_URI "@beginsWith /ngx_pagespeed_beacon" "id:1554,phase:1,log,allow,ctl:ruleEngine=off"

As you can see, any URL that begins with the path will be automatically allowed.
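A pre-flight check for the unique-id requirement described above, as an added Python example that is not part of the original tutorial. It reads SecRule and SecAction directives, including ones split over backslash continuation lines, and reports reused or missing ids before nginx -t does; the /healthcheck and /status rules in the sample are constructed.

```python
import re

DIRECTIVE = re.compile(r"^(SecRule|SecAction)\s", re.IGNORECASE)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def logical_lines(text):
    """Yield (first_line_no, text) for each directive, joining backslash
    continuations and skipping blank lines and comments."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf = []
    if buf:
        yield start, "".join(buf)


def audit_rule_ids(files):
    """files maps a file name to its contents. Returns (duplicates, missing):
    duplicates = {id: [(file, line), ...]} for ids used more than once,
    missing    = [(file, line), ...] for rules that carry no id at all."""
    seen, missing = {}, []
    for name, text in files.items():
        in_chain = False
        for line_no, directive in logical_lines(text):
            if not DIRECTIVE.match(directive):
                continue
            quoted = QUOTED.findall(directive)
            # The action list is the last quoted argument of the directive.
            actions = [a.strip() for a in quoted[-1].split(",")] if quoted else []
            rule_id = next((a[3:].strip(" '") for a in actions
                            if a.lower().startswith("id:")), None)
            if not in_chain:  # rules inside a chain share the id of the chain starter
                if rule_id is None:
                    missing.append((name, line_no))
                else:
                    seen.setdefault(rule_id, []).append((name, line_no))
            in_chain = "chain" in (a.lower() for a in actions)
    duplicates = {rid: locs for rid, locs in seen.items() if len(locs) > 1}
    return duplicates, missing


# The tutorial's two rules plus two constructed mistakes.
SAMPLE_FILES = {
    "REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf": '''\
# The two rules from the tutorial
SecRule REQUEST_URI "@beginsWith /wp-load.php?wpmudev" "id:1544,phase:1,log,allow,ctl:ruleEngine=off"
SecRule REQUEST_URI "@beginsWith /ngx_pagespeed_beacon" "id:1554,phase:1,log,allow,ctl:ruleEngine=off"
# Constructed: id 1544 reused across continuation lines, then a rule with no id
SecRule REQUEST_URI "@beginsWith /healthcheck" \\
    "id:1544,\\
    phase:1,\\
    nolog,\\
    pass"
SecRule REQUEST_URI "@beginsWith /status" "phase:1,nolog,pass"
''',
}

if __name__ == "__main__":
    dups, no_id = audit_rule_ids(SAMPLE_FILES)
    for rid, locs in dups.items():
        print(f"id {rid} is used more than once:", locs)
    for loc in no_id:
        print("rule without an id:", loc)
```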

Another option is to whitelist IP addresses; there are a few ways you can go about this:

SecRule REMOTE_ADDR "^195\.151\.128\.96" "id:1004,phase:1,nolog,allow,ctl:ruleEngine=off"
## or ###
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1/8, 195.151.0.0/24, 196.159.11.13" "phase:1,id:1313413,allow,ctl:ruleEngine=off"

The @ipMatch operator can be used more extensively for subnets. If you want to deny a network or IP address, change allow to deny. With a bit of know-how, you can also create blacklists and whitelists and configure this with fail2ban. The possibilities can often be endless.

One last example is to disable only the rules that trigger false positives, rather than blanket whitelisting the entire path, as you saw with the first REQUEST_URI example. However, this takes more time and testing. For instance, suppose you want to remove rules 941000 and 942999 from your /admin/ area, as they keep triggering false bans and blocks for your team: find the rule ID in your ModSecurity log file and then disable only that ID with ruleRemoveById, as in the example below:

SecRule REQUEST_FILENAME "@beginsWith /admin" "id:1004,phase:1,pass,nolog,ctl:ruleRemoveById=941000-942999"

Examples can be found on the ModSecurity Git wiki page; LinuxCapable will, in the future, create a tutorial on this part, as there is quite a lot to cover.
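One way to find the rule IDs worth excluding for a path, as an added Python example that is not part of the original tutorial. It counts the rule messages in the ModSecurity audit log per rule ID for one URI prefix and prints an exclusion in the same form as the rule above; the log excerpt, the min_hits cut-off and the exclusion id 10001 are constructed, and the parser assumes the libmodsecurity v3 message layout with [id "..."] and [uri "..."] tags.

```python
import re
from collections import Counter

# [name "value"] tags that ModSecurity appends to each rule message.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# CRS rules that only evaluate or report the anomaly score; they accompany
# every blocked request and are not candidates for exclusion.
SCORING_RULES = {"949110", "959100", "980130"}


def rule_hits(audit_log_text, uri_prefix):
    """Count detection-rule hits for requests whose URI starts with uri_prefix."""
    hits = Counter()
    for line in audit_log_text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue  # only the rule messages (audit log part H) are of interest
        found = TAG.findall(line)
        ids = [value for name, value in found if name == "id"]
        uris = [value for name, value in found if name == "uri"]
        if not ids or not uris:
            continue
        # Assumed v3 tag order: [id] comes before [data] and [uri] after it, so
        # the first id and the last uri are the ones ModSecurity itself wrote.
        rule_id, uri = ids[0], uris[-1]
        if rule_id not in SCORING_RULES and uri.startswith(uri_prefix):
            hits[rule_id] += 1
    return hits


def build_exclusion(hits, uri_prefix, exclusion_id, min_hits=2):
    """Return a SecRule in the tutorial's form that removes only the noisy
    rules, or None when no rule reached min_hits."""
    noisy = sorted(rid for rid, count in hits.items() if count >= min_hits)
    if not noisy:
        return None
    ctl = ",".join(f"ctl:ruleRemoveById={rid}" for rid in noisy)
    return (f'SecRule REQUEST_FILENAME "@beginsWith {uri_prefix}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,{ctl}"')


# Constructed, abbreviated excerpt in the style of /var/log/modsec_audit.log.
SAMPLE_AUDIT_LOG = """\
---c0nStRu1---H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:body"] [severity "2"] [uri "/admin/posts/edit"]
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/admin/posts/edit"]
---c0nStRu1---Z--
---c0nStRu2---H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:body"] [severity "2"] [uri "/admin/posts/edit"]
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/admin/posts/edit"]
---c0nStRu2---Z--
---c0nStRu3---H--
ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/admin/comments"]
ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/admin/comments"]
ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/admin/login"]
---c0nStRu3---Z--
---c0nStRu4---H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"]
---c0nStRu4---Z--
"""

if __name__ == "__main__":
    admin_hits = rule_hits(SAMPLE_AUDIT_LOG, "/admin")
    for rid, count in admin_hits.most_common():
        print(f"rule {rid}: {count} hit(s) under /admin")
    print(build_exclusion(admin_hits, "/admin", exclusion_id=10001))
```

A hit count only shows which rules are noisy on a path; read the logged [data] for each rule and confirm the requests were legitimate before removing it.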

Optional - Include Project Honeypot

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system, you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving e-mail, we can tell not only that the messages are spam but also the exact moment when the address was harvested and the IP address that gathered it.

ModSecurity has the option to integrate Project Honeypot, which will query the database and block any addresses that are on the HoneyPot blacklist. Note, using this can lead to false positives. However, this is low, as the data is reliable, but sometimes good bots do get flagged, so be careful.

Another issue with using this service with your ModSecurity is that the first time a visitor comes to your site, a precious and critical moment for new visitors, it will be slow, because your web server will send a query to Project Honeypot and wait for a response. In the future, once an IP has been queried, the response sent back is cached, making the next visit much faster. However, given the emphasis on load times and SEO, some may not like the extra load time, no matter how small it may be.

Step 1. Create a free account.

Step 2. Once you have signed up and logged in, on the dashboard, find the line (Your http:BL API key) and click get one.

Step 3. Go back to the crs-setup.conf file by opening it with a text editor:

sudo nano /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

Step 4. Find the line starting with #SecHttpBlKey, which is on line 629.

#SecHttpBlKey XXXXXXXXXXXXXXXXX
#SecAction "id:900500,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.block_search_ip=1,\
#  setvar:tx.block_suspicious_ip=1,\
#  setvar:tx.block_harvester_ip=1,\
#  setvar:tx.block_spammer_ip=1"

Step 5. Change SecHttpBlKey XXXXXXXXXXXXXXXXX to your key from Project HoneyPot.

Example:

SecHttpBlKey amhektvkkupe

Step 6. Next, uncomment all the lines to enable the rule. To deactivate any rule, put (0) instead of (1). The block_search_ip setting covers search engine bots; keep it at 0 unless you want to block Bing, Google, and other good bots that come to your site.

SecHttpBlKey amhektvkkupe
SecAction "id:900500,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.block_search_ip=0,\
setvar:tx.block_suspicious_ip=1,\
setvar:tx.block_harvester_ip=1,\
setvar:tx.block_spammer_ip=1"

Note, do not use amhektvkkupe. Use your own key instead!

Step 7. Test Nginx to make sure no errors have occurred with the following:

sudo nginx -t

Example output if everything is correct:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart your Nginx service:

sudo systemctl restart nginx

WordPress WPRS Rule Set for ModSecurity

Another option for WordPress users is to install and run, alongside your OWASP CRS rule set, a well-known project called the WPRS rule set. As this is optional and not for everyone, the tutorial does not cover it in this section. However, if you would like to install this for extra protection when you use WordPress on your server, please visit our tutorial on Installing WordPress ModSecurity Rule Set (WPRS).

Create ModSecurity LogRotate File

ModSecurity logs can grow quickly, given how many lines and how much information they can record. As you compiled the module and did not install it through any official Rocky Linux repository, you will need to create your own log rotate file.

First, create and open your ModSecurity rotate file modsec:

sudo nano /etc/logrotate.d/modsec

Add the following code:

/var/log/modsec_audit.log
{
        rotate 31
        daily
        missingok
        compress
        delaycompress
        notifempty
}

This will keep logs for 31 days. If you prefer to keep less, change 31 to, say, 7 days, which equals a week's worth of logs. You should be rotating daily for ModSecurity. A weekly log file would be a disaster to sift through, given how large it would be.

Comments and Conclusion

In the tutorial, you have gained a good grasp of installing the Nginx source, compiling ModSecurity, and setting up the OWASP rules, among the top parts. Overall, deploying ModSecurity to your server will provide instant protection. However, patience, time, and dedication to learning will be needed for it to be a great feature. The last thing you want is to block SEO bots or, more importantly, real users that could be potential customers.
