Nginx + Naxsi + Nxapi + ElasticSearch + Kibana 安裝

Platform: CentOS 7 – Linux localhost.localdomain 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

安裝依賴

---

• 安裝 libssl: yum install openssl-devel.x86_64
• 安裝 libpcre: yum install pcre-devel.x86_64
• 安裝 zlib （系統默認已安裝）
• 安裝 gzip （系統默認已安裝）

安裝 Nginx + Naxsi

---

• 下載 Nginx: wget http://nginx.org/download/nginx-1.13.12.tar.gz
• 解壓縮: tar -vzxf nginx-1.13.12.tar.gz
• 下載 Naxsi: git clone https://github.com/nbs-system/naxsi.git
• cd nginx-1.13.12, 編譯

 ./configure --conf-path=/etc/nginx/nginx.conf \
 --add-module=../naxsi/naxsi_src/ \
 --error-log-path=/var/log/nginx/error.log \
 --http-client-body-temp-path=/var/lib/nginx/body \
 --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
 --http-log-path=/var/log/nginx/access.log \
 --http-proxy-temp-path=/var/lib/nginx/proxy \
 --lock-path=/var/lock/nginx.lock \
 --pid-path=/var/run/nginx.pid \
 --with-http_ssl_module \
 --with-http_v2_module \
 --with-http_gzip_static_module \
 --with-http_realip_module \
 --with-http_flv_module \
 --with-http_mp4_module \
 --without-mail_pop3_module \
 --without-mail_smtp_module \
 --without-mail_imap_module \
 --without-http_uwsgi_module \
 --without-http_scgi_module \

make && make install

• 安裝完成

[root@localhost local]# nginx -v
nginx version: nginx/1.13.12

• 查看 nginx 安裝位置

[root@localhost nginx]# whereis nginx
nginx: /usr/sbin/nginx /etc/nginx

• 編寫啓動腳本 /etc/init.d/nginx

#!/bin/bash
# nginx Startup script for the Nginx HTTP Server
# it is v.0.0.2 version.
# chkconfig: - 85 15
# description: Nginx is a high-performance web and proxy server.
#       It has a lot of features, but it's not for everyone.
# processname: nginx
# pidfile: /run/nginx.pid
# config: /etc/nginx/nginx.conf  -> 根據具體安裝位置填寫

# 根據具體安裝位置填寫
nginxd=/usr/sbin/nginx

# config
nginx_config=/etc/nginx/nginx.conf

# CentOS PID 文件放在 /run/ 下
nginx_pid==/run/nginx.pid

RETVAL=0
prog="nginx"
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -x $nginxd ] || exit 0
# Start nginx daemons functions.
start() {
if [ -e $nginx_pid ];then
  echo "nginx already running...."
  exit 1
fi
  echo -n $"Starting $prog: "
  daemon $nginxd -c ${nginx_config}
  RETVAL=$?
  echo
  [ $RETVAL = 0 ] && touch /var/lock/subsys/nginx
  return $RETVAL
}
# Stop nginx daemons functions.
stop() {
    echo -n $"Stopping $prog: "
    killproc $nginxd
    RETVAL=$?
    echo

    # 注意修改 PID 文件位置
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/nginx /run/nginx.pid
}
# reload nginx service functions.
reload() {
  echo -n $"Reloading $prog: "
  #kill -HUP `cat ${nginx_pid}`
  killproc $nginxd -HUP
  RETVAL=$?
  echo
}
# See how we were called.
case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
reload)
    reload
    ;;
restart)
    stop
    start
    ;;
status)
    status $prog
    RETVAL=$?
    ;;
*)
    echo $"Usage: $prog {start|stop|restart|reload|status|help}"
    exit 1
esac
exit $RETVAL

• 設置執行權限: chmod a+x /etc/init.d/nginx
• 註冊成服務: chkconfig --add nginx
• 啓動/關閉 nginx 服務

[root@localhost ~]# /etc/init.d/nginx start
Starting nginx (via systemctl):  [  OK  ]
[root@localhost ~]# ps aux | grep nginx
root     18150  0.0  0.0  46272  1136 ?        Ss   19:01   0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nobody   18151  0.0  0.0  46708  1924 ?        S    19:01   0:00 nginx: worker process
root     18167  0.0  0.0 112660   976 pts/1    S+   19:01   0:00 grep --color=auto nginx

[root@localhost ~]# /etc/init.d/nginx stop
Stopping nginx (via systemctl):  [  OK  ]
[root@localhost ~]# ps aux | grep nginx
root     18195  0.0  0.0 112660   972 pts/1    S+   19:01   0:00 grep --color=auto nginx

