Embed Size (px)
Citation preview
Tecnologias Open Source para Alta Disponibilidade e Segurança de
Aplicações Web
Alexandro [email protected]
http://alexos.orgJun/16
Desafios
Disponibilidade
Performance
Segurança
O que proteger?
Solução
Proxy Reverso
Vantagens
● Redução no consumo– Banda– Recursos backend
● Alta disponibilidade● Caching● Gerenciamento centralizado
● Desenvolvido por Igor Sysoev● Usado por 27% dos sites mais acessados
Fonte: Netcraft - http://news.netcraft.com/archives/2016/06/22/june-2016-web-server-survey.html
proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m; proxy_temp_path /var/cache/tmp;
proxy_max_temp_file_size 0;
proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90;
proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_cache_methods GET HEAD POST;
nginx.conf
Hardening
# Protecao contra DoS client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 2M; large_client_header_buffers 2 1k; client_body_timeout 10; client_header_timeout 10; keepalive_timeout 5 5; send_timeout 10;# Remove Banner server_tokens off;# Limita o maximo de conexoes concorrentes por IP limit_conn_zone $binary_remote_addr zone=addr:10m; limit_conn addr 10;# Headers add_header X-Content-Type-Options nosniff; add_header Strict-Transport-Security max-age=31536000; add_header X-Frame-Options SAMEORIGIN; add_header X-XSS-Protection "1; mode=block"; add_header X-WebKit-CSP "default-src 'none'; script-src 'self'; connect-src: 'self'; img-src: 'self'; style-src: 'self'"; add_header Access-Control-Allow-Origin "'*'"; add_header X-Download-Options "noopen"; add_header X-Content-Security-Policy default-src 'none'; script-src 'self'; connect-src: 'self'; img-src: 'self'; style-src: 'self';
Cluster e
Failover
upstream acme { ip_hash;
server 192.168.0.2; server 192.168.0.3; server 192.168.0.4; }
vhost
upstream acme { ip_hash; server 192.168.0.2 weight=1; server 192.168.0.3 weight=2; server 192.168.0.4 weight=3; }
vhost
upstream acme { ip_hash; server 192.168.0.2 max_fails=3 fail_timeout=30s; server 192.168.0.3; server 192.168.0.4 down; server 192.168.0.5 }
vhost
Heartbeat
logfile /var/log/ha-logkeepalive 1deadtime 5udpport 694ucast eth0 192.168.0.1lauto_failback onnode wafmasternode wafbackup
ha.conf
wafmaster \IPaddr::192.168.0.3/24/eth0:0
Segurança
● Desenvolvido por Thibault Koechlin● Desenvolvido para o Nginx● Não usa assinaturas para detectar e bloquear
ataques. ● Identifica caracteres arbitrários em requisições HTTP.● Faz um score de caracteres arbitrários,como um
antispam.● Virtual Patching
# Naxsi WAF
include /etc/nginx/naxsi_core.rules;
nginx.conf
include /usr/local/etc/nginx/naxsi.rules;
error_page 500 http://acme;error_page 403 http://acme;error_page 404 http://acme;
#Naxsi Learning Mode
location /RequestDenied { return 500; }
vhost
naxsi_rules
LearningMode; #Enables learning modeSecRulesEnabled;#SecRulesDisabled;DeniedUrl "/RequestDenied";
## check rulesCheckRule "$SQL >= 8" BLOCK;CheckRule "$RFI >= 8" BLOCK;CheckRule "$TRAVERSAL >= 4" BLOCK;CheckRule "$EVADE >= 4" BLOCK;CheckRule "$XSS >= 8" BLOCK;
naxsi_rules
2013/11/26 08:24:09 [error] 661#0: *8362 NAXSI_FMT: ip=192.168.0.5&server=acme&uri=/&learning=1&total_processed=1843&total_blocked=184, client: 192.168.0.5, server: acme, request: "GET /?action=learn&paper=http://milw0rm.com/papers/173&type=SQLi'%20or%20(sleep(2)%2b1)%20limit%201%20--%20 HTTP/1.1", host: "acme", referrer: "http://acme:80/"
log
nx_util
$ nx_util -d acme -o ########### Optimized Rules Suggestion ################### total_count:28 (8.24%), peer_count:1 (100.0%) | ], possible jsBasicRule wl:1311 "mz:$ARGS_VAR:fltr[]|NAME";# total_count:28 (8.24%), peer_count:1 (100.0%) | [, possible jsBasicRule wl:1310 "mz:$ARGS_VAR:fltr[]|NAME";# total_count:28 (8.24%), peer_count:1 (100.0%) | html close tagBasicRule wl:1303 "mz:$ARGS_VAR:fltr[]";# total_count:28 (8.24%), peer_count:1 (100.0%) | ; in stuffBasicRule wl:1008 "mz:$ARGS_VAR:fltr[]";# total_count:28 (8.24%), peer_count:1 (100.0%) | mysql keyword (|)BasicRule wl:1005 "mz:$ARGS_VAR:fltr[]";# total_count:27 (7.94%), peer_count:1 (100.0%) | double dotBasicRule wl:1202 "mz:$URL:/..Á..Á..Á..Á..Á..Á..Á..Á/etc/passwd|URL";# total_count:1 (0.29%), peer_count:1 (100.0%) | 0x, possible hex encodingBasicRule wl:1002 "mz:$URL:/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini|URL";# total_count:1 (0.29%), peer_count:1 (100.0%) | 0x, possible hex encodingBasicRule wl:1002 "mz:$URL:/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd|URL";# total_count:1 (0.29%), peer_count:1 (100.0%) | obvious probeBasicRule wl:1202 "mz:$URL:/.../.../.../.../.../.../.../.../etc/passwd|URL";# total_count:1 (0.29%), peer_count:1 (100.0%) | obvious probeBasicRule wl:1202 "mz:$URL:/..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c/etc/passwd|URL";# total_count:1 (0.29%), peer_count:1 (100.0%) | obvious probe
Próximos Passos
Whitelist usando Data Mining
Considerações● Replicação:
– Banco de dados
– Arquivos● Performance Tuning
● Banda disponível
● Evitar elementos que possam gerar gargalo
● Monitoramento
– Munin
– Zabbix
Links✔ Nginx - http://nginx.org/
✔ Naxsi - https://github.com/nbs-system/naxsi/
✔ Heartbeat – http://linux-ha.org/wiki/Heartbeat
✔ Munin – http://munin-monitoring.org/
✔ Zabbix – http://www.zabbix.com/
✔ Alexos Core Labs – http://alexos.org
