From 18cd5fa98145c0621de5a47912970063c8e70741 Mon Sep 17 00:00:00 2001
From: M1cHae1W0u9 <34893871+M1cHae1W0u9@users.noreply.github.com>
Date: Tue, 9 Nov 2021 12:43:14 +0800
Subject: [PATCH 1/3] Modify some config file and testing url
---
 .../1-README_NAP_Deployment.md" | 91 ++++++++++++++++---
 1 file changed, 76 insertions(+), 15 deletions(-)
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md"
index 22e8973..ba39b95 100644
--- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md"
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md"
@@ -43,6 +43,62 @@ nginx-repo.crt # CentOS 7.4+环境的NAP安装步骤 +## 检查firewall状态 + +```bash +systemctl status firewalld.service +``` +```bash +[root@localhost ~]# systemctl status firewalld.service +● firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) + Active: active (running) since Fri 2021-11-05 14:23:38 EDT; 7min ago + Docs: man:firewalld(1) + Main PID: 699 (firewalld) + CGroup: /system.slice/firewalld.service + └─699 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid + +Nov 05 14:23:35 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon... +Nov 05 14:23:38 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon. +Nov 05 14:23:38 localhost.localdomain firewalld[699]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will ...g it now. +Hint: Some lines were ellipsized, use -l to show in full. +``` + +检查防火墙开放哪些端口: + +```bash +[root@localhost ~]# sudo firewall-cmd --list-all +public (active) + target: default + icmp-block-inversion: no + interfaces: ens33 + sources: + services: dhcpv6-client ssh + ports: + protocols: + masquerade: no + forward-ports: + source-ports: + icmp-blocks: + rich rules: +``` + +开启防火墙http 80(8080)端口: + +```bash +sudo firewall-cmd --add-service=http --permanent +sudo firewall-cmd --add-port=8080/tcp --permanent +``` + +或者关闭防火墙: + +```bash +[root@localhost ~]# systemctl disable firewalld.service +Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. +Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. +``` + + 1. 如果前面章节的实验已有相关NGINX包,可以备份相关配置和日志 ```bash sudo cp -a /etc/nginx /etc/nginx-plus-backup 
@@ -76,12 +132,16 @@ sudo yum --showduplicates list app-protect
 sudo yum install app-protect-20+2.52.1
 ```
 7. 检查 NGINX 二进制版本以确保正确安装了 NGINX Plus
+
 ```bash
 sudo nginx -v
 ```
-8. 配置nginx,以下二选一。
+注:在/var/log/nginx/目录下创建access.log文件,然后修改权限chmod 777 /var/log/nginx/access.log
+
+8. 配置nginx,以下二选一:
 - 可以将Gitee中<11 NGINX Web与API安全>目录下的nginx.conf文件拷贝至/etc/nginx/目录
 - 或者直接vi将如下配置文件内容粘贴至/etc/nginx/nginx.conf中:
+
 ```nginx
 user nginx;
 worker_processes auto;
@@ -126,47 +186,48 @@ http { app_protect_enable on; app_protect_security_log_enable on; # send the logs to the logstash instance on our ELK stack. - app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144; + #app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144; + app_protect_security_log "/etc/app_protect/conf/log_default.json" /var/log/nginx/access.log; # main service location / { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30585$request_uri; + proxy_pass http://10.1.1.149:30585$request_uri; } # backend service location /files { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30584$request_uri; + proxy_pass http://10.1.1.149:30584$request_uri; } # app2 service location /api { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30586$request_uri; + proxy_pass http://10.1.1.149:30586$request_uri; } # app2 service location /app3 { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30587$request_uri; + proxy_pass http://10.1.1.149:30587$request_uri; } } } ``` -9. 关闭SELinux,允许全局访问 +9. 临时关闭SELinux,允许全局访问 ```bash sudo setenforce 0 ``` -- Gitee From 1e45836a4ff95bdf77f0346423eabc5603af00e6 Mon Sep 17 00:00:00 2001 
