Open Source Technologies for High Availability and Security of Web Applications


Alexandro Silva <alexos@alexos.org>

http://alexos.org, Jun/16

Challenges

● Availability
● Performance
● Security

What to protect?

Solution

Reverse Proxy

Advantages

● Reduced consumption
  – Bandwidth
  – Backend resources
● High availability
● Caching
● Centralized management

Nginx

● Developed by Igor Sysoev
● Used by 27% of the most visited sites

Source: Netcraft - http://news.netcraft.com/archives/2016/06/22/june-2016-web-server-survey.html

# Pass the original host and client address on to the backend
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Cache storage: 8 MB key zone, up to 1000 MB on disk, entries unused for 600 min are evicted
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
proxy_temp_path /var/cache/tmp;
proxy_max_temp_file_size 0;

proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;

proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
# Caching POST responses is unusual: make sure no user-specific content can be served from the cache
proxy_cache_methods GET HEAD POST;

nginx.conf

Hardening

# DoS protection: small buffers and short timeouts for slow or oversized clients
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 2M;
large_client_header_buffers 2 1k;
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;

# Hide the version from the Server banner
server_tokens off;

# Limit the maximum number of concurrent connections per IP
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn addr 10;

# Headers
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
# CSP directive names take no colon ("connect-src 'self'", not "connect-src: 'self'").
# X-WebKit-CSP and X-Content-Security-Policy are the legacy names; the standard header is Content-Security-Policy.
add_header X-WebKit-CSP "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'";
# A wildcard origin lets any site read the responses; restrict it for authenticated applications
add_header Access-Control-Allow-Origin "*";
add_header X-Download-Options "noopen";
# The whole value must be quoted, otherwise the first ';' ends the add_header directive
add_header X-Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'";
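A way to verify that the hardening above actually reaches the client, as an added example that is not part of the original deck. The script parses a raw HTTP response head and checks what the nginx snippet is meant to achieve: no version in the Server banner, HSTS with at least a one-year max-age, X-Frame-Options and X-Content-Type-Options present, a CSP header whose directives are well formed (the original snippet's "connect-src:" form is silently dropped by browsers), and no wildcard CORS origin on a response that sets a cookie. The two sample responses are constructed.

```python
"""Audit an HTTP response against the hardening headers from the slide.

Added example, not part of the original deck; BEFORE and AFTER are constructed.
"""
import re

# header name -> predicate that says whether its value is acceptable
REQUIRED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "strict-transport-security": lambda v: hsts_max_age(v) >= 31536000,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
}
# the standard name first, then the two legacy names used in the deck
CSP_HEADERS = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")


def hsts_max_age(value):
    """max-age seconds from an HSTS value, 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def parse_headers(raw):
    """Raw HTTP/1.1 response head -> {lowercase name: value}; the last duplicate wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def csp_problems(value):
    """Directive names written with a stray colon ('connect-src:'); nginx sends
    the string unchanged but browsers drop such directives."""
    bad = []
    for directive in value.split(";"):
        words = directive.split()
        if words and words[0].endswith(":"):
            bad.append(words[0])
    return bad


def audit(raw):
    """Return a list of findings; an empty list means the response passes."""
    h = parse_headers(raw)
    findings = []
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append("server header leaks a version: %s" % server)
    for name, acceptable in REQUIRED.items():
        if name not in h:
            findings.append("missing %s" % name)
        elif not acceptable(h[name]):
            findings.append("weak %s: %s" % (name, h[name]))
    present = [n for n in CSP_HEADERS if n in h]
    if not present:
        findings.append("no content security policy header")
    for n in present:
        for bad in csp_problems(h[n]):
            findings.append("%s: malformed directive %s" % (n, bad))
    if h.get("access-control-allow-origin") == "*" and "set-cookie" in h:
        findings.append("wildcard Access-Control-Allow-Origin on a response that sets a cookie")
    return findings


# Constructed responses: BEFORE mirrors the mistakes in the slide's original
# snippet (version banner, 'connect-src:' in the CSP, wildcard CORS with a
# cookie); AFTER is what the corrected configuration produces.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.10.0\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src: 'self'\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Set-Cookie: sid=abc123; HttpOnly\r\n"
    "\r\n<html></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(resp) or "OK")
```

Run it against a real server by feeding `audit()` the head of a captured response; the checks are deliberately simple string tests so they can be dropped into a deployment pipeline.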

Cluster and Failover

upstream acme {
    ip_hash;                # a client (first three IPv4 octets) always lands on the same backend
    server 192.168.0.2;
    server 192.168.0.3;
    server 192.168.0.4;
}

vhost

upstream acme {
    ip_hash;
    server 192.168.0.2 weight=1;    # receives 1/6 of the clients
    server 192.168.0.3 weight=2;    # 2/6
    server 192.168.0.4 weight=3;    # 3/6
}

vhost

upstream acme {
    ip_hash;
    server 192.168.0.2 max_fails=3 fail_timeout=30s;   # after 3 failures within 30s, skipped for 30s
    server 192.168.0.3;
    server 192.168.0.4 down;                           # excluded from rotation
    server 192.168.0.5;
}

vhost
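A small model of what the three upstream blocks configure (ip_hash stickiness, weights, `down`, and `max_fails`/`fail_timeout`), as an added example that is not nginx code or part of the original deck. It hashes the client's first three IPv4 octets with SHA-256, which keeps the stickiness and weighting properties of ip_hash without reproducing nginx's own hash function, and the failure accounting follows the documented meaning of the two parameters; the `build_acme()` pool mirrors the third `upstream acme` above.

```python
"""Model of an nginx upstream with ip_hash, weights, 'down' and max_fails/fail_timeout.

Added example, not nginx code: the hash function is an assumption (SHA-256 over
the /24 prefix), the failure accounting follows the parameters' documented meaning.
"""
import hashlib


class Server:
    def __init__(self, addr, weight=1, max_fails=1, fail_timeout=10.0, down=False):
        self.addr = addr
        self.weight = weight
        self.max_fails = max_fails          # 0 disables failure accounting
        self.fail_timeout = fail_timeout    # seconds: both the counting window and the penalty
        self.down = down
        self.fails = 0
        self.window_start = None
        self.unavailable_until = 0.0

    def available(self, now):
        return not self.down and now >= self.unavailable_until


class Upstream:
    def __init__(self, servers):
        self.servers = servers

    def pick(self, client_ip, now):
        """Choose a backend for client_ip at time now (None if nothing is up)."""
        pool = [s for s in self.servers if s.available(now)]
        if not pool:
            return None
        key = ".".join(client_ip.split(".")[:3])    # ip_hash keys on the /24, not the full address
        h = int(hashlib.sha256(key.encode()).hexdigest(), 16)
        slot = h % sum(s.weight for s in pool)      # a weight widens a server's share of hash space
        for s in pool:
            slot -= s.weight
            if slot < 0:
                return s

    def report_failure(self, server, now):
        """Record a failed attempt; after max_fails failures within fail_timeout
        the server is skipped for fail_timeout seconds."""
        if server.max_fails == 0:
            return
        if server.window_start is None or now - server.window_start > server.fail_timeout:
            server.window_start, server.fails = now, 0
        server.fails += 1
        if server.fails >= server.max_fails:
            server.unavailable_until = now + server.fail_timeout
            server.window_start, server.fails = None, 0


def build_acme():
    """The third 'upstream acme' block from the deck."""
    return Upstream([
        Server("192.168.0.2", max_fails=3, fail_timeout=30),
        Server("192.168.0.3"),
        Server("192.168.0.4", down=True),
        Server("192.168.0.5"),
    ])


def distribution(upstream, prefixes):
    """Count picks per backend for one client in each of `prefixes` distinct /24 networks."""
    counts = {s.addr: 0 for s in upstream.servers}
    for i in range(prefixes):
        chosen = upstream.pick("10.%d.%d.1" % (i // 256, i % 256), now=0)
        counts[chosen.addr] += 1
    return counts


if __name__ == "__main__":
    up = build_acme()
    first = up.servers[0]
    for t in (0, 1, 2):
        up.report_failure(first, t)
    print("192.168.0.2 available at t=2:", first.available(2))    # False: penalised until t=32
    print("192.168.0.2 available at t=33:", first.available(33))  # True: retried after fail_timeout
    print(distribution(Upstream([Server("a", weight=1), Server("b", weight=2), Server("c", weight=3)]), 3000))
```

One property worth noticing in the model, and true of ip_hash as well: when a backend drops out, the clients that were pinned to it are re-hashed onto the remaining servers, so session state that lives only on the backend is lost for them. Shared session storage or the database/file replication mentioned under Considerations is what keeps the failover transparent.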

Heartbeat

logfile /var/log/ha-log
keepalive 1
deadtime 5
udpport 694
ucast eth0 192.168.0.1
auto_failback on
node wafmaster
node wafbackup

ha.conf

wafmaster \
    IPaddr::192.168.0.3/24/eth0:0

Security: Naxsi WAF

● Developed by Thibault Koechlin
● Developed for Nginx
● Does not use signatures to detect and block attacks
● Identifies arbitrary characters in HTTP requests
● Scores those characters, like an antispam filter
● Virtual patching

# Naxsi WAF
include /etc/nginx/naxsi_core.rules;

nginx.conf

include /usr/local/etc/nginx/naxsi.rules;
error_page 500 http://acme;
error_page 403 http://acme;
error_page 404 http://acme;

# Naxsi learning mode: denied requests are redirected internally to this location
location /RequestDenied {
    return 500;
}

vhost

LearningMode;              # enables learning mode: matches are logged, not blocked
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

naxsi_rules
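The score-based decision the Naxsi slides describe (every matching rule adds points to a named counter and a CheckRule threshold decides), as an added example that is not Naxsi's code. The rules in `RULES` are a small constructed set in the style of naxsi's MainRule lines (id, pattern, points), not a copy of naxsi_core.rules; the thresholds are the CheckRule values from the naxsi_rules file above, and the whitelist argument plays the role of a `BasicRule wl:ID "mz:$ARGS_VAR:name"` line. The sample requests are constructed.

```python
"""Score-based blocking as the Naxsi slides describe it.

Added example, not Naxsi code. RULES is a constructed subset in MainRule style;
CHECK_RULES holds the thresholds from the deck's naxsi_rules file.
"""
import re
from collections import defaultdict

# (rule id, regex over an argument value, points per match) - constructed, not naxsi_core.rules
RULES = [
    (1000, r"select|union|update|delete|insert|from", {"$SQL": 4}),
    (1001, r'"', {"$SQL": 8, "$XSS": 8}),
    (1008, r";", {"$SQL": 4, "$XSS": 8}),
    (1010, r"\(", {"$SQL": 4, "$XSS": 8}),
    (1013, r"'", {"$SQL": 4, "$XSS": 8}),
    (1100, r"https?://", {"$RFI": 8}),
    (1202, r"\.\.", {"$TRAVERSAL": 4}),
    (1302, r"<", {"$XSS": 8}),
    (1303, r">", {"$XSS": 8}),
]

# CheckRule "$SQL >= 8" BLOCK; ... as on the slide
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}


def score_request(args, whitelist=()):
    """Score the query arguments of one request.

    args: {argument name: value}; whitelist: (rule id, argument name) pairs,
    the equivalent of BasicRule wl:ID "mz:$ARGS_VAR:name".
    Returns (points per counter, list of (rule id, argument, occurrences)).
    """
    scores = defaultdict(int)
    matches = []
    for name, value in args.items():
        for rule_id, pattern, points in RULES:
            if (rule_id, name) in whitelist:
                continue
            hits = len(re.findall(pattern, value, re.I))
            if hits:
                matches.append((rule_id, name, hits))
                for counter, p in points.items():
                    scores[counter] += p * hits     # every occurrence adds to the score
    return dict(scores), matches


def decide(scores, learning_mode=False):
    """PASS, BLOCK, or LOG (over the threshold, but LearningMode only logs it)."""
    triggered = [c for c, limit in CHECK_RULES.items() if scores.get(c, 0) >= limit]
    if not triggered:
        return "PASS"
    return "LOG" if learning_mode else "BLOCK"


def check(args, whitelist=(), learning_mode=False):
    scores, _ = score_request(args, whitelist)
    return decide(scores, learning_mode)


# Constructed requests: a normal search, three textbook attack shapes, and a
# legitimate parameter (fltr[] from the nx_util slide) that trips rule 1008.
SAMPLES = {
    "search":    {"q": "open source high availability"},
    "sqli":      {"id": "1' union select password from users--"},
    "rfi":       {"page": "http://example.invalid/include.txt"},
    "traversal": {"file": "../../etc/passwd"},
    "fltr":      {"fltr[]": "a;b"},
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        scores, matches = score_request(args)
        print(label, decide(scores), scores, matches)
    print("fltr with whitelist:", check(SAMPLES["fltr"], whitelist={(1008, "fltr[]")}))
    print("sqli in learning mode:", check(SAMPLES["sqli"], learning_mode=True))
```

The `fltr` sample shows why learning mode and whitelists exist: a perfectly legitimate value containing `;` alone reaches the `$XSS` threshold, and the fix is a whitelist scoped to that one rule and argument rather than a lower threshold for everyone.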

2013/11/26 08:24:09 [error] 661#0: *8362 NAXSI_FMT: ip=192.168.0.5&server=acme&uri=/&learning=1&total_processed=1843&total_blocked=184, client: 192.168.0.5, server: acme, request: "GET /?action=learn&paper=http://milw0rm.com/papers/173&type=SQLi'%20or%20(sleep(2)%2b1)%20limit%201%20--%20 HTTP/1.1", host: "acme", referrer: "http://acme:80/"

log

nx_util

$ nx_util -d acme -o
########### Optimized Rules Suggestion ###################
# total_count:28 (8.24%), peer_count:1 (100.0%) | ], possible js
BasicRule wl:1311 "mz:$ARGS_VAR:fltr[]|NAME";
# total_count:28 (8.24%), peer_count:1 (100.0%) | [, possible js
BasicRule wl:1310 "mz:$ARGS_VAR:fltr[]|NAME";
# total_count:28 (8.24%), peer_count:1 (100.0%) | html close tag
BasicRule wl:1303 "mz:$ARGS_VAR:fltr[]";
# total_count:28 (8.24%), peer_count:1 (100.0%) | ; in stuff
BasicRule wl:1008 "mz:$ARGS_VAR:fltr[]";
# total_count:28 (8.24%), peer_count:1 (100.0%) | mysql keyword (|)
BasicRule wl:1005 "mz:$ARGS_VAR:fltr[]";
# total_count:27 (7.94%), peer_count:1 (100.0%) | double dot
BasicRule wl:1202 "mz:$URL:/..Á..Á..Á..Á..Á..Á..Á..Á/etc/passwd|URL";
# total_count:1 (0.29%), peer_count:1 (100.0%) | 0x, possible hex encoding
BasicRule wl:1002 "mz:$URL:/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini|URL";
# total_count:1 (0.29%), peer_count:1 (100.0%) | 0x, possible hex encoding
BasicRule wl:1002 "mz:$URL:/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd|URL";
# total_count:1 (0.29%), peer_count:1 (100.0%) | obvious probe
BasicRule wl:1202 "mz:$URL:/.../.../.../.../.../.../.../.../etc/passwd|URL";
# total_count:1 (0.29%), peer_count:1 (100.0%) | obvious probe
BasicRule wl:1202 "mz:$URL:/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c/etc/passwd|URL";
# total_count:1 (0.29%), peer_count:1 (100.0%) | obvious probe
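What nx_util does with the learning log, as an added example that is not nx_util's code: parse NAXSI_FMT lines like the one on the log slide, aggregate the per-rule hits, and print `BasicRule wl:` suggestions with the same total_count / peer_count information. The log lines are constructed; they follow the NAXSI_FMT key=value layout of the deck's line and also carry the zoneN/idN/varN triplets naxsi writes for each matched rule. One deliberate difference from the nx_util output above, where the suggestions include the traversal probes themselves: this version refuses to suggest a whitelist for a target that looks like a traversal, since learning traffic is only safe to whitelist when it is known to be clean.

```python
"""NAXSI_FMT log parser and whitelist suggester, in the spirit of nx_util.

Added example, not nx_util's code; LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

LINE_RE = re.compile(
    r'NAXSI_FMT: (?P<kv>[^,]+), client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<request>[^"]*)"')


def parse_line(line):
    """One nginx error-log line -> dict with fields, client, request and the list of
    (rule id, zone, variable) hits; None if the line is not a naxsi line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {k: v[0] for k, v in parse_qs(m.group("kv"), keep_blank_values=True).items()}
    hits, i = [], 0
    while "id%d" % i in fields:          # id0/zone0/var0, id1/zone1/var1, ...
        hits.append((fields["id%d" % i], fields.get("zone%d" % i, ""), fields.get("var%d" % i, "")))
        i += 1
    return {"fields": fields, "client": m.group("client"), "request": m.group("request"), "hits": hits}


def suggest(lines, min_peers=1):
    """Aggregate hits by (rule, zone, target) and emit BasicRule whitelist lines,
    most frequent first. Returns (suggestions, skipped); a suggestion is
    (rule text, total_count, peer_count)."""
    stats = defaultdict(lambda: {"count": 0, "peers": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule_id, zone, var in rec["hits"]:
            target = rec["fields"].get("uri", "") if zone == "URL" else var
            stats[(rule_id, zone, target)]["count"] += 1
            stats[(rule_id, zone, target)]["peers"].add(rec["fields"].get("ip", rec["client"]))
    suggestions, skipped = [], []
    for (rule_id, zone, target), st in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        if len(st["peers"]) < min_peers:
            continue
        mz = "$URL:%s|URL" % target if zone == "URL" else "$%s_VAR:%s" % (zone, target)
        rule = 'BasicRule wl:%s "mz:%s";' % (rule_id, mz)
        if ".." in target:               # our filter: never whitelist a traversal-shaped target
            skipped.append(rule)
        else:
            suggestions.append((rule, st["count"], len(st["peers"])))
    return suggestions, skipped


# Constructed log: two clients using the legitimate fltr[] parameter, one
# traversal probe recorded in learning mode, and one unrelated nginx error.
LOG = [
    '2016/06/20 10:00:01 [error] 700#0: *1 NAXSI_FMT: ip=192.168.0.10&server=acme&uri=/search'
    '&learning=1&total_processed=10&total_blocked=1&zone0=ARGS&id0=1008&var0=fltr[]'
    ', client: 192.168.0.10, server: acme, request: "GET /search?fltr[]=a;b HTTP/1.1", host: "acme"',
    '2016/06/20 10:00:02 [error] 700#0: *2 NAXSI_FMT: ip=192.168.0.11&server=acme&uri=/search'
    '&learning=1&total_processed=11&total_blocked=2&zone0=ARGS&id0=1008&var0=fltr[]'
    '&zone1=ARGS&id1=1303&var1=fltr[], client: 192.168.0.11, server: acme, '
    'request: "GET /search?fltr[]=a;b> HTTP/1.1", host: "acme"',
    '2016/06/20 10:00:03 [error] 700#0: *3 NAXSI_FMT: ip=192.168.0.5&server=acme&uri=/../../etc/passwd'
    '&learning=1&total_processed=12&total_blocked=3&zone0=URL&id0=1202&var0='
    ', client: 192.168.0.5, server: acme, request: "GET /../../etc/passwd HTTP/1.1", host: "acme"',
    '2016/06/20 10:00:05 [error] 700#0: *4 open() "/var/www/favicon.ico" failed (2: No such file or directory)'
    ', client: 192.168.0.12, server: acme, request: "GET /favicon.ico HTTP/1.1", host: "acme"',
]

if __name__ == "__main__":
    suggestions, skipped = suggest(LOG)
    for rule, count, peers in suggestions:
        print("# total_count:%d, peer_count:%d" % (count, peers))
        print(rule)
    for rule in skipped:
        print("# NOT suggested (traversal-shaped target):", rule)
```

Raising `min_peers` is the cheapest way to separate application behaviour from one noisy client: a whitelist candidate seen from a single IP is far more likely to be a scanner than a real feature of the site.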

Next Steps

Whitelisting using data mining

Considerations

● Replication
  – Database
  – Files
● Performance tuning
● Available bandwidth
● Avoid components that could become a bottleneck
● Monitoring
  – Munin
  – Zabbix

Links

✔ Nginx - http://nginx.org/
✔ Naxsi - https://github.com/nbs-system/naxsi/
✔ Heartbeat - http://linux-ha.org/wiki/Heartbeat
✔ Munin - http://munin-monitoring.org/
✔ Zabbix - http://www.zabbix.com/
✔ Alexos Core Labs - http://alexos.org

Alexandro Silva <alexos@alexos.org>

http://alexos.org