[root@localhost ~]# service nginx start
Starting nginx (via systemctl):  [  確定  ]
[root@localhost ~]# ps aux | grep nginx
root     18234  0.0  0.0  46272  1124 ?        Ss   19:02   0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nobody   18235  0.6  0.0  46708  1916 ?        S    19:02   0:00 nginx: worker process
root     18238  0.0  0.0 112660   972 pts/1    S+   19:02   0:00 grep --color=auto nginx

[root@localhost ~]# service nginx stop
Stopping nginx (via systemctl):  [  確定  ]
[root@localhost ~]# ps aux | grep nginx
root     18271  0.0  0.0 112660   976 pts/1    S+   19:02   0:00 grep --color=auto nginx

Nginx + Naxsi 基本配置

---

• Naxsi 目錄下的 naxsi_core.rules 拷貝至 nginx.conf 所在目錄

cp /usr/local/naxsi/naxsi_config/naxsi_core.rules /etc/nginx/naxsi_core.rules

• 配置 nginx.conf 在 http 部分，引用 naxsi_core.rules

http {
    inclued       naxsi_core.rules;
    ...
}

• 配置 server 部分，開啓 naxsi

location / {
   #開啓 naxsi
   SecRulesEnabled;
   #開啓學習模式的location，請求不能被block
   #LearningMode;
   #定義阻止請求的位置
   DeniedUrl "/50x.html"; 
   #CheckRules, 確定 naxsi 何時採取行動
   CheckRule "$SQL >= 8" BLOCK;
   CheckRule "$RFI >= 8" BLOCK;
   CheckRule "$TRAVERSAL >= 4" BLOCK;
   CheckRule "$EVADE >= 4" BLOCK;
   CheckRule "$XSS >= 8" BLOCK;
   #naxsi 日誌文件
   error_log /var/log/nginx/security.log;
   ...
  }

• 重啓 nginx: service nginx restart
• 關閉 CentOS 的 防火牆: systemctl stop firewalld
• 訪問 http://server.ip:server.port/?test=<>
  
• 查看 /var/log/nginx/security.log

2018/05/07 20:08:47 [error] 18671#0: *30 NAXSI_FMT: ip=xxx.xxx.xxx.xxx&server=172.16.2.17&uri=/&learning=0&vers=0.56&total_processed=2&total_blocked=2&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=test, client: xxx.xxx.xxx.xxx, server: , request: "GET /?test=%3C%3E HTTP/1.1", host: "172.16.2.17"

安裝 ElasticSearch

---

• 安裝依賴 java 1.8: yum install java-1.8.0-openjdk.x86_64

[root@localhost ~]# java -version
openjdk version "1.8.0_161"
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)

• 從官網下載 elasticsearch 安裝包 (到目前5/9/2018，nxapi支持的版本爲 ES 5.4.0, 比這個新的版本會報錯): wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.tar.gz
• 解壓縮: tar -vxf elasticsearch-5.4.0.tar.gz
• ElasticSearch 不能使用 root 用戶運行，因此建立新的用戶和組

groupadd elasticsearch
useradd -g elasticsearch elasticsearch
chown -R elasticsearch:elasticsearch elasticsearch-5.4.0

[root@localhost local]# ls -l
總用量 29372
drwxr-xr-x. 2 root          root                 6 11月  5 2016 bin
drwxr-xr-x. 9 elasticsearch elasticsearch      155 5月   8 14:51 elasticsearch-5.4.0
...

• 用戶切換到elasticsearch: su elasticsearch
• 修改 elasticsearch 配置文件:

[root@localhost local]# vi elasticsearch-5.4.0/config/elasticsearch.yml
# 修改 IP 地址
network.host: 127.0.0.1
# 修改 port
http.port: 9200

• cd elasticsearch-5.4.0/bin，運行./elasticsearch, 產生 ERROR

ERROR: [2] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

• 問題[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]虛擬內存太小
• 解決問題[2]: 用戶切換到root，修改/etc/sysctl.conf

[root@localhost bin]# vi /etc/sysctl.conf
vm.max_map_count=262144

• 執行sysctl -p, 用戶切換到elasticsearch, 重新執行./elasticsearch， 問題[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]解決

ERROR: [1] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]

• 問題 [1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]最大可創建文件數量太少
• 解決問題[1]: 用戶切換到root，修改/etc/security/limit.conf

[root@localhost bin]# vi /etc/security/limits.conf 
*               soft    nofile          65536
*               hard    nofile          65536

• 重啓，用戶切換到elasticsearch，重新運行./elasticsearch -d, 問題[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]解決，成功運行 ES
• 訪問localhost:9200