From: M1cHae1W0u9 <34893871+M1cHae1W0u9@users.noreply.github.com> Date: Tue, 9 Nov 2021 12:46:18 +0800 Subject: [PATCH 2/3] Modify some info --- .DS_Store | Bin 10244 -> 10244 bytes .../.DS_Store" | Bin 0 -> 6148 bytes .../README.md" | 6 ++--- .../2-README_OWASP Top 10.md" | 25 +++++++++++------- 4 files changed, 18 insertions(+), 13 deletions(-) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/.DS_Store" diff --git a/.DS_Store b/.DS_Store index 9a1b33edebd686436b745d750080195a6bbf4afa..5b541c00d74e40bd24f14cc079c9018fe2186144 100644 GIT binary patch delta 110 zcmZn(XbG6$FUrfnz`)4BAi%)j&fv-5#}L7wz!1K%a2or>2Hwr=94s70AQeIkhCrwQ zlt)sfDN+;2m}ZL43lma b8nagrun&=dF|!9C`UJBp96tfGaTde@VGa{2 diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/.DS_Store" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/.DS_Store" new file mode 100644 index 0000000000000000000000000000000000000000..30a5f5272b38c760328c2b4cf0b295963fb14978 GIT binary patch literal 6148 zcmeHKyKVw85Zp~DP-rMA{R1Z@e_$c#=+aO{ft*rBqCoT~A@Mu>0^dc&?4t;}(2)ks zO6#%LJGMN56 zkd>^Z`OW`sw_oec=Eo9fRDcRl0V+TRsKDJ6$kI9--R(pkLKPmn#2_qpaKu2fDUHwvnigGwYB#+tF;CG3AdaR+zfN4 nVDNGb^m2@amE(ygMP9Kv_G@An=yb%L4&={(=|ZCd|E<6UYFrqn literal 0 HcmV?d00001 diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" index 8cb91a9..339a848 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" 
@@ -26,11 +26,11 @@ waf-policy-dataguard.yaml 2. 创建Lab文件夹并将所需文件导入该文件夹 ```bash -mkdir -p /home/ubuntu/lab-files/arcadia-manifests/ +mkdir -p /home/k8s/lab-files/ ``` 3. 部署Arcadia deployment ``` -kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-deployments.yaml +kubectl apply -f /home/k8s/lab-files/arcadia-deployments.yaml ``` 可以看到部署成功,如下: @@ -52,7 +52,7 @@ deployment.apps/app3 created 4. 通过Nodeport服务暴露应用 ``` -kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-services-nodeport.yaml +kubectl apply -f /home/k8s/lab-files/arcadia-services-nodeport.yaml ``` 注:arcadia-services-nodeport.yaml配置如下: ```yaml diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" index ed52b3c..ef5b310 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" @@ -21,9 +21,11 @@ policy_owasp_top10.json ## SQL注入防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ +http://10.1.1.147/?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ ``` + 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355204: ![OWASP-Top-10-SQL注入](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-SQL%E6%B3%A8%E5%85%A5.png) 
@@ -133,9 +135,11 @@ http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+u ``` 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch +http://10.1.1.147/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch ``` + 2. 请求被NAP阻断,阻断信息及support ID: 302917768469178547: ![OWASP-Top-10-remote-files-include](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-remote-files-include.png) @@ -230,9 +234,11 @@ http://centos.arcadia-finance.io/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3 ## 路径遍历防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd +http://10.1.1.147/lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd ``` + 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355714: ![OWASP-Top-10-Predictable%20Resource%20Location%20Path%20Traversal](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-Predictable%20Resource%20Location%20Path%20Traversal.png) @@ -332,9 +338,11 @@ http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=%2F ## Cross Site Scripting防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ +http://10.1.1.147/lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ ``` + 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433356224: ![OWASP-Top-10-cross%20site%20scripting](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-cross%20site%20scripting.png) 
@@ -432,9 +440,11 @@ http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=+oN ## Multiple decoding多次解码防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/three_decodin%2525252567.html +http://10.1.1.147/three_decodin%2525252567.html ``` + 2. 请求被NAP告警,告警信息及support ID: 302917768469183137: ![OWASP-Top-10-多次解码](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-%E5%A4%9A%E6%AC%A1%E8%A7%A3%E7%A0%81.png) @@ -527,8 +537,3 @@ http://centos.arcadia-finance.io/three_decodin%2525252567.html 本章节Lab主要介绍了NAP对OWASP Top 10常见攻击的防护,大家可以多测试不同的攻击策略以及调整NAP的防护策略。🍺 --- - - - - - -- Gitee From 6e402973df375fa66b8eabbee8d8fa0a5835995f Mon Sep 17 00:00:00 2001 From: M1cHae1W0u9 <34893871+M1cHae1W0u9@users.noreply.github.com> Date: Tue, 9 Nov 2021 13:55:08 +0800 Subject: [PATCH 3/3] modify url --- .../README.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" index 339a848..bb477e1 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" @@ -161,7 +161,7 @@ service/app3 created ## 验证Arcadia应用运行状态 -5. 浏览器访问http://centos.arcadia-finance.io/ +5. 浏览器访问http://10.1.1.149:30585/ 可以正常打开,如图: -- Gitee