How to Install ModSecurity for Nginx on Debian/Ubuntu
It is every developer's goal to deploy secure web applications that are safe from threats. In most cases, this is easier said than done. The number of website hacks keeps rising as attackers continue to exploit every attack vector at their disposal.
Web application security can be a major challenge, especially with the proliferation of malicious tools such as rootkits, scanners, bots, and other malware. Although a breach can be a matter of when and not if, it is prudent to implement some robust security measures to keep your web applications safe.
You might also like: 5 Tools to Scan a Linux Server for Malware and Rootkits.
One of the tools that can provide a robust level of security against attacks is called ModSecurity. It is a free and open-source web application firewall (WAF) that protects your web applications from a wide range of Layer 7 attacks such as cross-site scripting (XSS), SQL injection, session hijacking, and many more.
In this guide, we will show you how to install and configure ModSecurity to work with Nginx on Debian-based Linux distributions such as Ubuntu.
Step 1: Install Dependencies
To get started, a number of software dependencies are required for the installation to succeed. But first, update the package lists and refresh the repositories as follows.
$ sudo apt update
Next, install the dependencies as follows.
$ sudo apt install make gcc build-essential autoconf automake libtool libfuzzy-dev ssdeep gettext pkg-config libcurl4-openssl-dev liblua5.3-dev libpcre3 libpcre3-dev libxml2 libxml2-dev libyajl-dev doxygen libcurl4 libgeoip-dev libssl-dev zlib1g-dev libxslt-dev liblmdb-dev libpcre++-dev libgd-dev
Step 2: Install the Latest Nginx Version
The next step is to install the Nginx web server. To get the latest version, we will install it from the ondrej/nginx-mainline PPA, which has been maintained by a Debian developer since 2000.
To add the PPA to your local Ubuntu system, run the command:
$ sudo add-apt-repository ppa:ondrej/nginx-mainline -y
Next, update the package lists and install the latest version of Nginx as follows.
$ sudo apt update
$ sudo apt install nginx-core nginx-common nginx nginx-full
Usually, only the default (binary) repository is enabled. It is prudent to also enable the source-code repository so that you can download the Nginx source code in the next step.
To achieve this, edit the Nginx repository file.
$ sudo vim /etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-*.list
Locate the following line and uncomment it (remove the leading #) to enable the source-code repository:
# deb-src http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu/ focal main
The file should now look like the one shown.
Save the changes and exit.
Then update the package index.
$ sudo apt update
Step 3: Download the Nginx Source Package
To compile the ModSecurity dynamic module, we need to download the Nginx source-code package. To do this, first create an Nginx directory under the /usr/local/src/ path to hold the Nginx source package files.
$ sudo mkdir -p /usr/local/src/nginx
Next, set the ownership of the directory as shown. Be sure to replace username with the actual name of your sudo user.
$ sudo chown username:username -R /usr/local/src/
After that, navigate into the Nginx source directory:
$ cd /usr/local/src/nginx
Go ahead and download the Nginx source package:
$ sudo apt source nginx
You might run into the following error:
W: Download is performed unsandboxed as root as file 'nginx_1.19.5.orig.tar.gz' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
This is nothing to worry about, so simply ignore the error.
You can view the source files using the ls command.
$ ls -l
Confirm that the version of the source code matches the installed Nginx version.
$ nginx -v
Step 4: Install the Libmodsecurity3 Library
Libmodsecurity is the ModSecurity library that handles HTTP filtering for your applications. There are two ways to install it. You can use the apt package manager as shown.
$ sudo apt install libmodsecurity3
The other way is to install it from source, which is preferable since it gives you the latest version. To get started with installing Libmodsecurity from source, clone the git repository as shown:
$ git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/
Navigate into the cloned directory:
$ cd /usr/local/src/ModSecurity/
Make a point of installing the git submodules.
$ sudo git submodule init
$ sudo git submodule update
After that, build the environment using the commands below.
$ sudo ./build.sh
$ sudo ./configure
Again, ignore the error shown below.
fatal: No names found, cannot describe anything.
Then compile the source code and install some tools using the following command. This takes about 25 minutes, so some patience is required.
$ sudo make -j4
Once done, install the libraries.
$ sudo make install
Step 5: Download and Compile the ModSecurity v3 Nginx Connector
The next step is to download and compile the ModSecurity Nginx connector. The connector, as the name implies, links the Libmodsecurity library to the Nginx web server. To download the ModSecurity connector, clone it from its GitHub repository as follows.
$ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/
Then navigate into the Nginx source directory that was unpacked in Step 3 (the version number in the path should match the source package you downloaded).
$ cd /usr/local/src/nginx/nginx-1.21.3/
Go ahead and install the build dependencies.
$ sudo apt build-dep nginx
$ sudo apt install uuid-dev
Next, configure the ModSecurity Nginx connector module with the --with-compat flag. The --with-compat option makes the ModSecurity Nginx connector module binary-compatible with the currently installed Nginx build.
$ sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx
Once that is done, build the ModSecurity Nginx connector module using the make command.
$ sudo make modules
The module is saved as objs/ngx_http_modsecurity_module.so. You need to copy this module to the /usr/share/nginx/modules/ directory as follows.
$ sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
Step 6: Load the ModSecurity Nginx Connector Module
To load the Nginx connector module, first open the main Nginx configuration file.
$ sudo vim /etc/nginx/nginx.conf
Insert the line below just under the first line.
load_module modules/ngx_http_modsecurity_module.so;
In addition, include the following lines inside the http {...} section. This enables ModSecurity for all Nginx virtual hosts.
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
Save the changes and exit the file.
Next, create the /etc/nginx/modsec/ directory, which will hold the ModSecurity configuration.
$ sudo mkdir /etc/nginx/modsec/
Next, copy the recommended ModSecurity configuration file as follows.
$ sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
Then open the configuration file.
$ sudo vim /etc/nginx/modsec/modsecurity.conf
Locate the line that starts with the SecRuleEngine directive.
SecRuleEngine DetectionOnly
This line instructs ModSecurity to only log HTTP transactions and take no action when it sees a web application attack. You need to change it so that ModSecurity not only detects but also blocks web attacks.
Change the line to the one below.
SecRuleEngine On
Save the changes and exit the file.
Next, create the /etc/nginx/modsec/main.conf file.
$ sudo vim /etc/nginx/modsec/main.conf
Insert this line to reference the /etc/nginx/modsec/modsecurity.conf configuration file.
Include /etc/nginx/modsec/modsecurity.conf
Save the changes and exit the file.
In addition, copy the Unicode mapping file.
$ sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
Then test the Nginx configuration.
$ sudo nginx -t
The test should succeed. If not, go back and check that all the changes were made correctly.
Finally, restart Nginx to apply all the changes.
$ sudo systemctl restart nginx
And confirm that Nginx is running as expected.
$ sudo systemctl status nginx
Step 7: Download the OWASP Core Rule Set
For ModSecurity to protect your web application, you need specific rules that detect suspicious activity and block it. To get started, it is prudent to install a rule set that will help you learn the ropes.
The OWASP Core Rule Set (CRS) is a free, open-source, and community-maintained set of rules that provides protection against common attacks such as SQL injection and Cross-site Scripting (XSS).
Download the OWASP Core Rule Set from GitHub using the wget command as shown.
$ wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
Extract the compressed file.
$ tar xvf v3.3.0.tar.gz
Be sure to move the extracted directory to the /etc/nginx/modsec/ path.
$ sudo mv coreruleset-3.3.0/ /etc/nginx/modsec/
Then rename the crs-setup.conf.example file to crs-setup.conf.
$ sudo mv /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf
In addition, go back to the ModSecurity main configuration file.
$ sudo vim /etc/nginx/modsec/main.conf
And insert the following lines.
Include /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-3.3.0/rules/*.conf
The file should now have three Include lines: the one for modsecurity.conf added earlier and the two just added.
Save the file and restart Nginx.
$ sudo systemctl restart nginx
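Before restarting, it is worth checking that the SecRuleEngine change from Step 6 and the three Include lines in main.conf from this step actually took effect, since a configuration left in DetectionOnly mode passes nginx -t but blocks nothing. The script below is an added example, not part of the original guide; it runs its audit on constructed sample files, and on a real server you would point it at /etc/nginx/modsec/modsecurity.conf and /etc/nginx/modsec/main.conf instead.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the ModSecurity files
# written in Steps 6 and 7 before restarting Nginx, so a forgotten
# "SecRuleEngine On" or a missing CRS Include is caught before go-live.

# Print the effective SecRuleEngine value from a modsecurity.conf.
# Commented lines are ignored and the last uncommented directive wins
# (a later directive overrides an earlier one).
modsec_engine_mode() {
    awk '/^[ \t]*SecRuleEngine[ \t]/ { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Succeed only if a main.conf wires in all three pieces from the guide:
# the base modsecurity.conf, the CRS setup file and the CRS rules directory.
modsec_main_complete() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*/modsecurity\.conf' "$1" &&
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*/crs-setup\.conf' "$1" &&
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*/rules/\*\.conf' "$1"
}

# Report both checks; a non-zero exit means requests are not actually blocked.
modsec_audit() {
    conf="$1"; main="$2"; rc=0
    engine=$(modsec_engine_mode "$conf")
    if [ "$engine" = "On" ]; then
        echo "OK   SecRuleEngine is On: matching requests are blocked"
    else
        echo "WARN SecRuleEngine is '$engine': attacks are logged, not blocked"; rc=1
    fi
    if modsec_main_complete "$main"; then
        echo "OK   main.conf includes modsecurity.conf and the OWASP CRS"
    else
        echo "WARN main.conf lacks the base config or the CRS Includes"; rc=1
    fi
    return $rc
}

# Constructed sample files (not the real /etc/nginx/modsec ones) so the
# audit runs anywhere; point it at the real paths on the server instead.
demo=$(mktemp -d)
printf '# SecRuleEngine DetectionOnly\nSecRuleEngine DetectionOnly\nSecRuleEngine On\n' \
    > "$demo/modsecurity.conf"
printf 'Include /etc/nginx/modsec/modsecurity.conf\nInclude /etc/nginx/modsec/coreruleset-3.3.0/crs-setup.conf\nInclude /etc/nginx/modsec/coreruleset-3.3.0/rules/*.conf\n' \
    > "$demo/main.conf"
modsec_audit "$demo/modsecurity.conf" "$demo/main.conf"
# On the server: modsec_audit /etc/nginx/modsec/modsecurity.conf /etc/nginx/modsec/main.conf
```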
Step 8: Test ModSecurity
Finally, we will test ModSecurity and confirm that it can detect and block suspicious HTTP traffic.
We will edit the ModSecurity configuration file and create a blocking rule that denies access to a certain URL when a web browser requests it.
$ sudo vim /etc/nginx/modsec/modsecurity.conf
Add this line just below the SecRuleEngine On directive.
SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"
You can set the 'id' and 'msg' values to whatever you prefer.
Save the changes and restart Nginx.
$ sudo systemctl restart nginx
Now launch your browser and visit the URL below with the ?testparam=test suffix.
http://server-ip/?testparam=test
You should get a 403 'Forbidden' error. This indicates that you are trying to access a forbidden resource on the web server.
In addition, you can check the Nginx error log to confirm that the client was blocked.
$ cat /var/log/nginx/error.log | grep "Test Successful"
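As an added example (not from the original guide), the script below automates the check above: it sends both a benign request and one matching the test rule with curl, expecting 200 and 403 respectively, and then extracts the rule id, message, URI and client from the ModSecurity denial lines in the Nginx error log. The log line it parses is a constructed sample in the libmodsecurity v3 format, and MODSEC_URL is an assumed environment variable used only for the live run.

```shell
#!/bin/sh
# Added example (not part of the original guide): exercise the Step 8 test
# rule from the client side and pull ModSecurity denials out of error.log.

# HTTP status code for a URL (prints e.g. 403). Needs a reachable server.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Live smoke test: a benign value must pass (200) and the value matched by
# the rule's "@contains test" operator must be denied (403). Checking both
# proves the rule fires on the right input rather than on every request.
modsec_smoke_test() {
    base="$1"
    ok=$(http_status "$base/?testparam=hello")
    blocked=$(http_status "$base/?testparam=test")
    echo "benign request: $ok, matched request: $blocked"
    [ "$ok" = "200" ] && [ "$blocked" = "403" ]
}

# Print "id|msg|uri|client" for every ModSecurity 'Access denied' line in an
# Nginx error log; id and msg are the values set on the SecRule that fired.
modsec_denials() {
    grep 'ModSecurity: Access denied' "$1" | sed -E \
        's/.*\[client ([^]]*)\].*\[id "([^"]*)"\].*\[msg "([^"]*)"\].*\[uri "([^"]*)"\].*/\2|\3|\4|\1/'
}

# Constructed sample error log (libmodsecurity v3 format, addresses from the
# documentation ranges) so the parser can be run without a server.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2021/10/05 10:21:07 [error] 1234#1234: *7 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "8"] [id "254"] [rev ""] [msg "Test Successful"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "203.0.113.10"] [uri "/"] [unique_id "163341726721.918329"] [ref "o0,4v14,4"], client: 203.0.113.5, server: _, request: "GET /?testparam=test HTTP/1.1", host: "203.0.113.10"
2021/10/05 10:21:09 [error] 1234#1234: *8 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: _, request: "GET /favicon.ico HTTP/1.1", host: "203.0.113.10"
EOF
modsec_denials "$sample_log"     # prints: 254|Test Successful|/|203.0.113.5

# Against the real server: MODSEC_URL=http://server-ip sh this_script.sh
if [ -n "${MODSEC_URL:-}" ]; then
    modsec_smoke_test "$MODSEC_URL"
    modsec_denials /var/log/nginx/error.log
fi
```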
You might also like: How to Set Up ModSecurity with Apache on Debian/Ubuntu
This was an overview of how you can set up ModSecurity with Nginx on Debian and Ubuntu. We hope you found it useful.