diff --git a/.DS_Store b/.DS_Store index 9a1b33edebd686436b745d750080195a6bbf4afa..5b541c00d74e40bd24f14cc079c9018fe2186144 100644 Binary files a/.DS_Store and b/.DS_Store differ diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" index 8cb91a90d6f9bfeca2b17be302a26fe32a55348f..bb477e139fcc3cd8d47650321f1df2c3e9a97b15 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" @@ -26,11 +26,11 @@ waf-policy-dataguard.yaml 2. 创建Lab文件夹并将所需文件导入该文件夹 ```bash -mkdir -p /home/ubuntu/lab-files/arcadia-manifests/ +mkdir -p /home/k8s/lab-files/ ``` 3. 部署Arcadia deployment ``` -kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-deployments.yaml +kubectl apply -f /home/k8s/lab-files/arcadia-deployments.yaml ``` 可以看到部署成功,如下: @@ -52,7 +52,7 @@ deployment.apps/app3 created 4. 通过Nodeport服务暴露应用 ``` -kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-services-nodeport.yaml +kubectl apply -f /home/k8s/lab-files/arcadia-services-nodeport.yaml ``` 注:arcadia-services-nodeport.yaml配置如下: ```yaml @@ -161,7 +161,7 @@ service/app3 created ## 验证Arcadia应用运行状态 -5. 浏览器访问http://centos.arcadia-finance.io/ +5. 浏览器访问http://10.1.1.149:30585/ 可以正常打开,如图: 
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" index 22e8973694bb32c973546b513950c8dcbfd1c453..ba39b95d8758bf23af75a7c43d96e591b81faded 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" 
@@ -43,6 +43,62 @@ nginx-repo.crt # CentOS 7.4+环境的NAP安装步骤 +## 检查firewall状态 + +```bash +systemctl status firewalld.service +``` +```bash +[root@localhost ~]# systemctl status firewalld.service +● firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) + Active: active (running) since Fri 2021-11-05 14:23:38 EDT; 7min ago + Docs: man:firewalld(1) + Main PID: 699 (firewalld) + CGroup: /system.slice/firewalld.service + └─699 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid + +Nov 05 14:23:35 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon... +Nov 05 14:23:38 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon. +Nov 05 14:23:38 localhost.localdomain firewalld[699]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will ...g it now. +Hint: Some lines were ellipsized, use -l to show in full. +``` + +检查防火墙开放哪些端口: + +```bash +[root@localhost ~]# sudo firewall-cmd --list-all +public (active) + target: default + icmp-block-inversion: no + interfaces: ens33 + sources: + services: dhcpv6-client ssh + ports: + protocols: + masquerade: no + forward-ports: + source-ports: + icmp-blocks: + rich rules: +``` + +开启防火墙http 80(8080)端口: + +```bash +sudo firewall-cmd --add-service=http --permanent +sudo firewall-cmd --add-port=8080/tcp --permanent +``` + +或者关闭防火墙: + +```bash +[root@localhost ~]# systemctl disable firewalld.service +Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. +Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. +``` + + 1. 如果前面章节的实验已有相关NGINX包,可以备份相关配置和日志 ```bash sudo cp -a /etc/nginx /etc/nginx-plus-backup 
@@ -76,12 +132,16 @@ sudo yum --showduplicates list app-protect sudo yum install app-protect-20+2.52.1 ``` 7. 检查 NGINX 二进制版本以确保正确安装了 NGINX Plus + ```bash sudo nginx -v ``` -8. 配置nginx,以下二选一。 +注:在/var/log/nginx/目录下创建access.log文件,然后修改权限chmod 777 /var/log/nginx/access.log + +8. 配置nginx,以下二选一: - 可以将Gitee中<11 NGINX Web与API安全>目录下的nginx.conf文件拷贝至/etc/nginx/目录 - 或者直接vi将如下配置文件内容粘贴至/etc/nginx/nginx.conf中: + ```nginx user nginx; worker_processes auto; 
@@ -126,47 +186,48 @@ http { app_protect_enable on; app_protect_security_log_enable on; # send the logs to the logstash instance on our ELK stack. - app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144; + #app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144; + app_protect_security_log "/etc/app_protect/conf/log_default.json" /var/log/nginx/access.log; # main service location / { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30585$request_uri; + proxy_pass http://10.1.1.149:30585$request_uri; } # backend service location /files { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30584$request_uri; + proxy_pass http://10.1.1.149:30584$request_uri; } # app2 service location /api { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30586$request_uri; + proxy_pass http://10.1.1.149:30586$request_uri; } # app2 service location /app3 { - resolver 10.1.1.8:5353; - resolver_timeout 5s; + #resolver 10.1.1.8:5353; + #resolver_timeout 5s; client_max_body_size 0; default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30587$request_uri; + proxy_pass http://10.1.1.149:30587$request_uri; } } } ``` -9. 关闭SELinux,允许全局访问 +9. 临时关闭SELinux,允许全局访问 ```bash sudo setenforce 0 ``` 
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" index ed52b3ca1404216828ec6d2710221cdf3fd6c155..ef5b3109e2bef1a4f8d485eb9b245939e2ad7168 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" @@ -21,9 +21,11 @@ policy_owasp_top10.json ## SQL注入防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ +http://10.1.1.147/?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ ``` + 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355204: ![OWASP-Top-10-SQL注入](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-SQL%E6%B3%A8%E5%85%A5.png) @@ -133,9 +135,11 @@ http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+u ``` 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch +http://10.1.1.147/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch ``` + 2. 请求被NAP阻断,阻断信息及support ID: 302917768469178547: ![OWASP-Top-10-remote-files-include](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-remote-files-include.png) 
@@ -230,9 +234,11 @@ http://centos.arcadia-finance.io/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3 ## 路径遍历防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd +http://10.1.1.147/lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd ``` + 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355714: ![OWASP-Top-10-Predictable%20Resource%20Location%20Path%20Traversal](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-Predictable%20Resource%20Location%20Path%20Traversal.png) @@ -332,9 +338,11 @@ http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=%2F ## Cross Site Scripting防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ +http://10.1.1.147/lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ ``` + 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433356224: ![OWASP-Top-10-cross%20site%20scripting](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-cross%20site%20scripting.png) @@ -432,9 +440,11 @@ http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=+oN ## Multiple decoding多次解码防护 1. 浏览器输入: + ``` -http://centos.arcadia-finance.io/three_decodin%2525252567.html +http://10.1.1.147/three_decodin%2525252567.html ``` + 2. 请求被NAP告警,告警信息及support ID: 302917768469183137: ![OWASP-Top-10-多次解码](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-%E5%A4%9A%E6%AC%A1%E8%A7%A3%E7%A0%81.png) @@ -527,8 +537,3 @@ http://centos.arcadia-finance.io/three_decodin%2525252567.html 本章节Lab主要介绍了NAP对OWASP Top 10常见攻击的防护,大家可以多测试不同的攻击策略以及调整NAP的防护策略。🍺 --- - - - - -
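Review bot: The first hunk commits a changed binary `.DS_Store` (`Binary files a/.DS_Store and b/.DS_Store differ`); this macOS Finder metadata carries no lab content and should be removed from the tree and added to `.gitignore` rather than updated in this change. In the same hunk for `Lab-0-环境搭建/README.md`, the browser URL switches from the hostname `http://centos.arcadia-finance.io/` to the literal `http://10.1.1.149:30585/`, and the later `2-README_OWASP Top 10.md` hunks switch to `http://10.1.1.147/`; since these are addresses of the author's own lab machines, the text should say that `10.1.1.149` (the k8s NodePort host) and `10.1.1.147` (the NGINX App Protect host) are to be replaced with the reader's own addresses, otherwise the cited support IDs (for example `18029559235433355204`) will not match what readers see either, as NAP generates a fresh support ID per blocked request.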
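Review bot: In the `1-README_NAP_Deployment.md` hunk at `@@ -43,6 +43,62 @@`, the two `firewall-cmd --permanent` commands (`sudo firewall-cmd --add-service=http --permanent` and `sudo firewall-cmd --add-port=8080/tcp --permanent`) only change the saved configuration; without a following `sudo firewall-cmd --reload` the running firewall still blocks 80 and 8080 and the lab's next step fails. The alternative "或者关闭防火墙" also needs a check: `systemctl disable firewalld.service` only prevents the service from starting at boot, the running daemon shown as `active (running)` a few lines earlier keeps filtering until it is stopped, and turning off the host firewall entirely is a far wider change than opening the two ports the lab needs, so the opening-ports path should be presented as the primary option and the disable path, if kept at all, marked as lab-only.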
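Review bot: In the hunk at `@@ -76,12 +132,16 @@`, the added note "修改权限chmod 777 /var/log/nginx/access.log" makes the WAF security log world-writable, so any local account can truncate or rewrite the very records the lab uses as evidence of blocked attacks. The log only needs to be writable by the worker user declared in the config (`user nginx;`), so suggest `sudo chown nginx:nginx /var/log/nginx/access.log` and `sudo chmod 640 /var/log/nginx/access.log` instead, and state why a pre-created file is needed at all (the `app_protect_security_log ... /var/log/nginx/access.log` destination added in the next hunk).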
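Review bot: In the hunk at `@@ -126,47 +186,48 @@`, routing `app_protect_security_log "/etc/app_protect/conf/log_default.json"` to `/var/log/nginx/access.log` reuses the file name NGINX conventionally uses for its request access log, so WAF events and ordinary access entries can end up interleaved in one file and are hard to separate when reviewing an incident; a dedicated file such as `/var/log/nginx/app_protect.log` (or the original syslog target, which the hunk keeps only as a commented line) would be clearer. The `resolver` lines are commented out consistently with the move from `k8s.arcadia-finance.io` to the literal `10.1.1.149` in every `proxy_pass`, which is fine, but a one-line comment saying the resolver is unnecessary only because the upstream is now an IP would save readers from re-enabling it. Finally, the renamed step "临时关闭SELinux" is accurate in that `setenforce 0` does not survive a reboot, and the text should say so, since a reader who reboots the VM mid-lab will otherwise see NGINX fail without an obvious cause.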