Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Modules


For those of you in the hosting business, or if you host your own servers and expose them to the Internet, securing your systems against attackers must be a high priority.

mod_security (an open-source intrusion detection and prevention engine for web applications that integrates seamlessly with the web server) and mod_evasive are two very important tools that can be used to protect a web server against brute force or (D)DoS attacks.

mod_evasive, as its name suggests, provides evasive capabilities while under attack, acting as an umbrella that shields web servers from such threats.

In this article we will discuss how to install, configure, and put them into play along with Apache on RHEL/CentOS 8 and 7 and Fedora. In addition, we will simulate attacks in order to verify that the server reacts accordingly.

This assumes that you have a LAMP server installed on your system. If not, please check this article before proceeding.

  • How to Install LAMP Server on CentOS 8
  • How to Install LAMP Stack in RHEL/CentOS 7

You will also need to set up iptables as the default firewall front-end instead of firewalld if you are running RHEL/CentOS 8/7 or Fedora. We do this in order to use the same tool in both RHEL/CentOS 8/7 and Fedora.

Step 1: Installing Iptables Firewall on RHEL/CentOS 8/7 and Fedora

To begin, stop and disable firewalld:

# systemctl stop firewalld
# systemctl disable firewalld

Then install the iptables-services package before enabling iptables:

# yum update && yum install iptables-services
# systemctl enable iptables
# systemctl start iptables
# systemctl status iptables

Step 2: Installing Mod_Security and Mod_evasive

In addition to having a LAMP setup already in place, you will also have to enable the EPEL repository in RHEL/CentOS 8/7 in order to install both packages. Fedora users don't need to enable any repo, because epel is already a part of the Fedora Project.

# yum update && yum install mod_security mod_evasive

--------------- CentOS/RHEL 8 --------------- 
# dnf install https://pkgs.dyn.su/el8/base/x86_64/raven-release-1.0-1.el8.noarch.rpm
# dnf --enablerepo=raven-extras install mod_evasive

When the installation completes, you will find the configuration files for both tools in /etc/httpd/conf.d.

# ls -l /etc/httpd/conf.d

Now, in order to integrate these two modules with Apache and have it load them when it starts, make sure the following lines appear in the top-level section of mod_evasive.conf and mod_security.conf, respectively:

LoadModule evasive20_module modules/mod_evasive24.so
LoadModule security2_module modules/mod_security2.so

Note that modules/mod_security2.so and modules/mod_evasive24.so are relative paths, from the /etc/httpd directory to the source file of the module. You can verify this (and change it, if needed) by listing the contents of the /etc/httpd/modules directory:

# cd /etc/httpd/modules
# pwd
# ls -l | grep -Ei '(evasive|security)'

Then restart Apache and verify that it loads mod_evasive and mod_security:

# systemctl restart httpd

Dump a list of loaded Static and Shared Modules:

# httpd -M | grep -Ei '(evasive|security)'

Step 3: Installing a Core Rule Set and Configuring Mod_Security

In a few words, a Core Rule Set (aka CRS) provides the web server with instructions on how to behave under certain conditions. The developer firm of mod_security provides a free CRS called OWASP (Open Web Application Security Project) ModSecurity CRS that can be downloaded and installed as follows.

1. Download the OWASP CRS to a directory created for that purpose.

# mkdir /etc/httpd/crs-tecmint
# cd /etc/httpd/crs-tecmint
# wget -c https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz -O master

2. Untar the CRS file and rename the directory to something more convenient.

# tar xzf master
# mv owasp-modsecurity-crs-3.2.0 owasp-modsecurity-crs

3. Now it's time to configure mod_security. Copy the sample file with rules (owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example) into another file without the .example extension:

# cd owasp-modsecurity-crs/
# cp crs-setup.conf.example crs-setup.conf

and tell Apache to use this file along with the module by inserting the following lines in the web server's main configuration file /etc/httpd/conf/httpd.conf. If you chose to unpack the tarball in another directory, you will need to edit the paths following the Include directives:

<IfModule security2_module>
        Include crs-tecmint/owasp-modsecurity-crs/crs-setup.conf
        Include crs-tecmint/owasp-modsecurity-crs/rules/*.conf
</IfModule>

Finally, it is recommended that we create our own configuration file within the /etc/httpd/modsecurity.d directory where we will place our customized directives (we will name it tecmint.conf in the following example) instead of modifying the CRS files directly. Doing so will allow for easier upgrading of the CRS as new versions are released.

<IfModule mod_security2.c>
	SecRuleEngine On
	SecRequestBodyAccess On
	SecResponseBodyAccess On 
	SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
	SecDataDir /tmp
</IfModule>

You can refer to the SpiderLabs ModSecurity GitHub repository for a complete explanatory guide of mod_security configuration directives.

Step 4: Configuring Mod_Evasive

mod_evasive is configured using directives in /etc/httpd/conf.d/mod_evasive.conf. Since there are no rules to update during a package upgrade, we don't need a separate file to add customized directives, as opposed to mod_security.

The default mod_evasive.conf file has the following directives enabled (note that this file is heavily commented, so we have stripped out the comments to highlight the configuration directives below):

<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>

Explanation of the directives:

  • DOSHashTableSize: This directive specifies the size of the hash table that is used to keep track of activity on a per-IP-address basis. Increasing this number will provide a faster lookup of the sites that the client has visited in the past, but may impact overall performance if it is set too high.
  • DOSPageCount: Legitimate number of identical requests to a specific URI (for example, any file that is being served by Apache) that can be made by a visitor over the DOSPageInterval interval.
  • DOSSiteCount: Similar to DOSPageCount, but refers to how many overall requests can be made to the entire site over the DOSSiteInterval interval.
  • DOSBlockingPeriod: If a visitor exceeds the limits set by DOSPageCount or DOSSiteCount, their source IP address will be blacklisted for the DOSBlockingPeriod amount of time. During DOSBlockingPeriod, any requests coming from that IP address will encounter a 403 Forbidden error.

Feel free to experiment with these values so that your web server is able to handle the required amount and type of traffic.

Only a small caveat: if these values are not set properly, you run the risk of ending up blocking legitimate visitors.
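To make the interaction between DOSSiteCount and DOSSiteInterval concrete before you tune them, here is an added example (not part of the original article and not mod_evasive's own code) that models the check offline against an Apache combined-format access log. The log lines are constructed. mod_evasive keeps a per-client counter that resets once DOSSiteInterval seconds pass without a request; the fixed one-second buckets used here are a simplification of that, so treat the output as an approximation for tuning, not as what the module itself would have decided.

```shell
#!/bin/sh
# Offline model of the DOSSiteCount / DOSSiteInterval check (added example,
# not mod_evasive's own code). It reads an Apache combined-format access log
# and reports clients whose request count within one second exceeded a limit.
set -eu

# Print "ip max_requests_in_one_second" for each client that exceeded $2
# requests in any single second of the log file $1, sorted by address.
site_count_offenders() {
    log=$1
    limit=$2
    # Field 1 is the client address; field 4 is "[dd/Mon/yyyy:HH:MM:SS", which
    # has second resolution, so "ip + field 4" identifies a one-second bucket.
    awk -v limit="$limit" '
        { n[$1 " " $4]++ }
        END {
            for (k in n) {
                split(k, p, " ")
                if (n[k] > max[p[1]]) max[p[1]] = n[k]
            }
            for (ip in max) if (max[ip] > limit) print ip, max[ip]
        }
    ' "$log" | sort
}

# Constructed sample log: 192.168.0.103 fires six requests in the same second,
# while 192.168.0.50 makes two ordinary requests two seconds apart.
sample_log=$(mktemp)
{
    i=0
    while [ "$i" -lt 6 ]; do
        printf '192.168.0.103 - - [10/Mar/2020:10:15:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0"\n'
        i=$((i + 1))
    done
    printf '192.168.0.50 - - [10/Mar/2020:10:15:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n'
    printf '192.168.0.50 - - [10/Mar/2020:10:15:03 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
} > "$sample_log"

# With the default DOSSiteCount 50 nothing in this short log would trip;
# a lower limit shows the check working.
site_count_offenders "$sample_log" 3    # prints: 192.168.0.103 6
```

Run it against a real log (for example /var/log/httpd/access_log) with the DOSSiteCount value you intend to set; any legitimate client that shows up in the output is a candidate for being wrongly blocked, which is exactly the caveat above.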

You may also want to consider other useful directives:

If you have a mail server up and running, you can send warning messages via Apache. Note that you will need to grant the apache user SELinux permission to send emails if SELinux is set to enforcing. You can do so by running

# setsebool -P httpd_can_sendmail 1

Next, add this directive in the mod_evasive.conf file with the rest of the other directives:

DOSEmailNotify [email 

If this value is set and your mail server is working properly, an email will be sent to the address specified whenever an IP address becomes blacklisted.

This requires a valid system command as argument,

DOSSystemCommand </command>

This directive specifies a command to be executed whenever an IP address becomes blacklisted. It is often used in conjunction with a shell script that adds a firewall rule to block further connections coming from that IP address.

When an IP address becomes blacklisted, we need to block future connections from it. We will use the following shell script that performs this job. Create a directory named scripts-tecmint (or whatever name you choose) in /usr/local/bin and a file called ban_ip.sh in that directory.

#!/bin/sh
# Usage: ban_ip.sh <ip>   (invoked by mod_evasive through DOSSystemCommand)
# IP that will be blocked, as detected by mod_evasive
IP=$1
# Full path to iptables
IPTABLES="/sbin/iptables"
# mod_evasive lock directory
MOD_EVASIVE_LOGDIR=/var/log/mod_evasive
# Add the following firewall rule (block all traffic coming from $IP)
"$IPTABLES" -I INPUT -s "$IP" -j DROP
# Remove lock file for future checks
rm -f "$MOD_EVASIVE_LOGDIR"/dos-"$IP"

Our DOSSystemCommand directive should read as follows:

DOSSystemCommand "sudo /usr/local/bin/scripts-tecmint/ban_ip.sh %s"

In the line above, %s represents the offending IP as detected by mod_evasive.
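Because ban_ip.sh runs as root through sudo with an argument chosen by whatever traffic triggered mod_evasive, a hardened variant is worth having. The following is an added example, not the article's script and not part of mod_evasive: it accepts only a well-formed IPv4 address, refuses to stack duplicate rules, logs what it did, and supports a DRY_RUN mode so the logic can be exercised without root. The paths /sbin/iptables and /var/log/mod_evasive and the dos-<ip> lock-file name come from the article; the DRY_RUN and IPTABLES environment variables are assumptions of this example.

```shell
#!/bin/sh
# Hardened replacement for ban_ip.sh (added example, not the article's script).
# mod_evasive invokes it via DOSSystemCommand with the offending IP as $1.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
MOD_EVASIVE_LOGDIR="${MOD_EVASIVE_LOGDIR:-/var/log/mod_evasive}"
# DRY_RUN=1 prints the firewall command instead of executing it, so the
# script can be tested as an unprivileged user (assumed variable, not mod_evasive's).
DRY_RUN="${DRY_RUN:-0}"

# Accept only a plain dotted-quad IPv4 address (four octets, each 0-255).
# The script runs under sudo, so anything that is not an address is rejected
# before it is ever passed to iptables.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    rest=$1.
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$((n + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Block $1 unless a DROP rule for it already exists (idempotent), then remove
# the mod_evasive lock file so the address can be re-evaluated later.
ban_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        logger -t ban_ip "refusing to ban malformed address: $ip" 2>/dev/null || true
        return 2
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s -I INPUT -s %s -j DROP\n' "$IPTABLES" "$ip"
        return 0
    fi
    # iptables -C exits 0 when the rule already exists.
    if ! "$IPTABLES" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        "$IPTABLES" -I INPUT -s "$ip" -j DROP
    fi
    logger -t ban_ip "blocked $ip after mod_evasive trigger" 2>/dev/null || true
    rm -f "$MOD_EVASIVE_LOGDIR/dos-$ip"
}

# Act only when invoked with an address, as mod_evasive does.
if [ $# -gt 0 ]; then
    ban_ip "$1"
fi
```

Installed in place of the original script, it keeps the same DOSSystemCommand line and sudoers entry; the only visible difference is a syslog line per block and a non-zero exit status (2) when the argument is not an address.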

Note that all of this will not work unless you give permission to the apache user to run our script (and that script only!) without a terminal and password. As usual, you can just type visudo as root to access the /etc/sudoers file and then add the following two lines as shown in the image below:

apache ALL=NOPASSWD: /usr/local/bin/scripts-tecmint/ban_ip.sh
Defaults:apache !requiretty

IMPORTANT: As a default security policy, you can only run sudo in a terminal. Since in this case we need to use sudo without a tty, we have to comment out the line that is highlighted in the following image:

#Defaults requiretty

Finally, restart the web server:

# systemctl restart httpd
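If the sudo setup above is wrong (for example, requiretty is still active), mod_evasive writes its dos-<ip> lock file but the firewall rule is never added, and nothing in Apache's output says so. The following added example (not from the article and not part of mod_evasive) reconciles the lock directory /var/log/mod_evasive with the output of iptables -S INPUT and prints addresses that are locked by the module but not dropped by the firewall. The lock-file naming comes from the ban_ip.sh script above; the sample lock files and rule dump are constructed so the check runs without root.

```shell
#!/bin/sh
# Reconcile mod_evasive lock files with live iptables rules (added example).
# A dos-<ip> lock file without a matching DROP rule usually means the
# DOSSystemCommand hook failed, e.g. sudo refused to run without a tty.
set -eu

MOD_EVASIVE_LOGDIR="${MOD_EVASIVE_LOGDIR:-/var/log/mod_evasive}"

# Print the IPs mod_evasive currently has on its blocklist, one per line,
# taken from the names of the dos-<ip> lock files in directory $1.
locked_ips() {
    dir=$1
    for f in "$dir"/dos-*; do
        [ -e "$f" ] || continue        # the glob matched nothing
        printf '%s\n' "${f##*/dos-}"
    done
}

# Given the lock directory $1 and the text of `iptables -S INPUT` in $2,
# print the IPs that have a lock file but no DROP rule.
missing_rules() {
    dir=$1
    rules=$2
    locked_ips "$dir" | while IFS= read -r ip; do
        case "$rules" in
            *"-s $ip/32 -j DROP"*) ;;   # iptables -S prints hosts as /32
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Constructed sample data: two lock files, but only one of them has a rule
# in the (constructed) rule dump.
sample_dir=$(mktemp -d)
: > "$sample_dir/dos-192.168.0.103"
: > "$sample_dir/dos-10.0.0.5"
sample_rules='-P INPUT ACCEPT
-A INPUT -s 192.168.0.103/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

missing_rules "$sample_dir" "$sample_rules"    # prints: 10.0.0.5

# Live usage as root:
#   missing_rules "$MOD_EVASIVE_LOGDIR" "$(iptables -S INPUT)"
```

Running the live form from cron after enabling the hook is a cheap way to notice that blacklisting has silently stopped reaching the firewall; an empty result means mod_evasive and iptables agree.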

Step 5: Simulating DDoS Attacks on Apache

There are several tools that you can use to simulate an external attack on your server. You can just google for "ddos attack simulation tools" to find several of them.

Note that you, and only you, will be held responsible for the results of your simulation. Do not even think of launching a simulated attack on a server that you are not hosting within your own network.

Should you want to do the same with a VPS that is hosted by someone else, you need to appropriately warn your hosting provider or ask permission for such a traffic flood to go through their networks. linux-console.net is not, by any means, responsible for your actions!

In addition, launching a simulated DoS attack from only one host does not represent a real-life attack. To simulate such an attack, you would need to target your server from several clients at the same time.

Our test environment is composed of a CentOS 7 server [IP 192.168.0.17] and a Windows host from which we will launch the attack [IP 192.168.0.103]:

Please play the video below and follow the steps outlined in the indicated order to simulate a simple DoS attack:

Then the offending IP is blocked by iptables:

Conclusion

With mod_security and mod_evasive enabled, the simulated attack causes the CPU and RAM to experience peak usage only temporarily, for a couple of seconds, before the source IPs are blacklisted and blocked by the firewall. Without these tools, the simulation would surely knock down the server very fast and render it unusable for the duration of the attack.

We would love to hear if you plan to use (or have used in the past) these tools. We always look forward to hearing from you, so don't hesitate to leave your comments and questions, if any, using the form below.
