How to Install ModSecurity for Nginx on Debian/Ubuntu


Every developer wants to deploy web applications that are secure and safe from threats. This is usually easier said than done. Websites are being compromised more and more often as attackers keep exploiting every attack vector at their disposal.

Web application security can be a huge challenge, especially given the prevalence of malicious tools such as rootkits, scanners, bots, and other malware. Although a breach may seem to be a matter of when rather than if, it is prudent to put decent security measures in place to protect your web applications.

One of the tools that can provide a decent level of protection against attacks is ModSecurity. It is an open-source Web Application Firewall (WAF) that protects your web applications from a wide range of layer 7 attacks such as cross-site scripting (XSS), SQL injection, session hijacking, and many more.

In this guide, we will show you how to install and configure ModSecurity to work with Nginx on Debian-based Linux distributions such as Ubuntu.

Step 1: Install Dependencies

A number of software dependencies are required for the installation to succeed. But first, update the package lists and refresh the repositories as follows.

$ sudo apt update

Next, install the dependencies as follows.

$ sudo apt install make gcc build-essential autoconf automake libtool libfuzzy-dev ssdeep gettext pkg-config libcurl4-openssl-dev liblua5.3-dev libpcre3 libpcre3-dev libxml2 libxml2-dev libyajl-dev doxygen libcurl4 libgeoip-dev libssl-dev zlib1g-dev libxslt-dev liblmdb-dev libpcre++-dev libgd-dev

Step 2: Install the Latest Nginx Version


The next step is to install the Nginx web server. To get the latest version, we will install it from the ondrej/nginx-mainline PPA, which is currently maintained by a Debian developer since 2000.

To add the PPA to your local Ubuntu system, run the command:

$ sudo add-apt-repository ppa:ondrej/nginx-mainline -y

Next, update the package lists and install the latest Nginx as follows.

$ sudo apt update
$ sudo apt install nginx-core nginx-common nginx nginx-full

By default, only the binary package repository is enabled. It is prudent to enable the source code repository as well so that you can download the Nginx source code in the next step.

To do this, edit the Nginx repository file.

$ sudo vim /etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-*.list

Locate and uncomment this line to enable the source code repository:

# deb-src http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu/ focal main

The file should now contain the deb-src line without the leading #.

Save the changes and exit.

Then update the package lists.

$ sudo apt update

Step 3: Download the Nginx Source Package

To compile the ModSecurity dynamic module, we need to download the Nginx source code package. To do this, we will first create an Nginx directory in the /usr/local/src/ path to hold the Nginx source code package.

$ sudo mkdir -p /usr/local/src/nginx 

Next, assign ownership of the directory as shown. Be sure to replace username with your own sudo username.

$ sudo chown username:username -R /usr/local/src/

After that, navigate into the Nginx source directory:

$ cd /usr/local/src/nginx 

Go ahead and download the Nginx source package:

$ sudo apt source nginx

You will most likely see the following warning:

W: Download is performed unsandboxed as root as file 'nginx_1.19.5.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

This is nothing to worry about, so simply ignore it.

You can take a peek at the source files using the ls command.

$ ls -l

Make sure that the source code version matches the installed Nginx version.

$ nginx -v
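
The version comparison above can be scripted so that a mismatch is caught before the module is built. This is an added example, not part of the original guide; the function names are hypothetical, and the source location is the /usr/local/src/nginx directory created in this step.

```shell
#!/bin/sh
# Added example: compare the running Nginx version with the version of the
# unpacked source tree before building the dynamic module against it.

# Extract "1.21.3" from text such as "nginx version: nginx/1.21.3 (Ubuntu)".
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Extract "1.21.3" from a source directory name such as ".../nginx-1.21.3/".
nginx_version_from_srcdir() {
    basename "$1" | sed -n 's|^nginx-\([0-9][0-9.]*\)$|\1|p'
}

# Return 0 only when both versions could be parsed and are identical.
versions_match() {
    banner_ver=$(nginx_version_from_banner "$1")
    src_ver=$(nginx_version_from_srcdir "$2")
    [ -n "$banner_ver" ] && [ "$banner_ver" = "$src_ver" ]
}

# Real use: nginx -v writes its banner to stderr, hence 2>&1.
if command -v nginx >/dev/null 2>&1; then
    banner=$(nginx -v 2>&1)
    for dir in /usr/local/src/nginx/nginx-*/; do
        [ -d "$dir" ] || continue
        if versions_match "$banner" "$dir"; then
            echo "OK: $dir matches $banner"
        else
            echo "MISMATCH: $dir vs $banner"
        fi
    done
fi
```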

Step 4: Install the Libmodsecurity3 Library

Libmodsecurity is the ModSecurity library that handles HTTP filtering for your applications. There are two ways to install it. You can use the apt package manager as shown:

$ sudo apt install libmodsecurity3

The other approach is to install it from source, which is preferable because it gives you the latest version. To start installing Libmodsecurity from source, clone the git repository as shown:

$ git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/

Navigate into the cloned directory:

$ cd /usr/local/src/ModSecurity/

Make a point of installing the submodules:

$ sudo git submodule init
$ sudo git submodule update

Afterward, build the environment using the commands below.

$ sudo ./build.sh 
$ sudo ./configure

Once again, ignore the error shown below.

fatal: No names found, cannot describe anything.

Then compile the source code and install the other utilities using the following commands. This takes about 25 minutes, so some patience is required.

$ sudo make -j4

Once that is complete, install the library.

$ sudo make install

Step 5: Download and Compile the ModSecurity v3 Nginx Connector

The next step is to download and compile the ModSecurity Nginx connector. The connector, as the name suggests, links the Libmodsecurity library to the Nginx web server. To download the ModSecurity connector, clone it from the GitHub repository as follows.

$ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/

Change into the Nginx source directory downloaded in Step 3. The version number in the path must be the one you downloaded.

$ cd /usr/local/src/nginx/nginx-1.21.3/

Go ahead and install the build dependencies.

$ sudo apt build-dep nginx
$ sudo apt install uuid-dev

Next, compile the ModSecurity Nginx Connector module with the --with-compat flag. The --with-compat option makes the ModSecurity Nginx Connector module binary-compatible with the currently installed Nginx.

$ sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

Once that is done, build the ModSecurity Nginx Connector module using the make command.

$ sudo make modules

The module is saved as objs/ngx_http_modsecurity_module.so. You need to copy this module to the /usr/share/nginx/modules/ directory as follows.

$ sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

Step 6: Load the ModSecurity Nginx Connector Module

To load the Nginx connector module, first open the main Nginx configuration file.

$ sudo vim /etc/nginx/nginx.conf

Add the following line just below the first few lines:

load_module modules/ngx_http_modsecurity_module.so;

In addition, add the following lines in the http {...} section. This enables ModSecurity for all Nginx virtual hosts.

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

Save the changes and exit the file.

Next, create the /etc/nginx/modsec/ directory, which will store the ModSecurity configuration.

$ sudo mkdir /etc/nginx/modsec/

Next, copy the ModSecurity configuration file as follows.

$ sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Then open the configuration file.

$ sudo vim /etc/nginx/modsec/modsecurity.conf

Locate the line that begins with the SecRuleEngine directive.

SecRuleEngine DetectionOnly

This line tells ModSecurity to only log HTTP transactions without taking any action in the face of a web application attack. You need to change this so that ModSecurity not only detects but also blocks web attacks.

Change the line to read as follows:

SecRuleEngine On

Save the changes and exit the file.

Next, create the /etc/nginx/modsec/main.conf file.

$ sudo vim  /etc/nginx/modsec/main.conf

Add this line to reference the /etc/nginx/modsec/modsecurity.conf configuration file.

Include /etc/nginx/modsec/modsecurity.conf

Save the changes and exit the file.

In addition, copy the Unicode mapping file.

$ sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Then test the Nginx configuration.

$ sudo nginx -t

The test should succeed. If it does not, go back and check that all the changes were made correctly.

Finally, restart Nginx to apply all the changes made.

$ sudo systemctl restart nginx

And verify that Nginx is running as expected.

$ sudo systemctl status nginx

Step 7: Download the OWASP Core Rule Set

For ModSecurity to protect your web applications, you need to specify rules that detect suspicious activity and block it. To get started, it is best to install an existing rule set that will help you learn the ropes.

The OWASP Core Rule Set (CRS) is a free, open-source, community-maintained rule set that provides rules to ward off common attack vectors such as SQL injection and cross-site scripting (XSS).

Download the OWASP Core Rule Set from GitHub as shown, using the wget command.

$ wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz

Extract the compressed file.

$ tar xvf v3.3.0.tar.gz

Be sure to move the extracted directory to the /etc/nginx/modsec/ path.

$ sudo mv coreruleset-3.3.0/ /etc/nginx/modsec/

Then rename the crs-setup.conf.example file to crs-setup.conf.

$ sudo mv /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf

Next, go back to the ModSecurity configuration file.

$ sudo vim /etc/nginx/modsec/main.conf

And append the following lines.

Include /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.3.0/rules/*.conf

The file should now have 3 lines: the Include for modsecurity.conf from Step 6, followed by the two CRS Include lines above.

Save the file and, once again, restart Nginx.

$ sudo systemctl restart nginx
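
A quick audit of the files edited in Steps 6 and 7 catches the most common slips: a missing load_module line, SecRuleEngine left at DetectionOnly, or an Include that matches no file. This is an added example, not part of the original guide; audit_modsec and make_sample_tree are hypothetical helpers, and the sample tree is constructed to mirror the guide's paths.

```shell
#!/bin/sh
# Added example, not part of the original guide. audit_modsec checks the files edited
# in Steps 6 and 7; its argument is a hypothetical path prefix ("" audits the live system).
audit_modsec() {
    root=$1; fail=0
    conf="$root/etc/nginx/nginx.conf"; dir="$root/etc/nginx/modsec"
    for f in "$conf" "$dir/modsecurity.conf" "$dir/main.conf"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done
    # The module must be loaded and switched on by uncommented directives.
    grep -Eq '^[[:space:]]*load_module[[:space:]].*ngx_http_modsecurity_module\.so' "$conf" ||
        { echo "FAIL: load_module line missing"; fail=1; }
    grep -Eq '^[[:space:]]*modsecurity[[:space:]]+on[[:space:]]*;' "$conf" ||
        { echo "FAIL: 'modsecurity on;' missing"; fail=1; }
    # DetectionOnly logs but never blocks; report the last uncommented value.
    mode=$(awk '$1 == "SecRuleEngine" { m = $2 } END { print m }' "$dir/modsecurity.conf")
    [ "$mode" = "On" ] || { echo "FAIL: SecRuleEngine is '${mode:-unset}'"; fail=1; }
    # Every Include in main.conf must match at least one readable file.
    while read -r directive target; do
        [ "$directive" = "Include" ] || continue
        found=0
        for f in "$root"$target; do     # unquoted so rules/*.conf expands
            if [ -r "$f" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || { echo "FAIL: Include $target matches no file"; fail=1; }
    done < "$dir/main.conf"
    [ "$fail" -eq 0 ] && echo "PASS: ModSecurity and CRS are wired in"
    return "$fail"
}

# Constructed sample tree mirroring the guide's paths; $2 is the engine mode.
make_sample_tree() {
    crs="$1/etc/nginx/modsec/coreruleset-3.3.0"
    mkdir -p "$crs/rules"
    printf 'load_module modules/ngx_http_modsecurity_module.so;\nhttp {\n modsecurity on;\n}\n' \
        > "$1/etc/nginx/nginx.conf"
    printf 'SecRuleEngine %s\n' "$2" > "$1/etc/nginx/modsec/modsecurity.conf"
    : > "$crs/crs-setup.conf"; : > "$crs/rules/sample.conf"
    for inc in modsecurity.conf coreruleset-3.3.0/crs-setup.conf 'coreruleset-3.3.0/rules/*.conf'; do
        echo "Include /etc/nginx/modsec/$inc"
    done > "$1/etc/nginx/modsec/main.conf"
}

demo=$(mktemp -d)
make_sample_tree "$demo" DetectionOnly
audit_modsec "$demo" || echo "(expected: the sample tree is still in DetectionOnly mode)"
rm -rf "$demo"
```

On a real server, run audit_modsec "" with enough privileges to read /etc/nginx.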

Step 8: Test ModSecurity

Finally, we are going to test ModSecurity and confirm that it can detect and block suspicious HTTP traffic.

We are going to edit the ModSecurity configuration file and create a blocking rule that denies access to a certain URL when it is requested from a web browser.

$ sudo vim /etc/nginx/modsec/modsecurity.conf

Add this line just below the SecRuleEngine On directive:

SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"

You can set the 'id' and 'msg' tags to any values you prefer.

Save the changes and restart Nginx.

$ sudo systemctl restart nginx

Now launch your browser and visit the URL below, with the ?testparam=test suffix:

http://server-ip/?testparam=test

You should get a 403 'Forbidden' error. This indicates that you are trying to access a forbidden resource on the web server.

Additionally, you can check the Nginx error log to confirm that the client was blocked.

$ cat /var/log/nginx/error.log | grep "Test Successful"
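
Going one step beyond the grep above, the denial lines can be reduced to a per-request table and a per-rule count, which is what you need once the CRS rules start firing as well as the test rule. This is an added example, not part of the original guide; the function names are hypothetical, the log lines are constructed, and the line layout is assumed to be the usual ModSecurity v3 error.log format.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes the usual ModSecurity v3
# error.log layout: "[client IP] ModSecurity: Access denied ..." plus [id], [msg], [uri] tags.

# Print one "id<TAB>client<TAB>uri<TAB>msg" row per blocked request.
modsec_denials() {
    awk '
    function tag(line, name,    re, s) {
        re = "\\[" name " \"[^\"]*\"\\]"
        if (!match(line, re)) return "-"
        s = substr(line, RSTART, RLENGTH)
        sub("^\\[" name " \"", "", s); sub("\"\\]$", "", s)
        return s
    }
    match($0, /\[client [^]]+\] ModSecurity: Access denied/) {
        client = substr($0, RSTART + 8); sub(/\].*/, "", client)
        printf "%s\t%s\t%s\t%s\n", tag($0, "id"), client, tag($0, "uri"), tag($0, "msg")
    }' "$1"
}

# Count denials per rule id, busiest rule first, as "id:count".
modsec_rule_counts() {
    modsec_denials "$1" | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $2 ":" $1 }'
}

# Constructed sample: two hits on the Step 8 test rule and one unrelated error.
write_sample_log() {
    cat > "$1" <<'EOF'
2021/10/05 10:00:01 [error] 900#900: *1 [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "8"] [id "254"] [msg "Test Successful"] [uri "/"] [unique_id "1"], client: 192.0.2.10, server: _, request: "GET /?testparam=test HTTP/1.1", host: "server-ip"
2021/10/05 10:00:02 [error] 900#900: *2 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: _, request: "GET /favicon.ico HTTP/1.1", host: "server-ip"
2021/10/05 10:00:07 [error] 900#900: *3 [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `testing' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "8"] [id "254"] [msg "Test Successful"] [uri "/login"] [unique_id "2"], client: 198.51.100.7, server: _, request: "GET /login?testparam=testing HTTP/1.1", host: "server-ip"
EOF
}

log=$(mktemp)
write_sample_log "$log"
modsec_denials "$log"
modsec_rule_counts "$log"
rm -f "$log"
```

On a live server, pass /var/log/nginx/error.log as the argument instead of the sample file.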

That was an overview of how to set up ModSecurity with Nginx on Debian and Ubuntu. We hope this has been beneficial.