[root@localhost ~]# curl "localhost:9200"
{
  "name" : "H_vcJvG",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "d-jMp3O9Szq7nCQ7HHat2w",
  "version" : {
    "number" : "5.4.0",
    "build_hash" : "780f8c4",
    "build_date" : "2017-04-28T17:43:27.229Z",
    "build_snapshot" : false,
    "lucene_version" : "6.5.0"
  },
  "tagline" : "You Know, for Search"
}

• Elasticsearch 安裝成功

• 在 ES 中添加 nxapi index: curl -XPUT 'http://localhost:9200/nxapi/'

安裝 NXAPI

---

• 安裝 elasticsearch5 模塊: pip install elasticsearch5
  Python Elasticsearch 模塊默認爲版本6，爲防止出現兼容性問題， 選擇安裝 elasticsearch5 模塊: elasticsearch5 (5.5.2) - Python client for Elasticsearch

• 修改 nxapi 程序中的模塊引入部分

# 當前目錄
[root@localhost nxapi]# pwd
/usr/local/naxsi/nxapi

# 修改 nxtool.py
# 將 import elasticsearch 修改爲 import elasticsearch5 as elasticsearch
[root@localhost nxapi]# vi nxtool.py
import elasticsearch5 as elasticsearch

# 修改 nxparse.py
# 將 from elasticsearch.helpers import bulk 修改爲 from elasticsearch5.helpers import bulk
[root@localhost nxapi]# vi nxapi/nxparse.py
from elasticsearch5.helpers import bulk

# 修改 nxtypificator.py
# 將 from elasticsearch import Elasticsearch 修改爲 from elasticsearch5 import Elasticsearch
[root@localhost nxapi]# vi nxapi/nxtypificator.py
from elasticsearch5 import Elasticsearch

• 在/usr/local/naxsi/nxapi目錄下, 安裝 nxapi

python setup.py build
python setup.py install

• 查看安裝位置

[root@localhost nxapi]# whereis nxtool.py
nxtool: /usr/bin/nxtool.py
[root@localhost nxapi]# whereis nxapi.json
nxapi: /usr/local/etc/nxapi.json /usr/local/nxapi

• 向 ES 中導入 naxsi log：nxtool.py -c /usr/local/etc/nxapi.json --files=/var/log/nginx/security.log, 提示缺少 GeoIP 模塊

• 安裝 python GeoIP 模塊

yum install python-devel GeoIP-devel 
pip install geoip

• 重新向 ES 中導入 naxsi log：nxtool.py -c /usr/local/etc/nxapi.json --files=/var/log/nginx/security.log，錯誤提示

[root@localhost ~]# nxtool.py -c /usr/local/etc/nxapi.json --file=/var/log/nginx/security.log 
# size :1000
ERROR:root:Unable to load GeoIPdb.
Unable to get GeoIP

• 修改/usr/local/etc/nxapi.json “naxsi” 部分

 "naxsi" : {
     "rules_path" : "/etc/nginx/naxsi_core.rules",
     "template_path" : [ "/usr/local/nxapi/tpl/"],
     "geoipdb_path" : "/usr/local/nxapi/country2coords.txt"
     },

• 重新向 ES 中導入 naxsi log：nxtool.py -c /usr/local/etc/nxapi.json –files=/var/log/nginx/security.log，無錯誤提示

• 查看 naxsi log 是否導入成功: curl -XPOST "http://localhost:9200/nxapi/events/_search?pretty" -d '{}'

• 使用 nxtool.py 查看導入 ES 的 naxsi log

root@localhost nxapi]# nxtool.py -c /usr/local/etc/nxapi.json -x
# size :1000
# Whitelist(ing) ratio :
# false 50.0% (total:72/144)
# Top servers :
# 172.16.2.17 77.78% (total:56/72)
# localhost 22.22% (total:16/72)
# Top URI(s) :
# / 77.78% (total:56/72)
# /login.php 22.22% (total:16/72)
# Top Zone(s) :
# ARGS 100.0% (total:72/72)
# Top Peer(s) :
# 10.8.21.60 77.78% (total:56/72)
# 127.0.0.1 22.22% (total:16/72)

• 生成 whitelist: nxtool.py -c nxapi.json -s 172.16.2.17 -f --filter 'uri /' --slack, 錯誤提示u'Fielddata is disabled on text fields by default. Set fielddata=true on [id] ...

elasticsearch5.exceptions.RequestError: TransportError(400, u'search_phase_execution_exception', u'Fielddata is disabled on text fields by default. Set fielddata=true on [id] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.')

