How to Set Up ModSecurity with Apache on Debian/Ubuntu


The Apache web server is highly customizable and can be configured in many ways to suit your needs. There are many third-party modules that you can use to configure Apache to your preference.

ModSecurity is an open-source WAF (Web Application Firewall) that is native to the Apache web server. It was initially an Apache-only module but has grown over the years into a full-fledged web application firewall. It now supports Nginx and even IIS.

ModSecurity inspects incoming requests to the web server against a predefined set of rules. Typically, it is used with a rule set known as the CRS (Core Rule Set), which protects a website from a range of web application attacks such as SQL injection, XSS, and session hijacking, among other exploits.


The ModSecurity application firewall forms an integral part of PCI DSS compliance in shielding sites from external attacks. When the module is enabled, it triggers a '403 Forbidden' error for blocked requests, which simply indicates that you do not have sufficient permission to access the resource on the web server.

In this guide, we will show you how to set up and configure ModSecurity to work with Apache on Debian and Ubuntu Linux.

Step 1: Install ModSecurity on Ubuntu

The first step is to install ModSecurity. We will begin by refreshing the package lists as follows:

$ sudo apt update

Next, install the ModSecurity package along with its other dependencies and libraries.

$ sudo apt install libapache2-mod-security2

After that, enable the module.

$ sudo a2enmod security2

Then restart the Apache web server to apply the changes.

$ sudo systemctl restart apache2

At this point, ModSecurity is successfully installed. Now let's configure it.

Step 2: Configure ModSecurity in Ubuntu

By default, ModSecurity is only configured to detect and log suspicious activity. We need to go a step further and configure it not only to detect but also to block suspicious activity.

Copy the default ModSecurity configuration file, modsecurity.conf-recommended, to a new file as shown in the command below.

$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Using your preferred text editor, open the file:

$ sudo nano /etc/modsecurity/modsecurity.conf

Locate the line:

SecRuleEngine DetectionOnly

Set it to:

SecRuleEngine On

Save the changes and exit the file.

To apply the changes in Apache, restart the web server.

$ sudo systemctl restart apache2

Step 3: Download the OWASP ModSecurity Core Rule Set

The next step is to download the latest OWASP ModSecurity Core Rule Set (CRS) from its GitHub page.

Clone the OWASP git repository as shown.

$ git clone https://github.com/coreruleset/coreruleset.git

Navigate into the directory.

$ cd coreruleset/

Be sure to move the crs-setup.conf.example file to the modsecurity directory and rename it to crs-setup.conf.

$ sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf

In addition, move the rules directory to the modsecurity directory as well.

$ sudo mv rules/ /etc/modsecurity/

Next, edit the security2.conf file.

$ sudo nano /etc/apache2/mods-enabled/security2.conf

Ensure that it contains the following lines.

IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf

Then restart Apache for the changes to persist.

$ sudo systemctl restart apache2
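
The script below is an added example, not part of the original guide: it checks the files that Steps 2 and 3 create or edit and reports what is missing. The function names, the root-prefix argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit what Steps 2 and 3 set up. The first argument is a
# hypothetical root prefix so a copy of /etc can be checked; pass "" for
# the live system.
audit_modsec() {
    root=$1; rc=0
    conf="$root/etc/modsecurity/modsecurity.conf"
    sec2="$root/etc/apache2/mods-enabled/security2.conf"

    # Step 2: the last uncommented SecRuleEngine directive must be On.
    mode=$(awk '$1 == "SecRuleEngine" { m = $2 } END { print m }' "$conf" 2>/dev/null)
    if [ "$mode" = "On" ]; then echo "OK   SecRuleEngine On"
    else echo "FAIL SecRuleEngine is '${mode:-missing}' (blocking disabled)"; rc=1; fi

    # Step 3: the CRS setup file and at least one rule file are in place.
    if [ -f "$root/etc/modsecurity/crs-setup.conf" ]; then echo "OK   crs-setup.conf"
    else echo "FAIL crs-setup.conf missing"; rc=1; fi
    set -- "$root"/etc/modsecurity/rules/*.conf
    if [ -e "$1" ]; then echo "OK   $# rule file(s)"
    else echo "FAIL no rule files in rules/"; rc=1; fi

    # Step 3: both include lines are present and not commented out.
    for inc in '/etc/modsecurity/*.conf' '/etc/modsecurity/rules/*.conf'; do
        if grep -v '^[[:space:]]*#' "$sec2" 2>/dev/null | grep -Fq -- "$inc"
        then echo "OK   include $inc"
        else echo "FAIL include $inc missing from security2.conf"; rc=1; fi
    done
    return $rc
}

# Constructed sample tree (not real system files) so the check runs offline.
make_sample_tree() {
    mkdir -p "$1/etc/modsecurity/rules" "$1/etc/apache2/mods-enabled"
    printf '# SecRuleEngine On\nSecRuleEngine %s\n' "$2" \
        > "$1/etc/modsecurity/modsecurity.conf"
    : > "$1/etc/modsecurity/crs-setup.conf"
    : > "$1/etc/modsecurity/rules/sample-rule.conf"
    printf 'IncludeOptional /etc/modsecurity/*.conf\nInclude /etc/modsecurity/rules/*.conf\n' \
        > "$1/etc/apache2/mods-enabled/security2.conf"
}

demo=$(mktemp -d)
make_sample_tree "$demo" DetectionOnly
audit_modsec "$demo" || echo "audit failed: fix the items above, then restart apache2"
rm -rf "$demo"
```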

Now let's test our ModSecurity configuration.

Step 4: Test the ModSecurity Configuration on Ubuntu

Finally, we need to test that ModSecurity can detect and block suspicious HTTP traffic. To achieve this, we need to edit the default virtual host file.

$ sudo nano /etc/apache2/sites-available/000-default.conf

Next, we will create a blocking rule that blocks access to a certain URL when it is accessed by a web browser.

Append these lines at the end, before the closing 'VirtualHost' tag.

SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"

Feel free to set the 'id' and 'msg' tags to whatever values you prefer.

Then restart the Apache web server to apply the changes made to the virtual host configuration file.

$ sudo systemctl restart apache2

In your web browser, try visiting the URL shown with ?testparam=test at the end.

http://server-ip/?testparam=test

You get a '403 Forbidden' error, indicating that you have been blocked from accessing the resource.

You can further confirm that the client was blocked by checking the error logs as follows.

$ cat /var/log/apache2/error.log | grep "Test Successful"
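
To go beyond a plain grep, the script below (an added example, not part of the original guide) extracts the client, rule id, URI and message from each ModSecurity denial in the error log and counts denials per client and rule. The function names are illustrative and the log lines are constructed samples that assume the usual Apache 2.4 error-log layout.

```shell
#!/bin/sh
# Added example: list ModSecurity denials recorded in an Apache error log.
# Prints: client <TAB> rule id <TAB> uri <TAB> msg ("-" when a field is absent).
modsec_denials() {
    awk '
    function field(name,    re, s) {
        re = "\\[" name " \"[^\"]*\"\\]"
        if (!match($0, re)) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub("^\\[" name " \"", "", s); sub("\"\\]$", "", s)
        return s
    }
    /ModSecurity: Access denied/ {
        client = "-"
        if (match($0, /\[client [0-9a-fA-F:.]+\]/)) {
            client = substr($0, RSTART + 8, RLENGTH - 9)
            sub(/:[0-9]+$/, "", client)   # drop the source port
        }
        printf "%s\t%s\t%s\t%s\n", client, field("id"), field("uri"), field("msg")
    }' "$1"
}

# Count denials per client and rule id, busiest first.
modsec_summary() {
    modsec_denials "$1" | awk -F '\t' '{ n[$1 "\t" $2]++ }
        END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Constructed sample log (not captured from a real server).
write_sample_log() {
    cat > "$1" <<'EOF'
[Tue Mar 05 10:15:32.101 2024] [security2:error] [pid 811] [client 203.0.113.7:51514] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "31"] [id "254"] [msg "Test Successful"] [hostname "server-ip"] [uri "/"]
[Tue Mar 05 10:15:40.220 2024] [core:notice] [pid 800] constructed non-ModSecurity line
[Tue Mar 05 10:16:02.734 2024] [security2:error] [pid 811] [client 203.0.113.7:51520] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "31"] [id "254"] [msg "Test Successful"] [hostname "server-ip"] [uri "/index.html"]
[Tue Mar 05 10:17:45.009 2024] [security2:error] [pid 812] [client 2001:db8::5:40022] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "31"] [id "254"] [msg "Test Successful"] [hostname "server-ip"] [uri "/"]
EOF
}

log=$(mktemp)
write_sample_log "$log"
modsec_summary "$log"
rm -f "$log"
```

On the server, point modsec_summary at /var/log/apache2/error.log to see which clients triggered which rules.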


This confirms that we have successfully set up ModSecurity to detect and block unwanted traffic. In this guide, we have walked you through setting up ModSecurity with Apache on Debian/Ubuntu systems.