How to Install ModSecurity 3 + OWASP with Nginx on Rocky Linux 9

ModSecurity, often shortened to Modsec, is a free, open-source web application firewall (WAF). It started life as a module for the Apache HTTP Server, but the WAF has since matured and now offers HTTP request and response filtering for several platforms, including Microsoft IIS, Nginx, and Apache. ModSecurity's core job is to protect web applications by inspecting incoming traffic and blocking malicious requests. It can also be configured to watch traffic for specific patterns, such as SQL injection attempts, and to raise alerts when it sees them.

ModSecurity is usually deployed together with the OWASP Core Rule Set (CRS), an open-source rule set written in ModSecurity's SecRules language. The CRS is highly regarded in the security industry, and ModSecurity with the CRS is one of the most effective ways of protecting web applications from attack. ModSecurity is not a silver bullet, but it is an important tool in the arsenal of any organization that takes web security seriously.

The OWASP rule set with ModSecurity can immediately help protect your server against:

  • Malicious user agents
  • HTTP-level denial of service (a WAF can throttle abusive clients, but it cannot absorb a volumetric DDoS on its own)
  • Cross-site scripting
  • SQL injection
  • Session hijacking
  • Other threats

In the following tutorial, you will learn how to install ModSecurity 3 and the OWASP Core Rule Set with Nginx on Rocky Linux 9, with example configuration from start to finish.

Update Rocky Linux

First, update your system to make sure all existing packages are up to date.

sudo dnf upgrade --refresh

Install the Latest Nginx Stable or Mainline

Optionally, you can keep your existing Nginx installation if you can obtain the source for that exact version. If not, it is recommended to install the latest stable or mainline build of Nginx, which is what the tutorial does below.

Remove the Existing Nginx Installation

Stop the current Nginx service:

sudo systemctl stop nginx

Then remove the existing installation:

sudo dnf remove nginx

With the old version of Nginx removed (if one was installed), the first step towards installing Nginx mainline is to install dnf-utils, which provides the yum-config-manager command used later:

sudo dnf install dnf-utils -y

Next, add the repositories below.

Add the Nginx Mainline Repository

sudo tee /etc/yum.repos.d/nginx-mainline.repo<<EOF
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/9/x86_64/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF

The baseurl uses https so that repository metadata is not fetched over cleartext; gpgcheck=1 makes dnf verify every package signature against the nginx signing key. On aarch64 (ARM) systems, replace baseurl=https://nginx.org/packages/mainline/centos/9/x86_64/ with baseurl=https://nginx.org/packages/mainline/centos/9/aarch64/.

Add the Nginx Stable Repository

sudo tee /etc/yum.repos.d/nginx-stable.repo<<EOF
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/9/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF

On aarch64 (ARM) systems, replace baseurl=https://nginx.org/packages/centos/9/x86_64/ with baseurl=https://nginx.org/packages/centos/9/aarch64/.

Install Nginx

By default, the stable repository is enabled, so the stable packages would be used. The tutorial installs Nginx mainline, however, so run the following to enable the mainline repository:

sudo yum-config-manager --enable nginx-mainline

If you prefer stable, skip the command above and continue with the next part of the tutorial.

Next, install Nginx:

sudo dnf install nginx

As described above, the tutorial installs the latest version of Nginx from nginx.org. During installation you will be prompted to import the nginx GPG signing key; accept it, because with gpgcheck=1 the packages cannot be installed until the key is imported. Compare the key ID shown with the one published on the nginx.org Linux packages page before accepting.

By default, Nginx is neither enabled nor started after installation. Start the service with:

sudo systemctl start nginx

To make Nginx start at boot, use:

sudo systemctl enable nginx

Optionally, verify your Nginx version. In our case it is the mainline version:

nginx -v
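The two repository files above differ only in the channel path and the CPU architecture, and both have to be edited by hand on aarch64. As an added example, not part of the original tutorial, the functions below generate them from `uname -m` so the baseurl always matches the host. The file contents are the ones shown above; the function names and the argument order are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): write the nginx.org repo files for the
# channel and CPU architecture of this host instead of editing the baseurl by hand.
set -eu

# Map `uname -m` output onto the directory names nginx.org publishes.
nginx_repo_arch() {
  case "$1" in
    x86_64)        echo x86_64 ;;
    aarch64|arm64) echo aarch64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Print the .repo file for channel "stable" or "mainline" and the given arch.
# $3 overrides enabled=; the defaults match the text (stable on, mainline off).
nginx_repo_file() {
  local channel=$1 arch=$2 enabled=${3:-} path
  case "$channel" in
    stable)   path="centos/9";          enabled=${enabled:-1} ;;
    mainline) path="mainline/centos/9"; enabled=${enabled:-0} ;;
    *) echo "unknown channel: $channel" >&2; return 1 ;;
  esac
  cat <<EOF
[nginx-$channel]
name=nginx $channel repo
baseurl=https://nginx.org/packages/$path/$arch/
gpgcheck=1
enabled=$enabled
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
}

# Write both files under /etc/yum.repos.d (needs sudo). Preview with e.g.
#   nginx_repo_file mainline aarch64
install_nginx_repos() {
  local arch
  arch=$(nginx_repo_arch "$(uname -m)")
  nginx_repo_file stable   "$arch" | sudo tee /etc/yum.repos.d/nginx-stable.repo   >/dev/null
  nginx_repo_file mainline "$arch" | sudo tee /etc/yum.repos.d/nginx-mainline.repo >/dev/null
}
```

Run `install_nginx_repos` once, then continue with `yum-config-manager --enable nginx-mainline` if you want mainline; on an unsupported architecture the function refuses rather than writing a repo that cannot resolve.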

Configure FirewallD for Nginx

If you are not replacing an existing Nginx service and are installing Nginx for the first time, you may need to open the firewall for HTTP and HTTPS traffic. An example of how to do this:

Allow HTTP traffic:

sudo firewall-cmd --permanent --zone=public --add-service=http

Allow HTTPS traffic:

sudo firewall-cmd --permanent --zone=public --add-service=https

Once done, reload the firewall to apply the changes:

sudo firewall-cmd --reload

Download the Nginx Source

Next, you need the Nginx source code to compile the ModSecurity dynamic module against it. You will download and unpack the source archive in the /usr/local/src/nginx directory.

Create the Directory

Create the directory and change into it:

sudo mkdir /usr/local/src/nginx && cd /usr/local/src/nginx

Download the Source Archive

Next, download the Nginx source archive from the nginx.org download page for the exact version you installed earlier. If you did not upgrade to the latest stable or mainline Nginx and are running an older version, fetch the source that matches that version instead.

Download the source with wget as follows (the version is an example only; nginx.org also publishes a detached PGP signature, .tar.gz.asc, for each tarball if you want to verify it):

sudo wget https://nginx.org/download/nginx-1.23.1.tar.gz

Keep in mind that the installed Nginx version must match the downloaded source archive; otherwise nginx will refuse to load the module built later in the tutorial.

Next, extract the archive:

sudo tar -xvzf nginx-1.23.1.tar.gz

Verify the Source Version

Next, list the directory contents with ls:

ls

Example output in /usr/local/src/nginx:

$ ls
nginx-1.23.1  nginx-1.23.1.tar.gz

Next, confirm that the source package is the same version as the Nginx installed on your system (nginx -v), as stated earlier.
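The version comparison above is easy to get wrong by eye. As an added example, not from the original tutorial, the helpers below parse both the `nginx -v` output and the archive or directory name and refuse to continue on a mismatch; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): confirm the installed Nginx binary and
# the downloaded source archive are the same version before building against it.
set -eu

# "nginx version: nginx/1.23.1" -> "1.23.1" (nginx -v prints to stderr).
parse_nginx_v_output() {
  printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*/\1/p'
}

nginx_installed_version() {
  parse_nginx_v_output "$(nginx -v 2>&1)"
}

# "nginx-1.23.1.tar.gz" or "/usr/local/src/nginx/nginx-1.23.1" -> "1.23.1".
nginx_source_version() {
  printf '%s\n' "$1" | sed -n 's/^.*nginx-\([0-9][0-9.]*[0-9]\).*$/\1/p'
}

# True only when both strings are non-empty and identical.
versions_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: check_nginx_source nginx-1.23.1.tar.gz
check_nginx_source() {
  installed=$(nginx_installed_version)
  src=$(nginx_source_version "$1")
  if versions_match "$installed" "$src"; then
    echo "ok: installed nginx $installed matches source $src"
  else
    echo "mismatch: installed nginx '$installed' vs source '$src'" >&2
    return 1
  fi
}
```

Call `check_nginx_source nginx-1.23.1.tar.gz` in the source directory; a non-zero exit means you downloaded the wrong tarball.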

Install libmodsecurity3 for ModSecurity

The libmodsecurity3 library is the core of the WAF; it performs the HTTP filtering for your web applications. You will compile it from source.

Clone the ModSecurity Repository from GitHub

The first step is to clone from GitHub. If git is not installed, run:

sudo dnf install git -y

Next, clone the libmodsecurity3 git repository:

sudo git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/

Once done, change into the directory:

cd /usr/local/src/ModSecurity/

Install libmodsecurity3 Dependencies

Before compiling, install the following dependencies.

The first task is to enable the EPEL repository; the recommendation is to enable both CRB and EPEL.

First, enable the CRB repository:

sudo dnf config-manager --set-enabled crb

Next, install EPEL with dnf:

sudo dnf install \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
    https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm

Next, run the following command to install the packages ModSecurity needs. This covers most of the optional features you can use with ModSecurity and the core rules:

sudo dnf install doxygen yajl-devel gcc-c++ flex bison yajl curl-devel zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pcre-static pkgconfig libtool httpd-devel redhat-rpm-config wget curl openssl openssl-devel geos geos-devel geocode-glib-devel geolite2-city geolite2-country nano -y

To install GeoIP, you first need to add the Remi repository:

sudo dnf install dnf-utils https://rpms.remirepo.net/enterprise/remi-release-9.rpm -y

Then install GeoIP-devel:

sudo dnf --enablerepo=remi install GeoIP-devel -y

Finally, initialize the git submodules:

sudo git submodule init

Then update them:

sudo git submodule update

Build the ModSecurity Environment

The next step is to build the environment. Run:

sudo ./build.sh

Then run configure:

sudo ./configure

Note that you may see the following message:

fatal: No names found, cannot describe anything.

It comes from git describe, which finds no tags because the repository was cloned with --depth 1. You can safely ignore it and move on.

Compile the ModSecurity Source Code

Now that you have built and configured the libmodsecurity3 environment, compile it with make:

sudo make

A useful trick is to pass -j, which can speed up compilation considerably if you have a server with several cores.

For example, on a server with 6 CPUs you could use 6, or at least 4 to 5:

sudo make -j 6

After compiling, run make install:

sudo make install

Note that the files are installed under /usr/local/modsecurity/, which you will reference later.

Install the ModSecurity-nginx Connector

The ModSecurity-nginx connector is the bridge between Nginx and libmodsecurity: it is the piece that lets Nginx hand requests to ModSecurity (libmodsecurity3).

Clone the ModSecurity-nginx Repository from GitHub

As in the earlier step of cloning the libmodsecurity3 repository, clone the connector repository:

sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/

Compile the ModSecurity-nginx Module

Next, change into the Nginx source directory; the version in the example below will differ from yours:

Example:

cd /usr/local/src/nginx/nginx-1.23.1/

Then configure the ModSecurity-nginx connector as a dynamic module only, with the --with-compat flag:

sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

Now build the dynamic module:

sudo make modules

Next, while still in the Nginx source directory, copy the dynamic module you just built, objs/ngx_http_modsecurity_module.so, into the modules directory. For the Nginx package from Rocky Linux's own repositories that is /usr/share/nginx/modules:

sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

You can keep the dynamic module anywhere as long as you specify the full path when loading it.

For users who installed Nginx mainline or stable from nginx.org, the location is /etc/nginx/modules (nginx -V shows the module path the binary was built with, under --modules-path):

sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
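The libmodsecurity3 and connector builds above are a dozen commands that have to be repeated for every Nginx upgrade. As an added example, not from the original tutorial, here they are as one script: the paths are the ones used in the text, the make job count comes from `nproc` instead of a hard-coded 6, and the module is copied to the `--modules-path` reported by `nginx -V` rather than to a guessed directory. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): the libmodsecurity3 and connector build
# steps as one re-runnable script. Run as root after both git clones exist.
set -eu

MODSEC_SRC=/usr/local/src/ModSecurity
CONNECTOR_SRC=/usr/local/src/ModSecurity-nginx
NGINX_SRC_BASE=/usr/local/src/nginx

# Jobs for make -j: all CPUs but one, never below 1 (6 CPUs -> 5).
build_jobs() {
  n=${1:-$(nproc)}
  if [ "$n" -gt 1 ]; then echo $((n - 1)); else echo 1; fi
}

# Read --modules-path out of the "configure arguments:" line that nginx -V
# prints, so the .so lands where the installed binary looks for modules.
parse_modules_path() {
  printf '%s\n' "$1" | sed -n 's/.*--modules-path=\([^ ]*\).*/\1/p'
}

nginx_modules_path() {
  p=$(parse_modules_path "$(nginx -V 2>&1)")
  echo "${p:-/etc/nginx/modules}"
}

# "nginx version: nginx/1.23.1" -> "1.23.1", used to find the unpacked source tree.
nginx_installed_version() {
  nginx -v 2>&1 | sed 's#.*nginx/##'
}

build_libmodsecurity() {
  cd "$MODSEC_SRC"
  git submodule init
  git submodule update
  ./build.sh
  # "fatal: No names found, cannot describe anything." comes from git describe
  # and is expected after a --depth 1 clone (no tags were fetched).
  ./configure
  make -j "$(build_jobs)"
  make install            # installs under /usr/local/modsecurity/
}

build_connector() {
  cd "$NGINX_SRC_BASE/nginx-$(nginx_installed_version)"
  ./configure --with-compat --add-dynamic-module="$CONNECTOR_SRC"
  make modules
  install -m 0644 objs/ngx_http_modsecurity_module.so "$(nginx_modules_path)/"
}

# Run both stages:
#   build_libmodsecurity && build_connector
```

After `build_connector`, use the directory printed by `nginx_modules_path` in the load_module line of nginx.conf (or the relative `modules/` form when /etc/nginx/modules points there).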

Configure the ModSecurity-nginx Connector with Nginx

Now that you have compiled the dynamic module and placed it correctly, you need to edit /etc/nginx/nginx.conf so that ModSecurity runs with your Nginx web server.

Enable ModSecurity in nginx.conf

First, you need to declare load_module with the path to your ModSecurity module.

Open nginx.conf with any text editor; the tutorial uses nano:

sudo nano /etc/nginx/nginx.conf

Next, add the following line near the top of the file, at the top level (outside the events {} and http {} blocks):

load_module modules/ngx_http_modsecurity_module.so;

If you placed the module somewhere else, use the full path.

Then add the following inside the http {} block:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;

Save the file (CTRL+O), then exit (CTRL+X).
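As an added example (not the nginx.conf shipped by the nginx.org package), here is a minimal nginx.conf showing where the two pieces above sit relative to each other. Only the ModSecurity lines come from the tutorial; the rest is the usual skeleton, and the paths assume the nginx.org package layout.

```nginx
# Added example: minimal nginx.conf skeleton with ModSecurity wired in.
# load_module belongs at the top level, before events {} and http {}.
load_module modules/ngx_http_modsecurity_module.so;

user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Enable the WAF for every server in this http {} block. A server {} or
    # location {} can still opt out with "modsecurity off;" where needed.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;

    include /etc/nginx/conf.d/*.conf;
}
```

Putting the directives in http {} rather than in one server {} means every virtual host is protected by default, and any exception has to be written down explicitly.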

Create and Configure the Directory and Files for ModSecurity

For the tutorial, you need a directory to hold the configuration files and, later, the OWASP CRS rules.

Create the /etc/nginx/modsec directory:

sudo mkdir /etc/nginx/modsec/

Copy the recommended sample ModSecurity configuration file from the git repository you cloned:

sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Using your preferred text editor, open modsecurity.conf:

sudo nano /etc/nginx/modsec/modsecurity.conf

By default, the ModSecurity configuration sets the rule engine to DetectionOnly. In this mode ModSecurity runs and logs every request it would have flagged, but it neither blocks the request nor applies any other disruptive action. Use it when you have many false positives, or after raising the paranoia level, to see what would be blocked before you enforce.

In the configuration file, change this to On. It is on line 7:

SecRuleEngine DetectionOnly

Change the line to the following to enable blocking:

SecRuleEngine On

Next, find SecAuditLogParts, around line 224:

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

Change the line to the following, so the audit log also records the request body (C), the matched rules (K) and multipart file information (J):

SecAuditLogParts ABCEFHJKZ

Save the file (CTRL+O), then exit (CTRL+X).

The next part is to create the modsec-config.conf file. Here you include modsecurity.conf and, later, other rule sets such as the OWASP CRS and, if you run WordPress, the WPRS rule set.

Create and open the file:

sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file, add the following line:

include /etc/nginx/modsec/modsecurity.conf

Save modsec-config.conf (CTRL+O), then exit (CTRL+X).

Finally, copy ModSecurity's unicode.mapping file with cp; modsecurity.conf refers to it by relative name (SecUnicodeMapFile), so it must sit next to it:

sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Before moving on, give your Nginx configuration a dry run:

sudo nginx -t

If everything was done correctly, you should see:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

To apply the changes, restart Nginx with systemctl:

sudo systemctl restart nginx

Install the OWASP Core Rule Set for ModSecurity

ModSecurity alone does not protect your web server; it needs rules. One of the most popular, respected and widely used rule sets is the OWASP CRS. It is the most common rule set across web servers and other WAFs, and many comparable products base most of their rules on it. Installing it gives you a solid baseline of protection against the many threats on the Internet by detecting malicious actors and blocking them.

Check the OWASP CRS releases page on GitHub for the latest version, since the example below will age.

First, change back into the modsec directory you created:

cd /etc/nginx/modsec

With wget, fetch the OWASP CRS 3.3.2 archive, which at the time of writing is the latest stable release. Note that four days before writing, the first release candidate of the next major version appeared, so check the releases page mentioned above for what is current. GitHub's auto-generated zip archives are not signed; look at the release page for signed tarballs if you need to verify provenance.

wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.zip

For those who want to live on the edge, you can download the nightly build. Use nightly only if you are prepared to pull and review the CoreRuleSet GitHub repository regularly for updates and are comfortable with breakage. Nightly may protect against more, but it can also cause problems.

Beginners should use the stable version and not the one below.

wget https://github.com/coreruleset/coreruleset/archive/refs/tags/nightly.zip

At the time of writing, the first v4.0.0-RC1 release was also available, as mentioned above:

wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc1.zip

Install unzip if it is not already on your server:

sudo dnf install unzip -y

Now unzip the archive. The tutorial installs the release candidate, as it carries the most current rules short of nightly, which can be troublesome unless you are experienced with the OWASP rules and ModSecurity. If you prefer the stable release, unzip v3.3.2.zip instead and adjust the paths below accordingly.

sudo unzip v4.0.0-rc1.zip -d /etc/nginx/modsec

I recommend keeping several versions of the OWASP rule set around, since you can download more than one and later switch between them quickly in modsec-config.conf to see which works best without issues, for example comparing the release candidate against nightly or stable.

As with the sample modsecurity.conf, the OWASP CRS ships with a sample configuration that you need to copy. Use cp rather than a rename so the original remains as a backup in case you need to start over:

sudo cp /etc/nginx/modsec/coreruleset-4.0.0-rc1/crs-setup.conf.example /etc/nginx/modsec/coreruleset-4.0.0-rc1/crs-setup.conf

To enable the rules, open /etc/nginx/modsec/modsec-config.conf:

sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file, add the following two lines:

include /etc/nginx/modsec/coreruleset-4.0.0-rc1/crs-setup.conf
include /etc/nginx/modsec/coreruleset-4.0.0-rc1/rules/*.conf

Save the file (CTRL+O) and exit (CTRL+X).

Remember, as explained earlier, you can download several versions and switch between them in this file. Do not forget to carry over your exclusion (allow-list) rules when you do; they are the part that usually has to be preserved across versions.

As before, test the new configuration before applying it to your Nginx service:

sudo nginx -t

The dry run should print the following, meaning everything is working:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx service to apply the changes:

sudo systemctl restart nginx
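The /etc/nginx/modsec layout built over the last two sections (the modsecurity.conf edits, the unicode.mapping copy, the CRS setup file and the includes in modsec-config.conf) is worth having as one repeatable step, especially if you intend to swap CRS versions as suggested above. The script below is an added example, not part of the original tutorial; it applies exactly the edits from the text (SecRuleEngine On, SecAuditLogParts ABCEFHJKZ) and uses the paths from the text in its usage line. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): assemble /etc/nginx/modsec from the
# ModSecurity source tree and an unpacked CRS release, idempotently.
set -eu

# Turn blocking on: DetectionOnly only logs what would have been blocked.
enable_rule_engine() {
  sed -i 's/^SecRuleEngine[[:space:]][[:space:]]*DetectionOnly[[:space:]]*$/SecRuleEngine On/' "$1"
}

# Replace the audit log parts list with the one given in the text.
set_audit_log_parts() {
  sed -i "s/^SecAuditLogParts[[:space:]].*/SecAuditLogParts $2/" "$1"
}

# First value set for a directive, for verification (empty if absent).
modsec_directive() {
  sed -n "s/^$2[[:space:]][[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# $1 ModSecurity source checkout, $2 unpacked CRS directory, $3 destination.
assemble_modsec_dir() {
  src=$1; crs=$2; dest=$3
  mkdir -p "$dest"
  cp "$src/modsecurity.conf-recommended" "$dest/modsecurity.conf"
  # modsecurity.conf names unicode.mapping relatively (SecUnicodeMapFile),
  # so the file has to sit next to it.
  cp "$src/unicode.mapping" "$dest/"
  enable_rule_engine "$dest/modsecurity.conf"
  set_audit_log_parts "$dest/modsecurity.conf" ABCEFHJKZ
  # Copy, never rename, the CRS sample so the original remains as a backup.
  [ -f "$crs/crs-setup.conf" ] || cp "$crs/crs-setup.conf.example" "$crs/crs-setup.conf"
  cat > "$dest/modsec-config.conf" <<EOF
include $dest/modsecurity.conf
include $crs/crs-setup.conf
include $crs/rules/*.conf
EOF
  echo "SecRuleEngine is now: $(modsec_directive "$dest/modsecurity.conf" SecRuleEngine)"
}

# Real run (as root):
#   assemble_modsec_dir /usr/local/src/ModSecurity /etc/nginx/modsec/coreruleset-4.0.0-rc1 /etc/nginx/modsec
#   nginx -t && systemctl restart nginx
```

To try a different CRS version, unzip it beside the first one and call the function again with the new directory; modsec-config.conf is rewritten to point at it, while modsecurity.conf and unicode.mapping stay the same.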

Using and Understanding the OWASP Core Rule Set

OWASP CRS has a large number of options. The defaults, however, will protect most servers out of the box without harming legitimate visitors or well-behaved SEO bots. A few areas are covered below to help explain them; for further reading, go through the configuration files themselves, as they are thoroughly commented.

Open your crs-setup.conf file:

sudo nano /etc/nginx/modsec/coreruleset-4.0.0-rc1/crs-setup.conf

Note that this is the 4.0.0-rc1 configuration, which differs in places from the 3.3 series.

From here, you can change most of your OWASP CRS settings.

OWASP CRS Basics

To break it down, the CRS runs ModSecurity in one of two modes:

Anomaly Scoring Mode

# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.

Self-Contained Mode

# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.

Anomaly scoring is, for most users, the better mode to run.

There are four paranoia levels:

  • Paranoia Level 1 - The default level, recommended for most users.
  • Paranoia Level 2 - Advanced users only.
  • Paranoia Level 3 - Expert users only.
  • Paranoia Level 4 - Not recommended at all, except in special circumstances.

The crs-setup.conf comments describe the levels as follows:

# -- [[ Paranoia Level Initialization ]] ---------------------------------------
#
# The Paranoia Level (PL) setting allows you to choose the desired level
# of rule checks that will add to your anomaly scores.
#
# With each paranoia level increase, the CRS enables additional rules
# giving you a higher level of security. However, higher paranoia levels
# also increase the possibility of blocking some legitimate traffic due to
# false alarms (also named false positives or FPs). If you use higher
# paranoia levels, it is likely that you will need to add some exclusion
# rules for certain requests and applications receiving complex input.
#
# - A paranoia level of 1 is default. In this level, most core rules
#   are enabled. PL1 is advised for beginners, installations
#   covering many different sites and applications, and for setups
#   with standard security requirements.
#   At PL1 you should face FPs rarely. If you encounter FPs, please
#   open an issue on the CRS GitHub site and don't forget to attach your
#   complete Audit Log record for the request with the issue.
# - Paranoia level 2 includes many extra rules, for instance enabling
#   many regexp-based SQL and XSS injection protections, and adding
#   extra keywords checked for code injections. PL2 is advised
#   for moderate to experienced users desiring more complete coverage
#   and for installations with elevated security requirements.
#   PL2 comes with some FPs which you need to handle.
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
#   limits on special characters used. PL3 is aimed at users experienced
#   at the handling of FPs and at installations with a high security
#   requirement.
# - Paranoia level 4 further restricts special characters.
#   The highest level is advised for experienced users protecting
#   installations with very high security requirements. Running PL4 will
#   likely produce a very high number of FPs which have to be
#   treated before the site can go productive.
#
# All rules will log their PL to the audit log;
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
# audit log how the WAF behavior is affected by paranoia level.
#
# It is important to also look into the variable
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
# defined below. Enabling it closes a possible bypass of CRS.

Test OWASP CRS on Your Server

To see whether OWASP CRS is working on your server, open your web browser and request the following, replacing the host name with your own:

https://www.yourdomain.com/index.html?exec=/bin/bash

You should receive a 403 Forbidden error. If not, a step was missed.

The most common cause is not having changed DetectionOnly to On, as mentioned earlier in the tutorial.
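The browser test above only shows one half of the picture: a 403 proves blocking works, but a WAF that also blocks the plain page is no better. As an added example, not from the original tutorial, the functions below run the same probe from the command line with curl, send a benign request alongside it, and say which side failed. The host in the usage comment is a placeholder, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): probe the WAF with curl and report
# whether it blocked only the malicious request.
set -eu

# HTTP status code for a URL (no body, short timeout).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Verdict from the two status codes: the probe must be blocked (403) and the
# benign request must not be; otherwise say which side failed and the likely cause.
waf_verdict() {
  benign=$1; malicious=$2
  if [ "$malicious" = 403 ] && [ "$benign" != 403 ]; then
    echo "pass: probe blocked, benign request allowed ($benign)"
  elif [ "$malicious" != 403 ]; then
    echo "fail: probe not blocked (got $malicious); check SecRuleEngine On and the CRS includes"
  else
    echo "fail: benign request also blocked (got $benign); look for false positives in the audit log"
  fi
}

# Usage: waf_check https://www.example.com   (placeholder host)
waf_check() {
  base=$1
  waf_verdict "$(http_status "$base/index.html")" \
              "$(http_status "$base/index.html?exec=/bin/bash")"
}
```

Run `waf_check` against your own host name; a "probe not blocked" result with a 200 means the rules loaded but the engine is still in DetectionOnly, while a 500 or connection error points at a configuration that did not load at all.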

Dealing with False Positives and Custom Rules

One of the never-ending tasks is handling false positives. ModSecurity and the OWASP CRS work well together, but they cost you time; for the protection you get, it is worth it. To begin with, the cardinal rule is not to set the paranoia level too high.

A good rule of thumb is to run the rule set for a few weeks to months until false positives stop, and only then raise it, for example from paranoia level 1 to paranoia level 2, so you are not flooded with a ton of them at once.

Excluding Known False Positives

Out of the box, the CRS can exclude rules for common applications that are known to trigger false positives, via the commented-out block below in crs-setup.conf:

#SecAction \
# "id:900130,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_exclusions_cpanel=1,\
#  setvar:tx.crs_exclusions_dokuwiki=1,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_nextcloud=1,\
#  setvar:tx.crs_exclusions_phpbb=1,\
#  setvar:tx.crs_exclusions_phpmyadmin=1,\
#  setvar:tx.crs_exclusions_wordpress=1,\
#  setvar:tx.crs_exclusions_xenforo=1"

For example, if you run WordPress, phpBB and phpMyAdmin, uncomment the lines and keep (1) for those three, and change the applications you do not use, e.g. Xenforo, to (0), since you do not want to exclude rules for software you do not run.

Example below:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_cpanel=0,\
  setvar:tx.crs_exclusions_dokuwiki=0,\
  setvar:tx.crs_exclusions_drupal=0,\
  setvar:tx.crs_exclusions_nextcloud=0,\
  setvar:tx.crs_exclusions_phpbb=1,\
  setvar:tx.crs_exclusions_phpmyadmin=1,\
  setvar:tx.crs_exclusions_wordpress=1,\
  setvar:tx.crs_exclusions_xenforo=0"

You can also trim the syntax, which is cleaner. For example:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_phpbb=1,\
  setvar:tx.crs_exclusions_phpmyadmin=1,\
  setvar:tx.crs_exclusions_wordpress=1"

As you can see, the unnecessary options are removed and the closing quote (") is added at the end of the WordPress line for correct syntax.

Exclusion Rules Before CRS

To handle custom exclusions, first copy REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example to REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf with cp:

sudo cp /etc/nginx/modsec/coreruleset-4.0.0-rc1/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /etc/nginx/modsec/coreruleset-4.0.0-rc1/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

Remember that when you create exclusion rules, each one must have an id: that is unique; otherwise nginx -t will report an error.

For example, in "id:1544,phase:1,log,allow,ctl:ruleEngine=off", id 1544 cannot be used again for a second rule.

Some REQUEST_URI paths, for example, will produce false positives. Below are two examples, one for the Google PageSpeed beacon and one for the WPMU DEV plugin for WordPress:

SecRule REQUEST_URI "@beginsWith /wp-load.php?wpmudev" "id:1544,phase:1,log,allow,ctl:ruleEngine=off"

SecRule REQUEST_URI "@beginsWith /ngx_pagespeed_beacon" "id:1554,phase:1,log,allow,ctl:ruleEngine=off"

As you can see, any URL that begins with that path is allowed through automatically. Note that ctl:ruleEngine=off switches off all inspection for the matching request, so keep the prefix as specific as possible.

Another option is to allow-list IP addresses, which you can do in a few ways:

SecRule REMOTE_ADDR "^195\.151\.128\.96" "id:1004,phase:1,nolog,allow,ctl:ruleEngine=off"
## or ###
SecRule REMOTE_ADDR "@ipMatch 127.0.0.0/8, 195.151.0.0/24, 196.159.11.13" "phase:1,id:1313413,allow,ctl:ruleEngine=off"

@ipMatch is the better choice for subnets. If you want to deny a subnet or a rogue IP address, change allow to deny. With some know-how you can also build block lists and allow lists and manage them with fail2ban. The possibilities are nearly endless.

The final example is to disable only the rules that cause false positives, rather than a blanket allow for an entire path as in the earlier REQUEST_URI example. This takes more time and testing.

For example, if you want to remove rules 941000 to 942999 (the XSS and SQLi rule files) from your /admin/ path while they keep causing false blocks for your team, find the rule ID in your ModSecurity audit log and then disable only that ID with ctl:ruleRemoveById, as in the example below. The id here must differ from the one used for the IP rule above, because 1004 cannot appear twice:

SecRule REQUEST_FILENAME "@beginsWith /admin" "id:1005,phase:1,pass,nolog,ctl:ruleRemoveById=941000-942999"

More examples can be found on the ModSecurity GitHub wiki.
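The advice above, to find the offending rule ID in the audit log and exclude only that, needs a quick way to see which rules fire on which paths. As an added example, not from the original tutorial, the functions below tally rule hits from the serial audit log and skip the CRS anomaly-score summary rules (949110, 980130, 980170), which fire on every block and are a consequence rather than the cause of a false positive. The sample log written by write_sample_log is constructed for this example; real section-H lines carry more fields, but the `[id "..."]`, `[msg "..."]`, `[uri "..."]` order is the one libmodsecurity writes. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise which rules fire on which
# URIs in the ModSecurity audit log, so an exclusion can target one rule id
# instead of switching the engine off for a whole path.
set -eu

# Count rule hits as "count id uri msg", most frequent first. The anomaly
# score summary rules fire whenever anything is blocked and are skipped.
summarize_modsec_hits() {
  sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \3 \2/p' "$1" \
    | grep -v -E '^(949110|980130|980170) ' \
    | sort | uniq -c | sort -rn
}

# The rule id with the most hits: the first candidate for a
# ctl:ruleRemoveById or ctl:ruleRemoveTargetById exclusion.
top_rule_id() {
  summarize_modsec_hits "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample (not real server output): one blocked RCE probe on the
# front page and two hits of the same SQLi rule on an admin search form,
# the kind of repeat on one path that usually turns out to be a false positive.
write_sample_log() {
  cat > "$1" <<'EOF'
ModSecurity: Warning. Matched "Operator PmFromFile with parameter unix-shell.data against variable ARGS:exec (Value: /bin/bash)" [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "1"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "paranoia-level/1"] [hostname "10.0.0.5"] [uri "/index.html"] [unique_id "1"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge with parameter 5 against variable TX:ANOMALY_SCORE (Value: 5)" [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "anomaly-evaluation"] [hostname "10.0.0.5"] [uri "/index.html"] [unique_id "1"]
ModSecurity: Warning. Matched "Operator DetectSQLi against variable ARGS:q (Value: name=value OR )" [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: found within ARGS:q"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "paranoia-level/1"] [hostname "10.0.0.5"] [uri "/admin/search"] [unique_id "2"]
ModSecurity: Warning. Matched "Operator DetectSQLi against variable ARGS:q (Value: name=value OR )" [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: found within ARGS:q"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "paranoia-level/1"] [hostname "10.0.0.5"] [uri "/admin/search"] [unique_id "3"]
EOF
}

# On a real server: summarize_modsec_hits /var/log/modsec_audit.log
```

On the sample, the top line is 942100 on /admin/search, which is the id to put in a ctl:ruleRemoveById (or, narrower still, ctl:ruleRemoveTargetById=942100;ARGS:q) scoped to that path, leaving the rest of the CRS active there.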

WordPress WPRS Rule Set for ModSecurity

Another option for WordPress users is to install, and run alongside the OWASP CRS rules, a popular project called the WPRS rule set. Since this is optional and not for everyone, the tutorial does not cover it in this section.

However, if you want to install it for extra protection on a server running WordPress, see our tutorial on installing the WordPress ModSecurity Rule Set (WPRS).

Create a ModSecurity Logrotate File

ModSecurity logs can grow large, so you need to set up log rotation, as this is not done for you.

First, create and open your ModSecurity logrotate file, modsec:

sudo nano /etc/logrotate.d/modsec

Add the following:

/var/log/modsec_audit.log
{
        rotate 31
        daily
        missingok
        compress
        delaycompress
        notifempty
}

This keeps 31 days of logs. If you prefer fewer, change 31 to 7, which is a week's worth. Rotate daily for ModSecurity: a single weekly file would be a nightmare to search through, depending on how large it grows. The path must match SecAuditLog in modsecurity.conf (the recommended file's default is /var/log/modsec_audit.log). After the first rotation, confirm that new entries land in the fresh file; if they keep going into modsec_audit.log.1, the Nginx workers still hold the old file open and you should add copytruncate to the block.

Comments and Conclusion

Overall, deploying ModSecurity on your server gives you immediate protection. Patience, time, and a willingness to learn will serve you well, though. The last thing you want is to block SEO bots or, more importantly, real users who may be potential customers.

Remember to review the logs regularly and not to set the security level too high. As powerful as this software is, it can very quickly block legitimate traffic and, depending on whether your website is a revenue source, that can have serious consequences.


