How to Install ModSecurity with Nginx on Ubuntu 20.04

ModSecurity, often referred to as Modsec, is a free, open-source web application firewall (WAF). ModSecurity was originally designed as a module for the Apache HTTP server. Since its inception, however, the WAF has grown and now covers a broad range of HyperText Transfer Protocol request and response filtering capabilities for platforms such as Microsoft IIS, Nginx and, of course, Apache.

The way the WAF works is that the ModSecurity engine is deployed in front of the web application, which lets the engine inspect incoming and outgoing HTTP connections. ModSecurity is most commonly used together with the OWASP Core Rule Set (CRS), an open-source rule set written in ModSecurity's SecRules language that is highly regarded in the security industry.

The OWASP rules with ModSecurity can help protect your server immediately against:

  • Malicious users
  • DDoS
  • Cross-site scripting
  • SQL injection
  • Session hijacking
  • Other common threats

In this tutorial, you will learn how to install ModSecurity with Nginx on Ubuntu 20.04.

Prerequisites

  • Recommended OS: Ubuntu 20.04 - optional (Ubuntu 21.04)
  • User account: a user account with sudo or root access.
  • Required packages: listed during the tutorial.

Update the Operating System

First, before anything else, update your Ubuntu operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade -y

Install the latest Nginx on Ubuntu 20.04

First, it is recommended to remove any existing Nginx installation and install the latest version from the custom PPA maintained by Ondřej Surý, which ships with extra dynamic modules such as the brotli module.

Remove the existing Nginx installation

Stop the current Nginx service:

sudo systemctl stop nginx

Now remove the existing Nginx installation as follows:

sudo apt-get purge nginx -y && sudo apt autoremove nginx -y

Add the latest Nginx PPA

Now that you have removed your old Nginx service, it is recommended to add one of the two PPAs listed below. The tutorial always recommends installing mainline; however, stable is also fine.

Add one of the following PPAs with the corresponding command:

Install the latest Nginx (STABLE):

sudo add-apt-repository ppa:ondrej/nginx-stable -y && sudo apt update

Install the latest Nginx (MAINLINE):

sudo add-apt-repository ppa:ondrej/nginx-mainline -y && sudo apt update

Now that you have added the PPA and updated the package list, install Nginx with the following:

sudo apt install nginx-core nginx-common nginx nginx-full

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during the installation. It is recommended to keep your current configuration file by pressing (n). A copy of the maintainer's version is saved alongside it regardless, so you can review the differences later.

Enable the Nginx source code repository

When you add the PPA, the source code repository is not enabled by default. You will need to enable it manually in order to download the Nginx source code, which is needed to compile the ModSecurity module later in the tutorial.

First, open the PPA's configuration file in /etc/apt/sources.list.d with nano as below (if you added the stable PPA, the file is named ondrej-ubuntu-nginx-stable-*.list instead):

sudo nano /etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-*.list

Now find the line starting with # deb-src and uncomment it by removing the leading (#):

# deb-src http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu/ focal main

It should then look like this:

deb-src http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu/ focal main

Now save the file (CTRL+O) and exit (CTRL+X). Then update the repository list with the following command:

sudo apt update

Download the Nginx source

You will need the Nginx source code to compile the ModSecurity dynamic module. To do this, you will download and unpack the source package in the /usr/local/src/nginx directory.

Create and prepare the directory

Create the directory as follows:

sudo mkdir /usr/local/src/nginx && cd /usr/local/src/nginx

Optional - grant your user permissions on the directory if required, as below (replace username with your own account):

sudo chown username:username /usr/local/src/ -R 

Install the dependency and run the download

Next, download the source package with the following:

sudo apt install dpkg-dev -y && sudo apt source nginx

Note, you will see output like the following, ending in a warning:

dpkg-source: info: extracting nginx in nginx-1.21.1
dpkg-source: info: unpacking nginx_1.21.1.orig.tar.gz
dpkg-source: info: unpacking nginx_1.21.1-1+ubuntu20.04.1+deb.sury.org+1.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying 0001-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
dpkg-source: info: applying 0002-define_gnu_source-on-other-glibc-based-platforms.patch
W: Download is performed unsandboxed as root as file 'nginx_1.21.1.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

This warning can be safely ignored.

Verify the source version

Next, list the directory contents with the ls command as follows:

ls

You should see the following output in your /usr/local/src/nginx directory:

jjames@ubuntu:/usr/local/src/nginx$ ls
nginx-1.21.1
nginx_1.21.1-1+ubuntu20.04.1+deb.sury.org+1.debian.tar.xz
nginx_1.21.1-1+ubuntu20.04.1+deb.sury.org+1.dsc
nginx_1.21.1.orig.tar.gz
nginx_1.21.1.orig.tar.gz.asc

Next, confirm that the source package is the same version as the Nginx binary installed on your Ubuntu system. A dynamic module compiled against a different version will not load. To check, use the nginx -v command as follows:

nginx -v

You should get the same version as the source, as follows:

jjames@ubuntu:/usr/local/src/nginx$ nginx -v
nginx version: nginx/1.21.1

Install libmodsecurity3 for ModSecurity

The libmodsecurity3 library is the part of the WAF that actually performs the HTTP filtering for your web applications. On Ubuntu 20.04, you can install it from the default Ubuntu 20.04 repositories. However, this is not recommended, because, as with many LTS releases, the packaged version is often outdated. Instead, you will compile it from the latest source as follows.

Clone the ModSecurity repository from GitHub

The first step is to clone the repository from GitHub. If you have not installed git, run the following command:

sudo apt install git -y

Note, this installs the default Ubuntu 20.04 repository version of git. If you would prefer the latest version from the Git maintainers' PPA, please see our guide on installing and updating the latest Git on Ubuntu 20.04.

Next, clone the libmodsecurity3 Git repository as follows:

sudo git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/

Once cloned, cd into the directory:

cd /usr/local/src/ModSecurity/

Install the libmodsecurity3 dependencies

To compile, you will need to install the following dependencies:

sudo apt install gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext pkg-config libpcre3 libpcre3-dev libxml2 libxml2-dev libcurl4 libgeoip-dev libyajl-dev doxygen -y

With that done, initialize the Git submodules as follows:

sudo git submodule init

Then update the submodules:

sudo git submodule update

Build the ModSecurity environment

The next step is to generate the build environment. Use the following command:

sudo ./build.sh

Next, run the configure script:

sudo ./configure

Note, you may see the following message:

fatal: No names found, cannot describe anything.

This can be safely ignored; proceed to the next step.

Compile the ModSecurity source code

Now that you have built and configured the environment for libmodsecurity3, it is time to compile it with the make command.

sudo make

A useful trick is to pass the -j flag, which can significantly speed up compilation if you have a powerful server. For example, the LinuxCapable server has 6 CPUs, so all 6 can be used, or at least 4 to 5 to speed things up:

sudo make -j 6

Once the source code has compiled, run the install command in your terminal:

sudo make install

Note, the installation is placed in /usr/local/modsecurity/, which you will refer to later in the guide.

Install the ModSecurity-nginx connector

The ModSecurity-nginx connector is the link between Nginx and libmodsecurity. Essentially, it is the component that communicates between Nginx and ModSecurity (libmodsecurity3).

Clone the ModSecurity-nginx repository from GitHub

Similar to the previous step of cloning the libmodsecurity3 repository, clone the connector repository with the following command:

sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/

Install the ModSecurity-nginx dependencies

Next, cd into the Nginx source directory as follows:

cd /usr/local/src/nginx/nginx-1.21.1

Note, replace the version in the command with the Nginx version currently installed on your system.

Now, run the following command in your Ubuntu terminal to install the required build dependencies:

sudo apt build-dep nginx && sudo apt install uuid-dev -y

Next, configure the ModSecurity-nginx connector as a dynamic module only, with the --with-compat flag, as follows:

sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

Now make (build) the dynamic module with the following command:

sudo make modules

Next, while still in the Nginx source directory, use the following command to copy the dynamic module you just built, which is saved at objs/ngx_http_modsecurity_module.so, to your /usr/share/nginx/modules directory:

sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

You can store the dynamic module anywhere, as long as you specify the full path when loading it.
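The configure and make steps above only produce a usable module when the unpacked source tree is exactly the version of the installed nginx binary; otherwise nginx refuses the .so at startup with "module ... is not binary compatible". The following POSIX shell script is an added example, not part of the original tutorial: it parses both versions, refuses to build on a mismatch, and otherwise runs the same configure, make modules and copy steps. The default source path, the connector path and the module destination are the ones used in this tutorial; the script name build-connector.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pre-flight version check
# before building the ModSecurity-nginx connector as a dynamic module.
# A module compiled against another nginx version fails to load.

# Extract "1.21.1" from the text `nginx -v` prints (it prints to stderr).
nginx_binary_version() {
  sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*$/\1/p'
}

# Extract "1.21.1" from a source directory such as
# /usr/local/src/nginx/nginx-1.21.1 (empty output if the name does not fit).
source_tree_version() {
  basename "$1" | sed -n 's/^nginx-\([0-9][0-9.]*\)$/\1/p'
}

# Succeed only when both versions were parsed and are identical.
versions_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Build and install the connector module if the versions agree.
# $1 is the unpacked source tree (default: the path used in the tutorial).
build_connector() {
  src_tree="${1:-/usr/local/src/nginx/nginx-1.21.1}"
  bin_ver="$(nginx -v 2>&1 | nginx_binary_version)"
  src_ver="$(source_tree_version "$src_tree")"
  if ! versions_match "$bin_ver" "$src_ver"; then
    echo "refusing to build: binary is nginx/${bin_ver:-?}, source tree is ${src_ver:-?}" >&2
    return 1
  fi
  cd "$src_tree" || return 1
  ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx || return 1
  make modules || return 1
  install -m 644 objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
}

# Run as: sudo sh build-connector.sh /usr/local/src/nginx/nginx-1.21.1
# (nothing is built when the script is sourced or run without a path)
case "${1:-}" in
  /*) build_connector "$1" ;;
esac
```

Run it with the absolute path of the source tree; when the check fails, fix the mismatch first (either install the matching nginx package or download the matching source) rather than forcing the build.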


Load and configure the ModSecurity-nginx connector in the Nginx web server

Now that you have compiled the dynamic module and placed it in the modules directory, you must edit your /etc/nginx/nginx.conf configuration file to get ModSecurity working on your Nginx web server.

Enable ModSecurity in nginx.conf

First, you must add a load_module directive with the path to your ModSecurity module.

Open nginx.conf with any text editor. For this tutorial, nano will be used:

sudo nano /etc/nginx/nginx.conf

Next, add the following line near the top of the file. It must sit in the main context, outside and before the http {} block:

load_module modules/ngx_http_modsecurity_module.so;

If you placed the module elsewhere, make sure you use the full path.

Now add the following inside the http {} section:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;

Save the nginx.conf file (CTRL+O) and exit (CTRL+X).

Create and configure the directory and files for ModSecurity

You will need a directory to store the ModSecurity configuration files and, later in the tutorial, the OWASP CRS rules.

Use the following command to create the /etc/nginx/modsec directory:

sudo mkdir /etc/nginx/modsec/

Now, copy the recommended ModSecurity configuration file from the Git repository you cloned earlier:

sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Using your preferred text editor on Ubuntu, open the modsecurity.conf file as follows:

sudo nano /etc/nginx/modsec/modsecurity.conf

By default, the ModSecurity configuration sets the rule engine to DetectionOnly. In other words, ModSecurity runs and detects malicious behavior but never blocks or bans anything; it only logs each HTTP transaction it flags. This mode should be used only when you are chasing many false positives, or when you have raised the paranoia level and want to observe what would be blocked before enforcing it.

To change this behavior to blocking (On), find the following on line 7:

SecRuleEngine DetectionOnly

Change the line to the following to enable ModSecurity:

SecRuleEngine On

Next, find the following, which is on line 224:

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

The tutorial changes this set so that the audit log also records the full request body (part C) and the list of rules that matched (part K), which makes false positives much easier to diagnose. Change the line to the following:

SecAuditLogParts ABCEFHJKZ

Now, save the modsecurity.conf file with (CTRL+O) and exit (CTRL+X).

The next part is to create the following file, modsec-config.conf. This is where you include the modsecurity.conf file and, later on, other rules such as the OWASP CRS and, if you use WordPress, the WordPress rule set (WPRS).

Use the following command to create the file and open it:

sudo nano /etc/nginx/modsec/modsec-config.conf

Once inside the file, add the following line:

Include /etc/nginx/modsec/modsecurity.conf

Save the modsec-config.conf file with (CTRL+O), then (CTRL+X) to exit.

Finally, copy ModSecurity's unicode.mapping file, which modsecurity.conf references, with the cp command as follows:

sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Now, before continuing, test your Nginx configuration with the following terminal command:

sudo nginx -t

If you have configured everything correctly, you should get the following result:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

To make the changes live, restart your Nginx service using the systemctl command:

sudo systemctl restart nginx
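nginx -t only proves that the configuration parses; it passes just as happily when SecRuleEngine is still DetectionOnly, or when modsec-config.conf never includes modsecurity.conf. The POSIX shell functions below are an added example, not part of the original tutorial: they check the three files edited in this section for the mistakes nginx -t does not report. The default paths are the ones used in the tutorial, and the module-loading check assumes the module is referenced by its ngx_http_modsecurity_module.so file name.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks on the
# ModSecurity wiring that `nginx -t` cannot catch.

# Succeeds if SecRuleEngine is On (not DetectionOnly/Off) in modsecurity.conf ($1).
rule_engine_is_on() {
  grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$1"
}

# Succeeds if nginx.conf ($1) loads the module in the main context (brace
# depth 0) and has both modsecurity directives inside the http block.
nginx_conf_enables_modsec() {
  awk '
    /^[[:space:]]*load_module[[:space:]].*ngx_http_modsecurity_module\.so;/ && depth == 0 { loaded = 1 }
    /^[[:space:]]*http[[:space:]]*[{]/ { in_http = 1 }
    in_http && /^[[:space:]]*modsecurity[[:space:]]+on;/ { enabled = 1 }
    in_http && /^[[:space:]]*modsecurity_rules_file[[:space:]]/ { rules = 1 }
    # Track brace depth after evaluating the line so load_module inside
    # http {} is not accepted.
    { n = gsub(/[{]/, "{"); depth += n; n = gsub(/[}]/, "}"); depth -= n }
    END { exit !(loaded && enabled && rules) }
  ' "$1"
}

# Succeeds if the rules file ($1) has an Include line for the base config ($2).
# $2 is used as a regular expression, which is fine for plain paths.
rules_file_includes() {
  grep -Eq "^[[:space:]]*Include[[:space:]]+$2[[:space:]]*$" "$1"
}

# Run all three checks; arguments default to the paths used in the tutorial.
verify_modsec_setup() {
  nginx_conf="${1:-/etc/nginx/nginx.conf}"
  modsec_conf="${2:-/etc/nginx/modsec/modsecurity.conf}"
  rules_conf="${3:-/etc/nginx/modsec/modsec-config.conf}"
  status=0
  rule_engine_is_on "$modsec_conf" \
    || { echo "SecRuleEngine is not On in $modsec_conf (still DetectionOnly?)" >&2; status=1; }
  nginx_conf_enables_modsec "$nginx_conf" \
    || { echo "load_module / modsecurity on / modsecurity_rules_file not set correctly in $nginx_conf" >&2; status=1; }
  rules_file_includes "$rules_conf" "$modsec_conf" \
    || { echo "$rules_conf does not Include $modsec_conf" >&2; status=1; }
  return $status
}

# Usage on the server: sudo sh verify-modsec.sh && sudo nginx -t
```

Run it before each restart; a non-zero exit prints which of the three files is wrong so you do not find out only when the test request in the CRS section fails to return 403.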

Install the OWASP Core Rule Set for ModSecurity

ModSecurity on its own does not protect your web server; it needs rules. One of the most popular, well-regarded and widely known rule sets is the OWASP CRS. These rules are the most commonly used across web servers and other WAFs; in fact, many similar rule sets base a large part of their rules on the CRS. Installing this rule set gives you good automatic protection against many threats seen on the internet by detecting malicious actors and blocking them.

It should be noted that the OWASP CRS publishes stable releases, with roughly a year between them; the tutorial was written with 3.3 as the current stable branch. The trade-off is that the new rules being worked on, such as fixes, new detections, false-positive removals and new exclusions for common software such as phpBB forums, land in the development branch (v3.4/dev) first and are not included in stable until the next full release.

The drawback can be seen both ways. With the 3.3 stable package you get a well-tested rule set that may lack the latest detections, fixes and tweaks. With the 3.4 dev branch you get all of those, but you could occasionally run into new issues. This is rare, however: before the OWASP Core Rule Set team merges new commits into the repository, the changes are discussed and reviewed by the whole team rather than pushed by one person, which makes the dev branch quite solid.

In this tutorial, both options will be covered, and it is up to you which one to use. In either case, make sure you check your ModSecurity logs for any issues, especially around false positives.

Option 1. Install OWASP CRS 3.3 (Stable)

Using the wget command, download the OWASP CRS 3.3 archive into your current directory as follows:

wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.3/master.zip

Install the unzip package if it is not already installed on your server:

sudo apt install unzip -y

Now, extract the archive into the modsec directory as follows:

sudo unzip master.zip -d /etc/nginx/modsec

As with the recommended modsecurity.conf earlier, the OWASP CRS ships a sample configuration file that you need to copy into place. It is best to use the cp command and keep the sample as a backup in case you need to start again:

sudo cp /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf

To enable the rules, open /etc/nginx/modsec/modsec-config.conf again with any text editor:

sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file, add the following two lines:

Include /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.3-master/rules/*.conf

Save the file (CTRL+O) and exit (CTRL+X).

As before, test any new additions to your Nginx configuration before making them live:

sudo nginx -t

You should get the following result, which means everything is working correctly:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart your Nginx service to make the changes live, as follows:

sudo systemctl restart nginx

Option 2. Install OWASP CRS 3.4 (dev)

Note, when using the 3.4 dev branch, you will need to check the repository for changes regularly. Most of the time, new additions arrive a few times a month to a few times a week. If you cannot commit to this or are not confident, install option 1 and skip this option entirely.

Using the wget command, download the OWASP CRS 3.4 dev archive into your current directory as follows:

wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.4/dev.zip

Install the unzip package if it is not already installed on your server:

sudo apt install unzip -y

Now, extract the dev.zip archive into the modsec directory as follows:

sudo unzip dev.zip -d /etc/nginx/modsec

As with the recommended modsecurity.conf earlier, the OWASP CRS ships a sample configuration file that you need to copy into place. It is best to use the cp command and keep the sample as a backup in case you need to start again:

sudo cp /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

To enable the rules, open /etc/nginx/modsec/modsec-config.conf again with any text editor:

sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file, add the following two lines:

Include /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.4-dev/rules/*.conf

Save the file (CTRL+O) and exit (CTRL+X).

As before, test any new additions to your Nginx configuration before making them live:

sudo nginx -t

You should get the following result, which means everything is working correctly:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart your Nginx service to make the changes live, as follows:

sudo systemctl restart nginx

Updating the 3.4 dev branch

If you want to update the rules for the dev version of the OWASP CRS, download the archive as in the first step and extract it again over the existing directory. unzip prompts before overwriting each existing file, so answer n for the files you have edited, such as crs-setup.conf and your exclusion rule files, and y for the rest; then run sudo nginx -t and restart Nginx as above.

Using and understanding the OWASP CRS

The OWASP CRS has many options. The default settings, however, protect most servers out of the box without affecting your legitimate visitors and well-behaved SEO bots. Below, a few areas are covered to help explain them. It is best to read through all the options in the configuration file itself, since each has a short text description explaining what it does.

Open your crs-setup.conf file as follows (if you installed option 1, the directory is coreruleset-3.3-master instead):

sudo nano /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

Note, this is the dev version of the configuration, which has a few more options than the 3.3 version.

From here, you can adjust many of your OWASP CRS settings.

OWASP CRS scoring

To break it down, the CRS can run in two modes:

Anomaly scoring mode

# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.

Self-contained mode

# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.

Anomaly scoring is the best mode for most users in most situations.

There are four paranoia levels:

  • Paranoia Level 1 - The default level, recommended for most users.
  • Paranoia Level 2 - Advanced users only.
  • Paranoia Level 3 - Expert users only.
  • Paranoia Level 4 - Not recommended at all, except for special situations.

# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
#   are enabled. PL1 is advised for beginners, installations
#   covering many different sites and applications, and for setups
#   with standard security requirements.
#   At PL1 you should face FPs rarely. If you encounter FPs, please
#   open an issue on the CRS GitHub site and don't forget to attach your
#   complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
#   many regexp-based SQL and XSS injection protections, and adding
#   extra keywords checked for code injections. PL2 is advised
#   for moderate to experienced users desiring more complete coverage
#   and for installations with elevated security requirements.
#   PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
#   limits on special characters used. PL3 is aimed at users experienced
#   at the handling of FPs and at installations with a high security
#   requirement.
# - Paranoia level 4 further restricts special characters.
#   The highest level is advised for experienced users protecting
#   installations with very high security requirements. Running PL4 will
#   likely produce a very high number of FPs which have to be
#   treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.

Test the OWASP CRS on your server

To test whether the OWASP CRS is working on your server, open a web browser and request the following (replace the domain with your own):

https://www.yourdomain.com/index.html?exec=/bin/bash

You should receive a 403 Forbidden error. If not, a step was missed.

The most common mistake is forgetting to change SecRuleEngine from DetectionOnly to On, as explained earlier in the tutorial. In that mode the request is logged to the audit log but still served.

Working with false positives & custom rule exclusions

One of the never-ending tasks of running a WAF is dealing with false positives. ModSecurity and the OWASP CRS do a great job together, but it costs your time; given the protection gained, it is worth it. For starters, do not set a high paranoia level straight away; that is the golden rule.

A good rule of thumb is to run the rule set for a few weeks to a month without any false positives and only then raise it, for example from paranoia level 1 to paranoia level 2, so you are not swamped with a ton of work at once.

Excluding well-known false-positive applications

The CRS comes with ready-made exclusions for common applications that are known to cause false positives. They are disabled by default, as below:

#SecAction \
# "id:900130,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_exclusions_cpanel=1,\
#  setvar:tx.crs_exclusions_dokuwiki=1,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_nextcloud=1,\
#  setvar:tx.crs_exclusions_phpbb=1,\
#  setvar:tx.crs_exclusions_phpmyadmin=1,\
#  setvar:tx.crs_exclusions_wordpress=1,\
#  setvar:tx.crs_exclusions_xenforo=1"

To enable, for example, WordPress, phpBB and phpMyAdmin because you use all three, uncomment the lines and leave their value at (1); change the applications you do not use, for example Xenforo, to (0), since you do not want exclusions for software you do not run. Example below:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_cpanel=0,\
  setvar:tx.crs_exclusions_dokuwiki=0,\
  setvar:tx.crs_exclusions_drupal=0,\
  setvar:tx.crs_exclusions_nextcloud=0,\
  setvar:tx.crs_exclusions_phpbb=1,\
  setvar:tx.crs_exclusions_phpmyadmin=1,\
  setvar:tx.crs_exclusions_wordpress=1,\
  setvar:tx.crs_exclusions_xenforo=0"

You can also tidy the syntax by dropping the unused lines entirely, which is cleaner. Example:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_phpbb=1,\
  setvar:tx.crs_exclusions_phpmyadmin=1,\
  setvar:tx.crs_exclusions_wordpress=1"

As you can see, the options that are not needed are removed, and the closing (") is moved to the end of the WordPress line so the syntax stays correct.

Excluding rules before the CRS

To handle custom exclusions, first copy the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example file to REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf with the cp command as follows (adjust the coreruleset directory to the version you installed). The rules/*.conf include added earlier picks the new file up automatically:

sudo cp /etc/nginx/modsec/coreruleset-3.4-dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /etc/nginx/modsec/coreruleset-3.4-dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

The main thing to remember when creating exclusion rules is that each one must have an id: that is unique; otherwise, when you test your Nginx configuration, you will get an error. For example, with "id:1544,phase:1,log,allow,ctl:ruleEngine=off", id 1544 cannot be reused for a second rule.

For example, certain REQUEST_URI paths raise false positives. The example below has two: the Google PageSpeed beacon and the WPMU DEV plugin for WordPress:

SecRule REQUEST_URI "@beginsWith /wp-load.php?wpmudev" "id:1544,phase:1,log,allow,ctl:ruleEngine=off"

SecRule REQUEST_URI "@beginsWith /ngx_pagespeed_beacon" "id:1554,phase:1,log,allow,ctl:ruleEngine=off"

As you can see, any request whose URI starts with one of these paths is allowed immediately; ctl:ruleEngine=off switches the engine off for the rest of that transaction, so nothing else is inspected.

Another option is to whitelist IP addresses. A few ways you can do this:

SecRule REMOTE_ADDR "^195\.151\.128\.96" "id:1004,phase:1,nolog,allow,ctl:ruleEngine=off"
## or ###
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1/8, 195.151.0.0/24, 196.159.11.13" "phase:1,id:1313413,allow,ctl:ruleEngine=off"

@ipMatch can also be used for subnets. If you want to deny a network or IP address instead, change allow to deny. With a little scripting you can also maintain blacklists and whitelists and tie this into fail2ban. The possibilities are endless.

One final example is disabling only the rule that triggers the false positive, rather than blanket-allowing a whole path as in the first REQUEST_URI example above. This takes more time and testing. For example, rules in the 941000 to 942999 range keep triggering false blocks for your staff in the /admin/ area: look up the rule ID in your ModSecurity audit log and disable only that ID for that path with ruleRemoveById, as in the example below:

SecRule REQUEST_FILENAME "@beginsWith /admin" "id:1004,phase:1,pass,nolog,ctl:ruleRemoveById=941000-942999"

More examples can be found on the ModSecurity GitHub wiki pages; LinuxCapable will, in the future, publish a tutorial on this topic, as there is a lot to cover.
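Finding the rule ID behind a false positive means reading section H (the audit trailer) of the audit log, which is also where you look when the test request above does not return 403. The POSIX shell script below is an added example, not part of the tutorial or of the CRS project: it counts rule IDs per URI from a ModSecurity v3 serial audit log, drops the CRS blocking-evaluation and correlation rules (949xxx, 959xxx, 980xxx) that fire on every blocked request and never name the real cause, and prints a ruleRemoveById exclusion of the form shown above for a single rule on a single path. The three transactions embedded in sample_log are constructed for this example; the message layout follows what libmodsecurity writes, but none of the lines come from a real host.

```shell
#!/bin/sh
# Added example (not from the tutorial or the CRS project): triage a
# ModSecurity v3 serial audit log to see which rule IDs fire on which URIs,
# then emit a narrowly scoped exclusion for one rule on one path.

# Constructed sample in the serial audit-log format (three transactions).
# A real log lives at /var/log/modsec_audit.log with the recommended config.
sample_log() {
  cat <<'EOF'
---vZhSXL1C---A--
[15/Nov/2021:14:03:11 +0000] 163693819158.381291 203.0.113.5 43210 198.51.100.2 443
---vZhSXL1C---B--
GET /index.html?exec=/bin/bash HTTP/1.1
Host: www.example.com
---vZhSXL1C---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [tag "paranoia-level/1"] [uri "/index.html"] [unique_id "163693819158.381291"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/index.html"] [unique_id "163693819158.381291"]
---vZhSXL1C---Z--
---kQ2pW7dA---A--
[15/Nov/2021:14:05:40 +0000] 163693834001.118204 198.51.100.77 51922 198.51.100.2 443
---kQ2pW7dA---B--
GET /index.html?exec=/bin/sh HTTP/1.1
Host: www.example.com
---kQ2pW7dA---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/sh' ) [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [tag "paranoia-level/1"] [uri "/index.html"] [unique_id "163693834001.118204"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/index.html"] [unique_id "163693834001.118204"]
---kQ2pW7dA---Z--
---Hs81LmN0---A--
[15/Nov/2021:14:09:02 +0000] 163693854217.902377 192.0.2.14 60411 198.51.100.2 443
---Hs81LmN0---B--
POST /wp-admin/post.php HTTP/1.1
Host: www.example.com
---Hs81LmN0---H--
ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'sos' [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [tag "paranoia-level/1"] [uri "/wp-admin/post.php"] [unique_id "163693854217.902377"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-admin/post.php"] [unique_id "163693854217.902377"]
---Hs81LmN0---Z--
EOF
}

# Read a serial audit log on stdin; print "count rule_id uri", most frequent
# first. Only lines inside an H section carry rule messages.
summarise_rule_hits() {
  awk '
    /^---[A-Za-z0-9]+---H--$/ { in_h = 1; next }
    /^---[A-Za-z0-9]+---[A-Z]--$/ { in_h = 0; next }
    in_h && /^ModSecurity: / {
      id = ""; uri = ""
      if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
      if (match($0, /\[uri "[^"]*"\]/))  uri = substr($0, RSTART + 6, RLENGTH - 8)
      if (id != "") hits[id " " uri]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

# Drop the CRS evaluation/correlation rules (949xxx, 959xxx, 980xxx); they
# fire on every blocked request and never identify the real cause.
exclude_evaluation_rules() {
  grep -Ev '^[0-9]+ (949|959|980)[0-9]{3} '
}

# Print an exclusion for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf that
# disables one rule ID only for requests under one path.
# Args: unique id for the new rule, path prefix, rule ID to remove.
suggest_exclusion() {
  printf 'SecRule REQUEST_FILENAME "@beginsWith %s" "id:%s,phase:1,pass,nolog,ctl:ruleRemoveById=%s"\n' "$2" "$1" "$3"
}

# Stand-alone run on the constructed sample; on a real host use
#   summarise_rule_hits < /var/log/modsec_audit.log | exclude_evaluation_rules
sample_log | summarise_rule_hits | exclude_evaluation_rules
suggest_exclusion 1001 /wp-admin/post.php 942100
```

On the sample this reports two hits of 932160 on /index.html (genuine attack traffic, nothing to exclude) and one hit of 942100 on /wp-admin/post.php; if your editors keep tripping that one when saving posts, the printed SecRule removes only 942100 under /wp-admin/post.php and leaves every other rule active there.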

Optional - Add Project Honey Pot

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system, you can install addresses that are tagged with the time and IP address of a visitor to your site. If one of these addresses begins receiving email, we can tell not only that the messages are spam, but also the exact moment the address was harvested and the IP address that gathered it.

ModSecurity has an option to integrate Project Honey Pot, which queries its database and blocks any address found on the Honey Pot blacklist. Note, using this can lead to false positives. They are rare because the data is reliable, but occasionally good bots get flagged, so be careful.

Another drawback of this feature is that on a visitor's first request, the time to first byte (which matters most for new visitors) is slower, because your web server sends a query to Project Honey Pot and waits for the response. Once an IP has been looked up, the response is cached, so subsequent requests are fast. Still, given the emphasis on load time and SEO, some may not want any increase in load time, however small.

Step 1. Create a free account.

Step 2. Once registered and logged in, on the dashboard, find the line (Your http:BL API key) and click to get one.

Step 3. Return to the crs-setup.conf file and open it with a text editor (use coreruleset-3.4-dev if you installed option 2):

sudo nano /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf

Step 4. Find the block starting with #SecHttpBlKey, which is on line 629:

#SecHttpBlKey XXXXXXXXXXXXXXXXX
#SecAction "id:900500,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.block_search_ip=1,\
#  setvar:tx.block_suspicious_ip=1,\
#  setvar:tx.block_harvester_ip=1,\
#  setvar:tx.block_spammer_ip=1"

Step 5. Replace SecHttpBlKey XXXXXXXXXXXXXXXXX with your key from Project Honey Pot.

Example:

SecHttpBlKey amhektvkkupe

Step 6. Next, uncomment all the lines to enable the rule. To turn off one of the categories, replace its (1) with (0). The tutorial sets block_search_ip to 0: that category covers search engine crawlers, so leave it at 0 if you want Bing, Google and other good bots to keep reaching your site.

SecHttpBlKey amhektvkkupe
SecAction "id:900500,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.block_search_ip=0,\
  setvar:tx.block_suspicious_ip=1,\
  setvar:tx.block_harvester_ip=1,\
  setvar:tx.block_spammer_ip=1"

Note, do not use amhektvkkupe; it is only a placeholder. Use your own key!

Step 7. Test Nginx to make sure no errors occurred with the following:

sudo nginx -t

Example output if everything is correct:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart your Nginx service:

sudo systemctl restart nginx

WPRS WordPress rule set for ModSecurity

Another option for WordPress users is to install and run, alongside the OWASP CRS, a well-known project called the WPRS rule set. Since this is optional and not for everyone, the tutorial does not cover it in this section. However, if you would like to install it for extra protection when running WordPress on your server, please see our tutorial Install WordPress ModSecurity Rule Set (WPRS).

Create a ModSecurity logrotate file

Given how much information ModSecurity can log per transaction, the audit log grows quickly. Because you compiled the module yourself rather than installing it from an Ubuntu repository, no logrotate configuration was installed for it, so you need to create your own.

First, create and open your ModSecurity logrotate file, modsec:

sudo nano /etc/logrotate.d/modsec

Add the following:

/var/log/modsec_audit.log
{
        rotate 31
        daily
        missingok
        compress
        delaycompress
        notifempty
        copytruncate
}

This keeps 31 days of logs. If you want fewer, change 31 to 7 for a week's worth. You should rotate daily for ModSecurity; a weekly file would be a nightmare to review given how large it gets. copytruncate is included because nginx keeps the audit log file open: with the default rename-based rotation, new entries would keep landing in the renamed file instead of a fresh modsec_audit.log.


Conclusion

In this tutorial, you learned how to obtain the Nginx source, compile ModSecurity and its Nginx connector, and set up the OWASP rules, which are the most important parts. Overall, deploying ModSecurity on your server gives immediate protection. However, patience, time and a willingness to learn will be needed for the larger part of the job: tuning. The last thing you want is to block SEO bots or, more importantly, legitimate users who may be customers.