• 解決 fielddata=true問題： 將 text 類型的 fields fielddata置爲 true

PUT /nxapi/_mapping/<text_field_name>?update_all_types
{
"properties": {
"<text_field_name>": {
"type": "text",
"fielddata": true
}
}
}

通過 curl 發送 PUT 請求：

[root@localhost ~]# curl -H "content-type: application/json" -X PUT \
> -d '{ "properties": { "id": { "type": "text", "fielddata": true } } }' \
> "http://localhost:9200/nxapi/_mapping/id?update_all_types"
{"acknowledged":true}

• 重新生成 whitelist:

[root@localhost ~]# nxtool.py -c /usr/local/etc/nxapi.json -s 172.16.2.17 -f --filter 'uri /' --slack
# size :1000
#  template :/usr/local/nxapi/tpl/BODY/precise-id.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/BODY/site-wide-id.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/BODY/url-wide-id-BODY-NAME.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/BODY/url-wide-id.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/BODY/var_name-wide-id.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/ARGS/precise-id.tpl 
Nb of hits : 28
#  template matched, generating all rules.
5 whitelists ...
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1302) html open tag
#total hits 12
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1302 "mz:$URL:/|$ARGS_VAR:test";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1003) mysql comment (/*)
#total hits 6
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1003 "mz:$URL:/|$ARGS_VAR:test";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1003) mysql comment (/*)
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : text

BasicRule  wl:1003 "mz:$URL:/|$ARGS_VAR:text";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1303) html close tag
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1303 "mz:$URL:/|$ARGS_VAR:test";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1004) mysql comment (*/)
#total hits 2
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1004 "mz:$URL:/|$ARGS_VAR:test";
#  template :/usr/local/nxapi/tpl/ARGS/site-wide-id.tpl 
Nb of hits : 28
#  template matched, generating all rules.
4 whitelists ...
#msg: A generic, wide (id+zone) wl
#Rule (1302) html open tag
#total hits 12
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1302 "mz:ARGS";
#msg: A generic, wide (id+zone) wl
#Rule (1003) mysql comment (/*)
#total hits 10
#peers : 10.8.21.60
#uri : /
#var_name : test
#var_name : text

BasicRule  wl:1003 "mz:ARGS";
#msg: A generic, wide (id+zone) wl
#Rule (1303) html close tag
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1303 "mz:ARGS";
#msg: A generic, wide (id+zone) wl
#Rule (1004) mysql comment (*/)
#total hits 2
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1004 "mz:ARGS";
#  template :/usr/local/nxapi/tpl/ARGS/url-wide-id-NAME.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/ARGS/url-wide-id.tpl 
Nb of hits : 28
#  template matched, generating all rules.
4 whitelists ...
#msg: A generic whitelist, true for the whole uri
#Rule (1302) html open tag
#total hits 12
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1302 "mz:$URL:/|ARGS";
#msg: A generic whitelist, true for the whole uri
#Rule (1003) mysql comment (/*)
#total hits 10
#peers : 10.8.21.60
#uri : /
#var_name : test
#var_name : text

BasicRule  wl:1003 "mz:$URL:/|ARGS";
#msg: A generic whitelist, true for the whole uri
#Rule (1303) html close tag
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1303 "mz:$URL:/|ARGS";
#msg: A generic whitelist, true for the whole uri
#Rule (1004) mysql comment (*/)
#total hits 2
#peers : 10.8.21.60
#uri : /
#var_name : test

BasicRule  wl:1004 "mz:$URL:/|ARGS";
#  template :/usr/local/nxapi/tpl/URI/global-url-0x_in_pircutres.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/URI/site-wide-id.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/URI/url-wide-id.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/APPS/google_analytics-ARGS.tpl 
Nb of hits : 0
#  template :/usr/local/nxapi/tpl/HEADERS/cookies.tpl 
Nb of hits : 0

安裝 Kibana

---

• 從官網下載kibana: wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-linux-x86_64.tar.gz, 注意： Kibana 版本號需要與 Elasticsearch 一致
• 解壓縮: tar -vxf kibana-5.4.0-linux-x86_64.tar.gz
• 修改配置文件kibana-5.4.0-linux-x86_64/config/kibana.yml

[root@localhost config]# vi kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"
# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://localhost:9200"

• 運行kibana: [root@localhost config]# ../bin/kibana

• 訪問成功
  

• 將 index pattern 配置成 nxapi

• 點擊 Discover，如果沒有數據，則點擊右上角的 time picker，修改 time range

---

P.S. 我的簡書連接 https://www.jianshu.com/u/15af6668f47b