How to Install & Configure ModSecurity with Nginx on Debian 11

ModSecurity, often shortened to Modsec, is a free, open-source web application firewall (WAF). ModSecurity was originally designed as a module for the Apache HTTP server. Since those early days, however, the WAF has grown and now covers a wide range of HyperText Transfer Protocol request and response filtering capabilities for platforms such as Microsoft IIS, Nginx, and of course Apache.

The way the WAF works is that the ModSecurity engine is deployed in front of the web application, which lets the engine inspect incoming and outgoing HTTP connections. ModSecurity is most commonly used together with the OWASP Core Rule Set (CRS), an open-source rule set written in ModSecurity's SecRules language and highly regarded across the security industry.

The OWASP rules with ModSecurity can help protect your server almost immediately against:

  • Bad user agents
  • DDOS
  • Cross-site scripting
  • SQL injection
  • Session hijacking
  • Other threats

In this tutorial, you will learn how to install ModSecurity with Nginx on Debian 11.

Prerequisites

  • Recommended OS: Debian 11 Bullseye
  • User account: A user account with sudo privileges or root access (su command).
  • Required packages: curl

Updating the Operating System

Update your Debian 11 operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade

Root or Sudo Access

By default, when you create your account during installation on Debian, unlike on other distributions, it is not automatically given sudoers status. You must either have access to the root password to use the su command, or visit our tutorial on How to Add a User to Sudoers on Debian.

Install the CURL package

The tutorial will use the curl package; first, check whether the package is installed:

curl --version

Example output if installed:

curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09

If you do not have curl installed, use the following command:

sudo apt install curl -y

Install Latest Stable or Mainline Nginx

First, it is recommended to remove any existing installation of Nginx and install the latest stable or mainline version of Nginx.

Remove the existing Nginx installation

Stop the current Nginx service:

sudo systemctl stop nginx

Now remove the existing Nginx installation as follows:

apt-get purge nginx -y && sudo apt autoremove nginx -y

Import the Latest Nginx & Install

To use the latest version of either nginx mainline or stable, you must first import the repository.

To import the mainline repository:

curl -sSL https://packages.sury.org/nginx-mainline/README.txt | sudo bash -x

To import the stable repository:

curl -sSL https://packages.sury.org/nginx/README.txt | sudo bash -x

Update your repository list to reflect the new change:

apt update

Now that you have added the Nginx repository and updated the repository list, install Nginx with the following:

apt install nginx-core nginx-common nginx nginx-full

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during installation. It is recommended to keep your current configuration file by pressing (n). This will happen regardless of the maintainer version, and you can also review the file later.

Add the Nginx source code repository

When you install the latest Nginx mainline or stable version, by default only the binaries are installed. However, you will need the source to compile ModSecurity later in the tutorial.

First, open the repository file in /etc/apt/sources.list.d with nano as follows:

Mainline:

nano /etc/apt/sources.list.d/nginx-mainline.list

Stable:

nano /etc/apt/sources.list.d/nginx.list

For both mainline and stable, when you open the file you will see only one line, like the following:

#Mainline File#
deb https://packages.sury.org/nginx-mainline/ bullseye main
#Stable File#
deb https://packages.sury.org/nginx/ bullseye main

Under the first line, add the following deb-src line:

Mainline:

deb-src https://packages.sury.org/nginx-mainline/ bullseye main

Stable:

deb-src https://packages.sury.org/nginx/ bullseye main

Example of what it should look like (mainline example only): [screenshot omitted]

Download the Nginx Source

You will need to download the Nginx source code to compile the ModSecurity dynamic module. To do this, download and save the source packages in the /usr/local/src/nginx directory.

Create and set up the directory

Create the directory as follows:

mkdir /usr/local/src/nginx && cd /usr/local/src/nginx

Optional - Assign permissions on the directory if required, as below:

chown username:username /usr/local/src/ -R

Install the dependencies and perform the download

Next, download the source packages with the following:

apt install dpkg-dev -y && sudo apt source nginx

Note, you will see a warning message like the one below:

dpkg-source: info: extracting nginx in nginx-1.21.1
dpkg-source: info: unpacking nginx_1.21.1.orig.tar.gz
dpkg-source: info: unpacking nginx_1.21.1-1+0~20210802.31+debian11~1.gbp08d591.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying 0001-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
dpkg-source: info: applying 0002-define_gnu_source-on-other-glibc-based-platforms.patch
W: Download is performed unsandboxed as root as file 'nginx_1.21.1-1+0~20210802.31+debian11~1.gbp08d591.dsc' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

This can be safely ignored.

Verify the source version

Next, list the files in the directory with the ls command as follows:

ls

You should see the following output in your /usr/local/src/nginx directory:

nginx-1.21.1
nginx_1.21.1-1+0~20210802.31+debian11~1.gbp08d591.debian.tar.xz
nginx_1.21.1-1+0~20210802.31+debian11~1.gbp08d591.dsc
nginx_1.21.1.orig.tar.gz
nginx_1.21.1.orig.tar.gz.asc

Next, verify that the source package is the same version as the Nginx you installed on your Debian operating system. To do this, use the nginx -v command as follows:

sudo nginx -v

The downloaded source must match the binary version installed on your system.

Example:

nginx version: nginx/1.21.1
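As an added check that is not part of the original tutorial, the following script parses the text that nginx -v prints and the name of the source directory, and refuses to continue when the two versions differ. The source directory path and the helper names are this example's own assumptions. The same check is worth repeating after every Nginx package upgrade (see the Nginx Updates section below), because a dynamic module built against a different Nginx version is refused with a version mismatch error when Nginx loads it.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm that the Nginx
# source tree under /usr/local/src/nginx matches the installed binary before
# compiling the ModSecurity connector against it.

# Extract "1.21.1" from the text that `nginx -v` prints, for example
# "nginx version: nginx/1.21.1". Works on captured text, so it can be
# checked without a running Nginx. Prints nothing on unexpected input.
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*/\1/p'
}

# Extract "1.21.1" from a source directory name such as "nginx-1.21.1"
# (a full path such as /usr/local/src/nginx/nginx-1.21.1 is accepted).
parse_source_dir_version() {
    printf '%s\n' "$(basename "$1")" | sed -n 's/^nginx-\([0-9][0-9.]*\)$/\1/p'
}

# Compare the installed binary against a source directory. Returns 0 when
# the versions match and 1 otherwise, printing a one-line verdict.
check_source_matches_binary() {
    src_dir=$1
    # `nginx -v` writes to stderr, so redirect it into the capture.
    bin_ver=$(parse_nginx_version "$(nginx -v 2>&1)")
    src_ver=$(parse_source_dir_version "$src_dir")
    if [ -n "$bin_ver" ] && [ "$bin_ver" = "$src_ver" ]; then
        echo "OK: binary $bin_ver matches source $src_dir"
        return 0
    fi
    echo "MISMATCH: binary '$bin_ver' vs source '$src_ver' ($src_dir)" >&2
    return 1
}

# Typical use, run from /usr/local/src/nginx after `apt source nginx`:
#   check_source_matches_binary /usr/local/src/nginx/nginx-1.21.1 \
#       && ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx
```

Because the version is parsed from text, the two parse helpers can be exercised on their own; only check_source_matches_binary needs the nginx binary on the system.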

Install libmodsecurity3 for ModSecurity

The libmodsecurity3 package is the part of the WAF that actually performs the HTTP filtering for your web application. On Debian 11, you can install it from the default Debian 11 repository. However, this is not recommended, as with most stable versions it often lags behind. Instead, you will compile it from the latest source as follows.

Clone the ModSecurity Repository from Github

The first step is to clone from Github; if you have not installed git, you will need to run the following command:

apt install git -y

Next, clone the libmodsecurity3 GIT repository as follows:

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/

Once cloned, you will need to CD into the directory:

cd /usr/local/src/ModSecurity/

Install the libmodsecurity3 dependencies

To compile, you will need to install the following dependencies:

sudo apt install gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext pkg-config libpcre3 libpcre3-dev libxml2 libxml2-dev libcurl4 libgeoip-dev libyajl-dev doxygen -y

Now that this is done, install the GIT submodules as follows:

git submodule init

Then update the submodules:

git submodule update

Build the ModSecurity environment

The next step is to build the build environment. Use the following command:

./build.sh

Next, run the configure command:

./configure

Note, you may see the following error:

fatal: No names found, cannot describe anything.

You can safely ignore this and continue to the next step.

Compile the ModSecurity source code

Now that you have built and configured the environment for libmodsecurity3, it is time to compile it with the make command.

make

A good trick is to specify the -j flag, as this can significantly increase the compile speed if you have a powerful server. For example, the LinuxCapable server has 6 CPUs, and I can use all 6, or at least use 4 to 5, to speed things up.

make -j 6

Once you have compiled the source code, run the install command in your terminal:

make install

Note, the installation goes into /usr/local/modsecurity/, which you will refer to later in the tutorial.

Install the ModSecurity-nginx connector

The ModSecurity-nginx connector is the link between nginx and libmodsecurity. Put simply, it is the component that communicates between Nginx and ModSecurity (libmodsecurity3).

Clone the ModSecurity-nginx Repository from Github

As in the previous step of cloning the libmodsecurity3 repository, you will need to clone the connector repository as well using the following command:

sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/

Install the ModSecurity-nginx Dependencies

Next, CD into the Nginx source directory as follows:

cd /usr/local/src/nginx/nginx-1.21.1

Note, replace the version in the command with the Nginx version currently on your system.

Now, run the following command in your Debian terminal to install the required dependencies:

apt build-dep nginx && sudo apt install uuid-dev -y

Next, you will compile the ModSecurity-nginx connector module only, with the --with-compat flag, as follows:

./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

Now make (build) the dynamic module with the following command:

make modules

Next, while still in the Nginx source directory, use the following command to move the dynamic module you built, which is saved at objs/ngx_http_modsecurity_module.so, by copying it to the /usr/share/nginx/modules directory.

sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

You can store the dynamic module anywhere, as long as you specify the full path when loading it.

Load and Configure the ModSecurity-nginx Connector with the Nginx Web Server

Now that you have compiled the dynamic module and placed it correctly, you need to edit your /etc/nginx/nginx.conf configuration file to get ModSecurity working on your Nginx web server.

Enable ModSecurity in nginx.conf

First, you need to specify load_module with the path to your modsecurity module.

Open nginx.conf with any text editor. For this tutorial, nano will be used:

sudo nano /etc/nginx/nginx.conf

Next, add the following line to the file near the top:

load_module modules/ngx_http_modsecurity_module.so;

If you placed the module elsewhere, make sure you include the full path.

Now add the following lines inside the http {} section as follows:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;

Example only: [screenshot omitted]

Save the nginx.conf file (CTRL+O), then exit (CTRL+X).

Create and configure the directory and files for ModSecurity

You will need to create a directory to store the configuration files and, later, the rules, the OWASP CRS for this tutorial.

Use the following command to create the /etc/nginx/modsec directory:

sudo mkdir /etc/nginx/modsec/

Now, you need to copy the sample ModSecurity configuration file from the GIT directory you cloned earlier:

sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Using your favourite text editor, open the modsecurity.conf file as follows:

sudo nano /etc/nginx/modsec/modsecurity.conf

By default, the ModSecurity configuration has the rule engine set to (Detection only), which in other words runs ModSecurity and detects all malicious behaviour, but does not block or ban and only logs every HTTP transaction it flags. This should only be used if you have a lot of false positives, or if you are raising the security level settings to a very high level and testing whether any false positives occur.

To change this behaviour to (On), find the following on line 7:

SecRuleEngine DetectionOnly

Change the line to the following to enable ModSecurity:

SecRuleEngine On

Now, you need to find the following, which is located on line 224:

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

This is incorrect and needs to be changed. Change the line to the following:

SecAuditLogParts ABCEFHJKZ

Now, save the modsecurity.conf file using (CTRL+O) and exit (CTRL+X).

The next part is to create the modsec-config.conf file. This is where you will include the modsecurity.conf file along with, later on, other rules such as the OWASP CRS and, if you use WordPress, the WPRS rule set.

Use the following command to create the file and open it:

sudo nano /etc/nginx/modsec/modsec-config.conf

Once inside the file, add the following line:

Include /etc/nginx/modsec/modsecurity.conf

Save the modsec-config.conf file with (CTRL+O), then (CTRL+X) to exit.

Finally, copy ModSecurity's unicode.mapping file with the cp command as follows:

sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Now, before continuing, you should do a dry run test of your Nginx service using the following terminal command:

sudo nginx -t

If you have configured everything correctly, you will get the following result:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

To make these changes live, restart your Nginx service using the systemctl command:

sudo systemctl restart nginx

Install the OWASP Core Rule Set for ModSecurity

ModSecurity by itself does not protect your web server; you need rules. One of the most popular, well-respected and well-known rule sets is the OWASP CRS. These rules are the most commonly used across web servers and other WAFs. In fact, many similar systems base a large part of their rules on this CRS. Installing this rule set will give you good automatic protection against many of the emerging threats on the Internet by detecting bad actors and blocking them.

Keep in mind that OWASP CRS has a stable version, which typically takes about a year between releases. The current version is 3.3.3. The problem is that new rules for fixes, new detections, false positive removals, and new exclusions for common software such as phpBB forums that are released in the 3.3.4 development (beta) version are not included until the next full release.

The trade-off can be seen from two sides: with the 3.3.3 package you have stable, well-tested rules that may not be updated for the latest threats, fixes and patches, whereas with the 3.3.4 dev version you get all of this but may possibly see other issues occur. However, this is rare, since before the OWASP Core Rule Set team pushes new commits to the repository they hold monthly meetings to discuss the changes, and often it is not one person making the call but the whole team reviewing the changes and accepting them as a group, which makes the dev version quite appealing.

In this tutorial, both will be covered, and it is up to you which one you use. In either case, make sure you check your ModSecurity logs for any issues, especially around false positives.

Option 1. Install OWASP CRS 3.3 (Stable)

Using the wget command, download the OWASP CRS 3.3 archive as follows:

wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.3/master.zip

Install the unzip package if it is not already installed on your server:

sudo apt install unzip -y

Now, unzip the archive as follows:

sudo unzip master.zip -d /etc/nginx/modsec

As before with the sample modsecurity.conf configuration, OWASP CRS comes with a sample configuration file that you need to rename. It is best to use the cp command and keep the original as a backup in case you need to start again.

sudo cp /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf

To enable the rules, open /etc/nginx/modsec/modsec-config.conf again using any text editor:

sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file, add the following two lines:

Include /etc/nginx/modsec/coreruleset-3.3-master/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.3-master/rules/*.conf

Save the file (CTRL+O) and exit (CTRL+X).

As before, you should test any new additions to your Nginx service before making them live:

sudo nginx -t

You should get the following result, which means everything is working correctly:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart your Nginx service to make the changes live:

sudo systemctl restart nginx

Option 2. Install OWASP CRS 3.3.4 (dev)

Note, when using 3.4 dev you will need to check the repository for changes regularly. New additions often arrive a few times a month to a few times a week. If you are not committed to that or are unsure, install option 1 and skip this option entirely.

Using the wget command, download the OWASP CRS 3.4 archive as follows:

wget https://github.com/coreruleset/coreruleset/archive/refs/heads/v3.4/dev.zip

Install the unzip package if it is not already installed on your server:

apt install unzip -y

Now, unzip the dev.zip archive as follows:

unzip dev.zip -d /etc/nginx/modsec

As before with the sample modsecurity.conf configuration, OWASP CRS comes with a sample configuration file that you need to rename. It is best to use the cp command and keep the original as a backup in case you need to start again.

cp /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

To enable the rules, open /etc/nginx/modsec/modsec-config.conf again using any text editor:

nano /etc/nginx/modsec/modsec-config.conf

Inside the file, add the following two lines:

Include /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.4-dev/rules/*.conf

Save the file (CTRL+O) and exit (CTRL+X).

As before, you should test any new additions to your Nginx service before making them live:

sudo nginx -t

You should get the following result, which means everything is working correctly:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart your Nginx service to make the changes live:

sudo systemctl restart nginx

Updating 3.3.4-dev

If you want to update the rules for the dev version of OWASP CRS, download the archive as in the first step and re-extract the files. Files you have modified are not overwritten without asking, so you will see several prompts during the extraction.

Using and Understanding OWASP CRS

OWASP CRS has many options; the default settings, however, will protect most servers out of the box without harming your legitimate visitors and good SEO bots. Below, a few sections are covered to help explain them. Further reading is best done in the configuration files themselves, as they contain a fair amount of explanatory text for each option.

Open your crs-setup.conf file as follows:

nano /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

Note, this is the dev version configuration, which has additional items compared to the 3.3 version.

From here, you can adjust most of your OWASP CRS settings.

OWASP CRS Scoring

To break it down, ModSecurity has two modes:

Anomaly Scoring Mode

# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.

Self-Contained Mode

# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.

Anomaly scoring is, for most users, the best mode to use.

There are four paranoia levels:

  • Paranoia Level 1 - Default level, recommended for most users.
  • Paranoia Level 2 - Advanced users only.
  • Paranoia Level 3 - Expert users only.
  • Paranoia Level 4 - Not recommended at all, except for special circumstances.

# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
#   are enabled. PL1 is advised for beginners, installations
#   covering many different sites and applications, and for setups
#   with standard security requirements.
#   At PL1 you should face FPs rarely. If you encounter FPs, please
#   open an issue on the CRS GitHub site and don't forget to attach your
#   complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
#   many regexp-based SQL and XSS injection protections, and adding
#   extra keywords checked for code injections. PL2 is advised
#   for moderate to experienced users desiring more complete coverage
#   and for installations with elevated security requirements.
#   PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
#   limits on special characters used. PL3 is aimed at users experienced
#   at the handling of FPs and at installations with a high security
#   requirement.
# - Paranoia level 4 further restricts special characters.
#   The highest level is advised for experienced users protecting
#   installations with very high security requirements. Running PL4 will
#   likely produce a very high number of FPs which have to be
#   treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.

Test OWASP CRS on your server

To test whether OWASP CRS is working on your server, open your Internet browser and use the following:

https://www.yourdomain.com/index.html?exec=/bin/bash

You should get a 403 Forbidden error. If not, a step has been missed.

The most common issue is failing to change DetectionOnly to On, as described earlier in the tutorial.
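Added example (not from the original tutorial): a small script that first reads the effective SecRuleEngine value out of modsecurity.conf, since a forgotten DetectionOnly is the most common reason the request above does not return 403, and then sends the same test request with curl and classifies the status code. The host name www.yourdomain.com is the page's own placeholder; the helper names and the sample configuration lines are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that ModSecurity is
# enforcing, first from the configuration and then with an HTTP probe.

# Print the effective SecRuleEngine value (On, Off or DetectionOnly) from a
# modsecurity.conf. Commented-out lines are ignored, and when the directive
# appears more than once the last occurrence wins, as it does in ModSecurity.
modsec_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Map the HTTP status of the test request to a plain verdict.
waf_verdict() {
    case "$1" in
        403) echo "blocked" ;;
        200) echo "not blocked (check SecRuleEngine, it may still be DetectionOnly)" ;;
        *)   echo "inconclusive (HTTP $1)" ;;
    esac
}

# Send the tutorial's test request and classify the result. The host name is
# a placeholder; pass your own as the first argument.
probe_waf() {
    host=${1:-www.yourdomain.com}
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "https://$host/index.html?exec=/bin/bash")
    waf_verdict "$code"
}

# Typical use on the server after `sudo systemctl restart nginx`:
#   modsec_engine_mode /etc/nginx/modsec/modsecurity.conf   # expect "On"
#   probe_waf www.yourdomain.com                             # expect "blocked"
```

If modsec_engine_mode prints DetectionOnly, the probe will come back 200 even though the audit log records the alert; that is the logging-only behaviour described in the modsecurity.conf section above.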

Working Well & Custom Rule Exclusions

Dealing with false positives is a never-ending job. ModSecurity and OWASP CRS do a great job together, but that comes at a cost to your time, and given the protection you get, it is worth it. For starters, a golden rule is never to set the paranoia level high to begin with.

A good rule of thumb is to run the rule set for a few weeks to months with no or minimal false positives, then increase, for example, from paranoia level 1 to paranoia level 2, so that you are not swamped with a ton of false positives all at once.

Excluding well-known false positive applications

ModSecurity by default has the ability to whitelist common behaviour of well-known applications that leads to false positives, as below:

#SecAction \
# "id:900130,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_exclusions_cpanel=1,\
#  setvar:tx.crs_exclusions_dokuwiki=1,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_nextcloud=1,\
#  setvar:tx.crs_exclusions_phpbb=1,\
#  setvar:tx.crs_exclusions_phpmyadmin=1,\
#  setvar:tx.crs_exclusions_wordpress=1,\
#  setvar:tx.crs_exclusions_xenforo=1"

To enable, for example, WordPress, phpBB and phpMyAdmin because you use all three, uncomment the lines and leave their (1) value untouched, and change the other services you do not use, for example Xenforo, to (0), as you do not want to whitelist those rules.

Example below:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_cpanel=0,\
  setvar:tx.crs_exclusions_dokuwiki=0,\
  setvar:tx.crs_exclusions_drupal=0,\
  setvar:tx.crs_exclusions_nextcloud=0,\
  setvar:tx.crs_exclusions_phpbb=1,\
  setvar:tx.crs_exclusions_phpmyadmin=1,\
  setvar:tx.crs_exclusions_wordpress=1,\
  setvar:tx.crs_exclusions_xenforo=0"

You can also shorten the syntax, which is cleaner. Example:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_phpbb=1,\
  setvar:tx.crs_exclusions_phpmyadmin=1,\
  setvar:tx.crs_exclusions_wordpress=1"

As you can see, the unneeded options are removed, and the closing (") is placed at the end of the WordPress line for correct syntax.

Excluding rules Before CRS

To handle custom exclusions, you first need to rename the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example file with the cp command as follows:

sudo cp /etc/nginx/modsec/coreruleset-3.4-dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /etc/nginx/modsec/coreruleset-3.4-dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

The main thing to remember when creating exclusion rules is that each one must have an id: and it must be unique, otherwise you will get an error when you test your Nginx service. For example, with "id:1544,phase:1,log,allow,ctl:ruleEngine=off", id 1544 cannot be used for a second rule.

For example, some REQUEST_URI paths will raise false positives. The example below has two of them, the Google pagespeed beacon and the WPMUDEV plugin for WordPress:

SecRule REQUEST_URI "@beginsWith /wp-load.php?wpmudev" "id:1544,phase:1,log,allow,ctl:ruleEngine=off"

SecRule REQUEST_URI "@beginsWith /ngx_pagespeed_beacon" "id:1554,phase:1,log,allow,ctl:ruleEngine=off"

As you can see, any URL beginning with one of these paths will be allowed straight away.

Another option is to whitelist IP addresses; a few ways you can do this:

SecRule REMOTE_ADDR "^195\.151\.128\.96" "id:1004,phase:1,nolog,allow,ctl:ruleEngine=off"
## or ###
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1/8, 195.151.0.0/24, 196.159.11.13" "phase:1,id:1313413,allow,ctl:ruleEngine=off"

The @ipMatch operator is more useful for subnets. If you want to deny a network or IP address, change allow to deny. With a little know-how you can also create blacklists and whitelists and wire them up with fail2ban. The possibilities are almost endless.

One last example is to disable only the rules that cause false positives, rather than blanket-whitelisting whole paths as in the first REQUEST_URI example. However, this takes more time and testing. For example, if you want to remove rules 941000 to 942999 from the /admin/ area because they keep triggering bans and false positives for your team, find the rule IDs in your modsecurity log file and disable only those IDs. Example below using RemoveByID (remember to give it an id not used by another rule):

SecRule REQUEST_FILENAME "@beginsWith /admin" "id:1004,phase:1,pass,nolog,ctl:ruleRemoveById=941000-942999"

More examples can be found on the ModSecurity GIT wiki page; LinuxCapable will, in the future, create a tutorial on this topic, as there is a lot to cover.
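Added example, not from the original tutorial or the ModSecurity project: a script that counts which rule ids fired under a given URI prefix in a ModSecurity audit log, so that an exclusion can target only those ids instead of the whole path, and then prints a ctl:ruleRemoveById rule in the same form as above. The audit log entries embedded below are constructed for the demonstration (documentation IP addresses, made-up unique ids), the function names are this example's own, and the rule id 1005 used in the generated exclusion is a placeholder you must replace with an id not already in use.

```shell
#!/bin/sh
# Added example (not from the original tutorial): triage false positives from
# the ModSecurity audit log before writing a ctl:ruleRemoveById exclusion.
# Each audit-log entry has an H section whose "ModSecurity: Warning." lines
# carry [id "..."], [msg "..."] and [uri "..."] fields; the functions below
# count the rule ids that fire under a URI prefix.

# Constructed sample audit log with five alerts (not real traffic): three hits
# of 942100 and one of 941100 under /admin, and one hit of 942100 under /blog.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
--1a2b3c4d-A--
[15/Aug/2021:10:22:31 +0000] 162907095123.456789 203.0.113.5 51234 198.51.100.10 443
--1a2b3c4d-H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/admin/post-edit"] [unique_id "162907095123.456789"]
--1a2b3c4d-Z--
--2b3c4d5e-A--
[15/Aug/2021:10:23:02 +0000] 162907098213.112233 203.0.113.5 51240 198.51.100.10 443
--2b3c4d5e-H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/admin/post-edit"] [unique_id "162907098213.112233"]
ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/admin/post-edit"] [unique_id "162907098213.112233"]
--2b3c4d5e-Z--
--3c4d5e6f-A--
[15/Aug/2021:10:25:47 +0000] 162907114712.334455 203.0.113.7 51302 198.51.100.10 443
--3c4d5e6f-H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/admin/settings"] [unique_id "162907114712.334455"]
--3c4d5e6f-Z--
--4d5e6f7a-A--
[15/Aug/2021:10:31:09 +0000] 162907146903.556677 203.0.113.9 51377 198.51.100.10 443
--4d5e6f7a-H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/blog/search"] [unique_id "162907146903.556677"]
--4d5e6f7a-Z--
EOF
}

# Print "count id msg" for every rule id that fired on a URI starting with
# the given prefix, most frequent first. Usage: rule_hits_for_uri LOG PREFIX
rule_hits_for_uri() {
    log=$1
    prefix=$2
    grep 'ModSecurity: ' "$log" |
    awk -v p="$prefix" '
        match($0, /\[uri "[^"]*"\]/) {
            uri = substr($0, RSTART + 6, RLENGTH - 8)
            if (index(uri, p) != 1) next
            match($0, /\[id "[0-9]+"\]/); id = substr($0, RSTART + 5, RLENGTH - 7)
            match($0, /\[msg "[^"]*"\]/); msg = substr($0, RSTART + 6, RLENGTH - 8)
            count[id]++; text[id] = msg
        }
        END { for (id in count) print count[id], id, text[id] }' |
    sort -rn
}

# Render an exclusion in the RemoveByID form used above.
# Usage: exclusion_rule PREFIX OWN_RULE_ID RULE_IDS_TO_REMOVE
exclusion_rule() {
    printf 'SecRule REQUEST_FILENAME "@beginsWith %s" "id:%s,phase:1,pass,nolog,ctl:ruleRemoveById=%s"\n' "$1" "$2" "$3"
}

# Typical use on the server (1005 is a placeholder id; pick an unused one):
#   rule_hits_for_uri /var/log/modsec_audit.log /admin
#   exclusion_rule /admin 1005 942100 >> /etc/nginx/modsec/coreruleset-3.4-dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
```

On the sample log, rule_hits_for_uri with prefix /admin reports 942100 three times and 941100 once, while the /blog hit is left out, so the exclusion written for /admin removes only 942100 and the /blog area keeps full coverage.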

Optional - Add Project Honeypot

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system, you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email, you can tell not only that the messages are spam, but also the exact moment the address was harvested and the IP address that gathered it.

ModSecurity has an option to integrate Project Honeypot, which will query the database and block any address on the HoneyPot blacklist. Note, using this can lead to false positives. They are minimal, as the data is very trustworthy, but from time to time good bots are flagged, so be careful.

Another drawback of using this feature with ModSecurity is that the very first time a visitor comes to your site, the page load, which is costly and critical for new visitors, will be slower, because your web server sends a query to Project Honeypot and waits for the response. After that, once the IP has been checked, the response is cached, making subsequent visits faster. Still, given the emphasis on load time and SEO, some may not want the extra load time on the service, however small it is.

Step 1. Create a free account.

Step 2. Once you have registered and logged in, on the dashboard, find the line (Your http:BL API Key) and click get one.

Step 3. Go back to the crs-setup.conf file, opening it with a text editor (adjust the path to coreruleset-3.3-master if you installed option 1):

sudo nano /etc/nginx/modsec/coreruleset-3.4-dev/crs-setup.conf

Step 4. Find the line beginning with #SecHttpBlKey, which is on line 629.

#SecHttpBlKey XXXXXXXXXXXXXXXXX
#SecAction "id:900500,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.block_search_ip=1,\
#  setvar:tx.block_suspicious_ip=1,\
#  setvar:tx.block_harvester_ip=1,\
#  setvar:tx.block_spammer_ip=1"

Step 5. Replace SecHttpBlKey XXXXXXXXXXXXXXXXXXX with your key from Project HoneyPot.

Example:

SecHttpBlKey amhektvkkupe

Step 6. Next, uncomment all the lines to enable the rule. If you want to disable a check, set (0) instead of (1) for that line. By default, block_search_ip=0 applies to search engine bots; do not enable this if you want Bing, Google, and other good bots to keep coming to your site.

SecHttpBlKey amhektvkkupe
SecAction "id:900500,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.block_search_ip=0,\
  setvar:tx.block_suspicious_ip=1,\
  setvar:tx.block_harvester_ip=1,\
  setvar:tx.block_spammer_ip=1"

Note, do not use amhektvkkupe. Use your own key instead!

Step 7. Test Nginx to make sure no errors have occurred, with the following:

sudo nginx -t

Example output if everything is correct:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart your Nginx service:

sudo systemctl restart nginx

WPRS WordPress Rule Set for ModSecurity

Another option for WordPress users is to install and run, alongside your OWASP CRS rule set, the popular project called the WPRS rule set. As this is optional and not for everyone, the tutorial will not cover it in this section. However, if you would like to install it for additional protection because you run WordPress on your server, please visit our tutorial Install WordPress ModSecurity Rule Set (WPRS).

Create a ModSecurity LogRotate file:

ModSecurity, given the amount of information it can log, will grow its log quickly. As you compiled the module rather than installing it from a Debian repository, you will need to create your own log rotation file.

First, create and open your ModSecurity logrotate file modsec:

sudo nano /etc/logrotate.d/modsec

Add the following:

/var/log/modsec_audit.log
{
        rotate 31
        daily
        missingok
        compress
        delaycompress
        notifempty
}

This will keep logs for 31 days. If you want to keep less, change 31 to, say, 7 for a week's worth of logs. You should rotate daily for ModSecurity: if you ever need to go through the log file, a weekly file would be a disaster to review, given how large it can get.

Common Questions

How to disable ModSecurity temporarily

To disable ModSecurity temporarily, open your nginx.conf configuration file and change the following line:

Change from:

modsecurity on;

Change to:

modsecurity off;

Nginx Updates

When a new version of Nginx mainline or stable arrives and you download and install it, this will break your Nginx installation, as you are using a dynamic module compiled against the older version; the only thing you need to do is redo the download of the updated nginx source, recompile, and move the new modsecurity module into place, replacing the existing one.

You can pause Nginx updates by placing a hold, which guards against the brain-dead moments we all have sometimes:

sudo apt-mark hold nginx

You will be notified that some packages have been held back. When that happens, rebuild the new module, then remove the Nginx hold and upgrade your Nginx binary to the latest version supplied:

Unhold Nginx:

apt-mark unhold nginx

Now upgrade nginx:

apt upgrade nginx

A good command to know if you are unsure which packages are being held is:

apt-mark showhold

This will show you whether your Nginx hold is still active or not, along with any other packages you have on hold.

Comments and Conclusion

In this tutorial, you have learned how to install Nginx from source, compile ModSecurity, and set up the OWASP rules, among the most critical parts. Overall, deploying ModSecurity on your server will provide protection immediately. However, patience, time, and dedication to learning will be needed, and they are a big part of it. The last thing you want is to block SEO bots or, more importantly, legitimate users who could be customers.
