Wednesday, August 28, 2019

Compiling and Installing ModSecurity for NGINX Open Source

1 – Install NGINX from Our Official Repository

If you haven’t already, the first step is to install NGINX. There are multiple ways to install NGINX, as is the case with most open source software. We generally recommend you install NGINX from the mainline branch in our official repository. For more details on how to properly install NGINX from our official repository, see our on‑demand webinar NGINX: Basics and Best Practices.
The instructions in this blog assume that you have installed NGINX from our official repository. They might work with NGINX as obtained from other sources, but that has not been tested.
Note: NGINX 1.11.5 or later is required.

2 – Install Prerequisite Packages

The first step is to install the packages required to complete the remaining steps in this tutorial. Run the following command, which is appropriate for a freshly installed Ubuntu/Debian system. The required packages might be different for RHEL/CentOS/Oracle Linux.
$ apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

3 – Download and Compile the ModSecurity 3.0 Source Code

With the required prerequisite packages installed, the next step is to compile ModSecurity as an NGINX dynamic module. In ModSecurity 3.0’s new modular architecture, libmodsecurity is the core component which includes all rules and functionality. The second main component in the architecture is a connector that links libmodsecurity to the web server it is running with. There are separate connectors for NGINX, Apache HTTP Server, and IIS. We cover the NGINX connector in the next section.
To compile libmodsecurity:
  1. Clone the GitHub repository:
    $ git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
  2. Change to the ModSecurity directory and compile the source code:
    $ cd ModSecurity
    $ git submodule init
    $ git submodule update
    $ ./build.sh
    $ ./configure
    $ make
    $ make install
The compilation takes about 15 minutes, depending on the processing power of your system.
Note: It’s safe to ignore messages like the following during the build process. Even when they appear, the compilation completes and creates a working object.
fatal: No names found, cannot describe anything.

4 – Download the NGINX Connector for ModSecurity and Compile It as a Dynamic Module

Compile the ModSecurity connector for NGINX as a dynamic module for NGINX.
  1. Clone the GitHub repository:
    $ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
  2. Determine which version of NGINX is running on the host where the ModSecurity module will be loaded:
    $ nginx -v
    nginx version: nginx/1.13.1
  3. Download the source code corresponding to the installed version of NGINX (the complete sources are required even though only the dynamic module is being compiled):
    $ wget http://nginx.org/download/nginx-1.13.1.tar.gz
    $ tar zxvf nginx-1.13.1.tar.gz
  4. Compile the dynamic module and copy it to the standard directory for modules:
    $ cd nginx-1.13.1
    $ ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
    $ make modules
    $ cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

5 – Load the NGINX ModSecurity Connector Dynamic Module

Add the following load_module directive to the main (top‑level) context in /etc/nginx/nginx.conf. It instructs NGINX to load the ModSecurity dynamic module when it processes the configuration:
load_module modules/ngx_http_modsecurity_module.so;

6 – Configure, Enable, and Test ModSecurity

The final step is to enable and test ModSecurity.
  1. Set up the appropriate ModSecurity configuration file. Here we’re using the recommended ModSecurity configuration provided by Trustwave SpiderLabs, the corporate sponsors of ModSecurity.
    $ mkdir /etc/nginx/modsec
    $ wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
    $ mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
  2. Change the SecRuleEngine directive in the configuration file from the default “detection only” mode to actively dropping malicious traffic:
    $ sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
  3. Configure one or more rules. For the purposes of this blog we’re creating a single simple rule that drops a request in which the URL argument called testparam includes the string test in its value. Put the following text in /etc/nginx/modsec/main.conf:
    # From https://github.com/SpiderLabs/ModSecurity/blob/master/
    # modsecurity.conf-recommended
    #
    # Edit to set SecRuleEngine On
    Include "/etc/nginx/modsec/modsecurity.conf"
    
    # Basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
  In a production environment, you presumably would use rules that actually protect against malicious traffic, such as the free OWASP Core Rule Set.
  4. Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity:
    server {
        # ...
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;
    }
    
  5. Issue the following curl command. The 403 status code confirms that the rule is working.
    $ curl localhost?testparam=test
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.13.1</center>
    </body>
    </html>
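The commands in sections 3 through 6 are typed once and are not safe to repeat: running the sed a second time is harmless, but prepending load_module twice or reloading a config that fails nginx -t will take the server down. The following shell helpers are an added example, not part of the original post or the ModSecurity project. They turn the steps above into checkable functions: the version parsed from nginx -v drives the source download, the load_module directive is inserted exactly once, the rule engine switch is verified after editing, and a reload only happens after a successful syntax check. The file paths under /etc/nginx are the ones the post uses; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): helper functions that make the
# ModSecurity-for-NGINX steps repeatable and checkable.

# Extract "1.13.1" from the line `nginx -v` prints (note: it prints to stderr,
# so capture it with `nginx -v 2>&1`).
nginx_version_from_output() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Build the source tarball URL for exactly the running version, so the dynamic
# module is compiled against the same NGINX it will be loaded into.
nginx_source_url() {
    printf 'http://nginx.org/download/nginx-%s.tar.gz\n' "$1"
}

# Insert the load_module directive at the top of nginx.conf (main context),
# once only; re-running this function does not add a second copy.
ensure_load_module() {
    conf=$1
    directive='load_module modules/ngx_http_modsecurity_module.so;'
    if grep -qF "$directive" "$conf"; then
        return 0
    fi
    cp "$conf" "$conf.bak"                      # keep a backup of the original
    { printf '%s\n' "$directive"; cat "$conf.bak"; } > "$conf"
}

# Switch the engine from DetectionOnly to On and verify the edit took effect.
enable_rule_engine() {
    conf=$1
    sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' "$conf"
    grep -q '^SecRuleEngine On' "$conf"
}

# Report the effective engine mode. The last SecRuleEngine line wins, so an
# extra "DetectionOnly" further down would silently undo the change above.
rule_engine_mode() {
    sed -n 's/^SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Syntax-check the configuration first; never reload a broken config.
safe_reload() {
    nginx -t && nginx -s reload
}

# Example flow on a real host (not run here):
#   ver=$(nginx_version_from_output "$(nginx -v 2>&1)")
#   wget "$(nginx_source_url "$ver")"
#   ensure_load_module /etc/nginx/nginx.conf
#   enable_rule_engine /etc/nginx/modsec/modsecurity.conf
#   safe_reload
```

The rule_engine_mode check is the one most worth keeping: a recommended configuration file that is later appended to, or a second Include, can leave the engine in DetectionOnly while the sed reports success, and the 403 test in step 5 is then the only thing that tells you.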

Conclusion

ModSecurity is one of the most trusted and well‑known names in application security. The steps outlined in this blog cover how to compile ModSecurity from source and load it into open source NGINX.

How to Install and Configure CSF (Config Server Firewall) on CentOS 7

Prerequisites

  • CentOS 7 (my server uses the IP 192.168.1.101).
  • root privileges.
What we will do in this tutorial:
  • Install the dependencies for CSF.
  • Install CSF.
  • Configure CSF.
  • Basic CSF commands.
  • Advanced Configuration.

Step 1 - Installation of CSF dependencies

CSF is based on Perl, so you need to install Perl on your server first. You also need wget to download the CSF installer and vim (or an editor of your choice) for editing the CSF configuration file. Install the packages with the yum command:
yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

Step 2 - Install CSF

Go to the "/usr/src/" directory and download CSF with the wget command:
cd /usr/src/
wget https://download.configserver.com/csf.tgz
Extract the tar.gz file and go to the csf directory, then install it:
tar -xzf csf.tgz
cd csf
sh install.sh
At the end you should see a message confirming that the CSF installation is complete:
CSF installation is complete.
Now check that CSF really works on this server. Go to the "/usr/local/csf/bin/" directory and run "csftest.pl":
cd /usr/local/csf/bin/
perl csftest.pl
If you see the test results as shown below, then CSF is running without problems on your server:
RESULT: csf should function on this server
CSF is running.

Step 3 - Configure CSF on CentOS 7

Before stepping into the CSF configuration process, the first thing you must know is that "CentOS 7" has a default firewall application called "firewalld". You have to stop firewalld and remove it from the startup.
Stop the firewalld:
systemctl stop firewalld
Disable/Remove firewalld from the startup:
systemctl disable firewalld
Then go to the CSF Configuration directory "/etc/csf/" and edit the file "csf.conf" with the vim editor:
cd /etc/csf/
vim csf.conf
Change "TESTING" on line 11 to "0" so that the firewall configuration is applied:
TESTING = "0"
By default CSF allows incoming and outgoing traffic on the standard SSH port 22. If you use a different SSH port, add that port to "TCP_IN" on line 139 before starting CSF, otherwise you will lock yourself out of the server.
Now start CSF and LFD with systemctl command:
systemctl start csf
systemctl start lfd
And then enable the csf and lfd services to be started at boot time:
systemctl enable csf
systemctl enable lfd
Now you can see the list of default CSF rules with the command:
csf -l

Step 4 - Basic CSF Commands

1. Start the firewall (enable the firewall rules):
csf -s
2. Flush/Stop the firewall rules.
csf -f
3. Reload the firewall rules.
csf -r
4. Allow an IP and add it to csf.allow.
csf -a 192.168.1.109
Results:
Adding 192.168.1.109 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
5. Remove and delete an IP from csf.allow.
csf -ar 192.168.1.109
Results:
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
6. Deny an IP and add to csf.deny:
csf -d 192.168.1.109
Results:
Adding 192.168.1.109 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
7. Remove and delete an IP from csf.deny.
csf -dr 192.168.1.109
Results:
Removing rule...
DROP  all opt -- in !lo out *  192.168.1.109  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.109
8. Remove and Unblock all entries from csf.deny.
csf -df
Results:
DROP  all opt -- in !lo out *  192.168.1.110  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.110  
DROP  all opt -- in !lo out *  192.168.1.111  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.1.111    
csf: all entries removed from csf.deny
9. Search for a pattern match on iptables e.g : IP, CIDR, Port Number
csf -g 192.168.1.110

Step 5 - Advanced Configuration

Here are some CSF tweaks you can apply as needed.
Back to the csf configuration directory, and edit the csf.conf configuration file:
cd /etc/csf/
vim csf.conf
1. Don't block IP addresses that are in the csf.allow file.
By default lfd will also block an IP that is listed in csf.allow. If you want IPs in csf.allow never to be blocked by lfd, go to line 272 and change "IGNORE_ALLOW" to "1". This is useful when you have a static IP at home or in the office and want to ensure that your IP never gets blocked by the firewall on your internet server.
IGNORE_ALLOW = "1"
2. Allow Incoming and Outgoing ICMP.
Go to the line 152 for incoming ping/ICMP:
ICMP_IN = "1"
And line 159 for outgoing ping/ICMP:
ICMP_OUT = "1"
3. Block Certain Countries
CSF provides an option to allow and deny access by country using country codes. Go to line 836 and add the country codes that shall be allowed and denied:
CC_DENY = "CN,UK,US"
CC_ALLOW = "ID,MY,DE"
4. Send su and SSH Login Alerts by Email.
You can have LFD send an email about "SSH Login" events and about users that run the "su" command. Go to line 1069 and change the values to "1":
LF_SSH_EMAIL_ALERT = "1"
 
...
 
LF_SU_EMAIL_ALERT = "1"
Then define the email address you want to use on line 588:
LF_ALERT_TO = "mymail@mydomain.tld"
If you want more tweaks, read the options in the "/etc/csf/csf.conf" configuration file.
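Steps 3 and 5 locate each setting by its line number in csf.conf, and those numbers move between CSF releases; the other thing step 3 leaves to the reader is that switching TESTING off before the SSH port is in TCP_IN cuts off your own session. The helpers below are an added example, not part of the original tutorial or of CSF itself. They edit csf.conf by option name rather than line number, read values back for verification, and refuse to leave TESTING mode until the port sshd listens on is present in TCP_IN. The csf.conf path and the option names (TESTING, TCP_IN, IGNORE_ALLOW) are the ones the tutorial uses; the function names and the sshd_config argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): edit /etc/csf/csf.conf by
# option name instead of line number, and guard the switch out of TESTING mode.

# Set KEY = "VALUE", replacing the existing line or appending if the key is
# absent. Usage: csf_set FILE KEY VALUE
csf_set() {
    file=$1; key=$2; value=$3
    if grep -q "^${key} = " "$file"; then
        sed -i "s|^${key} = .*|${key} = \"${value}\"|" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of KEY without the surrounding quotes. Usage: csf_get FILE KEY
csf_get() {
    sed -n "s/^$2 = \"\(.*\)\"/\1/p" "$1"
}

# Succeed (exit 0) if PORT is one of the comma-separated entries in TCP_IN.
tcp_in_has_port() {
    csf_get "$1" TCP_IN | tr ',' '\n' | grep -qx "$2"
}

# Read the listening port from an sshd_config file; default to 22 when unset.
# The path is an argument so the check can run against a copy of the file.
ssh_port_from_config() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${port:-22}"
}

# Set TESTING = "0" only after confirming the SSH port is allowed in TCP_IN;
# otherwise refuse, because CSF would drop the SSH session as soon as it starts.
leave_testing_mode() {
    conf=$1; sshd_conf=$2
    port=$(ssh_port_from_config "$sshd_conf")
    if ! tcp_in_has_port "$conf" "$port"; then
        echo "refusing to disable TESTING: SSH port $port is not in TCP_IN" >&2
        return 1
    fi
    csf_set "$conf" TESTING 0
}

# Typical use on a real host (not run here):
#   leave_testing_mode /etc/csf/csf.conf /etc/ssh/sshd_config && csf -r
#   csf_set /etc/csf/csf.conf IGNORE_ALLOW 1
```

Because csf_set matches on the option name, the same call works whether the option sits on line 11 or line 1069 in the CSF version you happen to have installed; run csf -r after the edits so the running firewall picks them up.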