Cài WAF trên Ubuntu

Tính năng:

  • Chặn tấn công DDoS layer 7 (tầng Application)
  • Có thể cấu hình chặn request từ quốc tế, chỉ cho phép một vài quốc gia truy cập.

 

## Summary
– Nginx with ModSecurity v3 dynamic module enabled
– OWASP CRS loaded via ModSecurity rules
– CrowdSec installed with Nginx bouncer to block attacks detected by logs or ModSecurity alerts

 

Bài này đã test trên Ubuntu 22.04 và 24.04

 

Prerequisites

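# Build dependencies for libmodsecurity and the nginx connector.
apt update -y && apt upgrade -y

# git, wget and luarocks are needed by the steps that follow (cloning
# ModSecurity/CRS, fetching the nginx tarball, the luarocks calls right below);
# the original list only pulled luarocks in much later, in the CrowdSec step.
apt install -y gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext \
  pkg-config libgeoip-dev libyajl-dev doxygen libpcre2-16-0 libpcre2-dev libpcre2-posix3 zlib1g zlib1g-dev liblua5.1-0-dev \
  git wget luarocks

# Lua HTTP/string helpers — presumably consumed by the CrowdSec nginx (Lua)
# bouncer installed later; verify against that bouncer's requirements.
luarocks install lua-resty-http
luarocks install lua-resty-string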

 

Bắt đầu cài WAF

Cài nginx

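# add-apt-repository lives in software-properties-common; a minimal server
# image may not have it.
apt install -y software-properties-common
add-apt-repository ppa:ondrej/nginx -y
apt install nginx -y

systemctl enable nginx
systemctl status nginx

# Record the installed release: the ModSecurity dynamic module built later must
# be compiled from exactly this nginx version, otherwise load_module rejects the
# .so as binary-incompatible.
nginx -v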

 

Cài ModSecurity

# Build libmodsecurity (v3) from source; `make install` places it under /usr/local.
git clone https://github.com/owasp-modsecurity/ModSecurity.git /opt/ModSecurity
cd /opt/ModSecurity

# `update --init` is the one-step form of `submodule init` + `submodule update`.
git submodule update --init

./build.sh
./configure

make -j"$(nproc)"
make install

 

Cài và cấu hình ModSecurity – nginx connector

cd /opt && git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git

 

Cấu hình bật module modsec trên nginx

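# Build the connector as a dynamic module against the SAME nginx release the
# PPA installed; `nginx -v` prints "nginx version: nginx/X.Y.Z" on stderr.
nginx_ver=$(nginx -v 2>&1 | grep -o 'nginx/[0-9.]*' | cut -d/ -f2)
: "${nginx_ver:?could not detect the installed nginx version}"

cd /opt && wget "https://nginx.org/download/nginx-${nginx_ver}.tar.gz"
tar -xzf "nginx-${nginx_ver}.tar.gz"
cd "nginx-${nginx_ver}"

# The original text had en-dashes here; configure needs real double hyphens.
./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx

# Only the module is needed, so build just the `modules` target.
make -j"$(nproc)" modules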

 

# Install the freshly built module next to nginx's module configs and seed the
# ModSecurity config from the upstream template (run from the nginx source dir).
mod_src=/opt/ModSecurity
cp -- objs/ngx_http_modsecurity_module.so /etc/nginx/modules-enabled/
cp -- "${mod_src}/modsecurity.conf-recommended" /etc/nginx/modsecurity.conf
cp -- "${mod_src}/unicode.mapping" /etc/nginx/unicode.mapping

 

Chỉnh file /etc/nginx/nginx.conf

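# /etc/nginx/nginx.conf — main context (top of file, outside any block).
# Debian's stock file already carries the include; load_module must also sit in
# the main context, above http {}, or nginx refuses the config.
include /etc/nginx/modules-enabled/*.conf;
load_module /etc/nginx/modules-enabled/ngx_http_modsecurity_module.so;

http {
# The original text used curly quotes and an en-dash; nginx only accepts straight
# quotes. Note that "custom" is only applied where an access_log directive names
# it — the vhost sample below uses plain `access_log <path>;` (default format).
log_format custom '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
# ... remainder of the existing http {} block unchanged ...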

 

Chỉnh sửa file /etc/nginx/sites-enabled/default

# /etc/nginx/sites-enabled/default — place inside the server {} block.
# Switches the engine on for this vhost and points it at the shared rule file
# (modsecurity.conf, which in turn includes the CRS).
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;

 

Chỉnh sửa file /etc/nginx/modsecurity.conf

SecRuleEngine On

 

Sau khi tạo vhost xong thì xóa file /etc/nginx/sites-enabled/default cũng được.

 

Cài OWASP

# Fetch the OWASP Core Rule Set and activate its default setup file.
# This tracks the repository's default branch; for a production host pin a
# release with `--branch <CRS-release-tag>` so rule updates are deliberate.
crs_dir=/etc/nginx/owasp-crs
cd /etc/nginx
git clone https://github.com/coreruleset/coreruleset.git "${crs_dir}"
cp "${crs_dir}/crs-setup.conf.example" "${crs_dir}/crs-setup.conf"

 

Thêm vào /etc/nginx/modsecurity.conf

# Appended to /etc/nginx/modsecurity.conf. The paths are relative — presumably
# resolved against /etc/nginx, where modsecurity.conf lives and where the CRS
# was cloned (owasp-crs/); confirm if you move either file.
# Order matters: crs-setup.conf must be included before rules/*.conf.
Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf

 

systemctl restart nginx

 

Thử truy cập https://ip_address/as.php?s=/bin/bash thấy 403 là ok

 

Check log
# SecAuditLog in modsecurity.conf-recommended defaults to /var/log/modsec_audit.log;
# blocked requests also show up as ModSecurity lines in nginx's error log.
tail -f /var/log/modsec_audit.log
tail -f /var/log/nginx/error.log

 

Cài CrowdSec

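cd /opt
# Save the repository-setup script to disk so it can be read before it runs as
# root, rather than piping the download straight into sh.
curl -fsSL https://install.crowdsec.net -o /opt/install-crowdsec.sh
sudo sh /opt/install-crowdsec.sh
apt install -y lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson

# Alternative repository setup kept from the original notes (same caveat applies).
#curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
apt install crowdsec crowdsec-firewall-bouncer-iptables crowdsec-nginx-bouncer -y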

 

Chặn quốc tế, sửa ở đầu file /etc/crowdsec/profiles.yaml

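# Prepended to /etc/crowdsec/profiles.yaml. Profiles only act on alerts that a
# scenario already raised, so this bans non-VN sources that attacked; it is not
# a geo-block of all foreign traffic. Alerts that do not match (e.g. VN sources)
# fall through to the default profile that follows.
name: not_VN
#debug: true
filters:
  # Straight quotes are required; the original text had curly quotes.
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.Source.Cn != 'VN'
## Or Alert.Source.Cn not in ['GB', 'FR'] if you want multiple
decisions:
  - type: ban
    duration: 24h
#    duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
#notifications:
#  - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
# Document separator: keeps the existing default profile below as its own YAML document.
---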

 

 

# `enable --now` is enable + start in one call.
systemctl enable --now crowdsec

 

Sửa file /etc/crowdsec/acquis.yaml
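# /etc/crowdsec/acquis.yaml — which nginx logs the agent reads. The glob covers
# the per-vhost access/error logs set in the server blocks below; the original
# listed the same path twice.
filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx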

 

 

# Enable reCAPTCHA
# Truy cập https://www.google.com/recaptcha/admin/create
# Chỉnh sửa file /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf

Site key: 6Lee7D4rAAAAAPu0Bunxo_1YXZ5D1IYAnYzAJnc0
Secret key: 6Lee7D4rAAAAAIoVtYKBkM645B030BMmvNKUUmGl
(Cặp key trên chỉ để minh họa; điền site key và secret key bạn tự tạo ở trang reCAPTCHA admin vào file bouncer, và không đăng secret key lên nơi công khai.)

systemctl reload nginx

# Firewall-level bouncer (the iptables variant was already pulled in above).
apt install -y crowdsec-firewall-bouncer
systemctl enable --now crowdsec-firewall-bouncer

 

Nginx vhost sample

# http-context directives (this file is included from within http {}).
# limit_req_zone: one 10m shared zone keyed by client address at a 250 r/s
# steady rate; consumed by `limit_req zone=mayapmic` in the location blocks.
limit_req_zone $binary_remote_addr zone=mayapmic:10m rate=250r/s;
# proxy_cache_path: on-disk cache for upstream responses, capped at 500m;
# entries not hit for 30m are evicted.
proxy_cache_path /var/cache/nginx/mayapmic levels=1:2 keys_zone=mayapmic_cache:10m max_size=500m inactive=30m use_temp_path=off;

server {
# Plain-HTTP front end. It proxies the whole site instead of redirecting to the
# TLS server below, so clients that start on http:// stay on http://; consider
# `return 301 https://$host$request_uri;` here instead.
listen 80;
#listen [::]:80; # enable if the host has IPv6
http2 on;

# NOTE(review): this file is never created anywhere in the guide; nginx refuses
# to start when an include target is missing.
include /etc/nginx/blocklists/mayapmic.com.conf;

# Per-server ModSecurity switch; rules come from the shared modsecurity.conf.
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;

server_name mayapmic.com www.mayapmic.com;

# Same log files as the 443 server (the "-ssl" name is reused here); CrowdSec's
# acquis.yaml picks them up via /var/log/nginx/*.log.
access_log /var/log/nginx/mayapmic.com-ssl.log;
error_log /var/log/nginx/mayapmic.com-ssl.error.log warn;

location / {

# Per-client rate limit from the zone declared above.
limit_req zone=mayapmic burst=70 delay=10;

# NOTE(review): bypassing on $http_cache_control means any request that carries
# a Cache-Control header skips the cache and reaches the upstream, which
# weakens the caching layer this setup relies on to absorb floods; confirm it
# is intended.
proxy_cache mayapmic_cache;
proxy_cache_valid 200 301 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_bypass $http_cache_control;
add_header X-Proxy-Cache $upstream_cache_status;

proxy_buffering on;
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 32k;
proxy_max_temp_file_size 0;

# Forward client identity to the backend; Upgrade/Connection pass WebSocket
# handshakes through (see the $connection_upgrade map below).
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# NOTE(review): nginx does not verify the upstream certificate by default, and
# proxying to a bare IP sends no SNI; look at proxy_ssl_verify,
# proxy_ssl_trusted_certificate and proxy_ssl_server_name if the backend is
# reached over a network you do not control.
proxy_pass https://103.97.125.172;
}

}

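# Derives the Connection header sent upstream from the client's Upgrade header
# so WebSocket handshakes pass through; requests without Upgrade get "close".
# The original text had a curly quote here; nginx needs a straight-quoted empty
# string ('') for the no-Upgrade case.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}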

server {
# TLS front end; same proxy/cache/limit settings as the port-80 server.
listen 443 ssl;
#listen [::]:443 ssl; # enable if the host has IPv6
http2 on;

# NOTE(review): this file is never created anywhere in the guide; nginx refuses
# to start when an include target is missing.
include /etc/nginx/blocklists/mayapmic.com.conf;

# Per-server ModSecurity switch; rules come from the shared modsecurity.conf.
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;

server_name mayapmic.com www.mayapmic.com;

# Picked up by CrowdSec via the /var/log/nginx/*.log acquisition glob.
access_log /var/log/nginx/mayapmic.com-ssl.log;
error_log /var/log/nginx/mayapmic.com-ssl.error.log warn;

# No ssl_protocols / ssl_ciphers are set, so the nginx build defaults apply;
# no Strict-Transport-Security header is added either.
ssl_certificate /etc/nginx/ssl/mayapmic.com.crt;
ssl_certificate_key /etc/nginx/ssl/mayapmic.com.key;

location / {

# Per-client rate limit from the zone declared at the top of the file.
limit_req zone=mayapmic burst=70 delay=10;

# NOTE(review): bypassing on $http_cache_control lets any request carrying a
# Cache-Control header skip the cache and reach the upstream; confirm this is
# intended given the cache is part of the flood protection.
proxy_cache mayapmic_cache;
proxy_cache_valid 200 301 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_bypass $http_cache_control;
add_header X-Proxy-Cache $upstream_cache_status;

proxy_buffering on;
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 32k;
proxy_max_temp_file_size 0;

# Forward client identity to the backend; Upgrade/Connection pass WebSocket
# handshakes through (see the $connection_upgrade map above).
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# NOTE(review): upstream certificate is not verified by default and a bare IP
# sends no SNI; see proxy_ssl_verify / proxy_ssl_trusted_certificate /
# proxy_ssl_server_name if the backend is reached over an untrusted network.
proxy_pass https://103.97.125.172;
}
}

 

 

 
