Platform: CentOS 7 -- Linux localhost.localdomain 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
安裝依賴
- 安裝 libssl:
yum install openssl-devel.x86_64 - 安裝 libpcre:
yum install pcre-devel.x86_64 - 安裝 zlib (系統(tǒng)默認(rèn)已安裝)
- 安裝 gzip (系統(tǒng)默認(rèn)已安裝)
安裝 Nginx + Naxsi
- 下載 Nginx:
wget http://nginx.org/download/nginx-1.13.12.tar.gz - 解壓縮:
tar -vzxf nginx-1.13.12.tar.gz - 下載 Naxsi:
git clone https://github.com/nbs-system/naxsi.git -
cd nginx-1.13.12, 編譯
./configure --conf-path=/etc/nginx/nginx.conf \
--add-module=../naxsi/naxsi_src/ \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--lock-path=/var/lock/nginx.lock \
--pid-path=/var/run/nginx.pid \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-http_flv_module \
--with-http_mp4_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
make && make install
- 安裝完成
[root@localhost local]# nginx -v
nginx version: nginx/1.13.12
- 查看 nginx 安裝位置
[root@localhost nginx]# whereis nginx
nginx: /usr/sbin/nginx /etc/nginx
- 編寫啟動(dòng)腳本
/etc/init.d/nginx
#!/bin/bash
# nginx Startup script for the Nginx HTTP Server
# it is v.0.0.2 version.
# chkconfig: - 85 15
# description: Nginx is a high-performance web and proxy server.
# It has a lot of features, but it's not for everyone.
# processname: nginx
# pidfile: /run/nginx.pid
# config: /etc/nginx/nginx.conf -> 根據(jù)具體安裝位置填寫
# 根據(jù)具體安裝位置填寫
nginxd=/usr/sbin/nginx
# config
nginx_config=/etc/nginx/nginx.conf
# CentOS PID 文件放在 /run/ 下
nginx_pid==/run/nginx.pid
RETVAL=0
prog="nginx"
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -x $nginxd ] || exit 0
# Start nginx daemons functions.
start() {
if [ -e $nginx_pid ];then
echo "nginx already running...."
exit 1
fi
echo -n $"Starting $prog: "
daemon $nginxd -c ${nginx_config}
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch /var/lock/subsys/nginx
return $RETVAL
}
# Stop nginx daemons functions.
stop() {
echo -n $"Stopping $prog: "
killproc $nginxd
RETVAL=$?
echo
# 注意修改 PID 文件位置
[ $RETVAL = 0 ] && rm -f /var/lock/subsys/nginx /run/nginx.pid
}
# reload nginx service functions.
reload() {
echo -n $"Reloading $prog: "
#kill -HUP `cat ${nginx_pid}`
killproc $nginxd -HUP
RETVAL=$?
echo
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
stop
start
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $prog {start|stop|restart|reload|status|help}"
exit 1
esac
exit $RETVAL
- 設(shè)置執(zhí)行權(quán)限:
chmod a+x /etc/init.d/nginx - 注冊成服務(wù):
chkconfig --add nginx - 啟動(dòng)/關(guān)閉 nginx 服務(wù)
[root@localhost ~]# /etc/init.d/nginx start
Starting nginx (via systemctl): [ OK ]
[root@localhost ~]# ps aux | grep nginx
root 18150 0.0 0.0 46272 1136 ? Ss 19:01 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nobody 18151 0.0 0.0 46708 1924 ? S 19:01 0:00 nginx: worker process
root 18167 0.0 0.0 112660 976 pts/1 S+ 19:01 0:00 grep --color=auto nginx
[root@localhost ~]# /etc/init.d/nginx stop
Stopping nginx (via systemctl): [ OK ]
[root@localhost ~]# ps aux | grep nginx
root 18195 0.0 0.0 112660 972 pts/1 S+ 19:01 0:00 grep --color=auto nginx
[root@localhost ~]# service nginx start
Starting nginx (via systemctl): [ 確定 ]
[root@localhost ~]# ps aux | grep nginx
root 18234 0.0 0.0 46272 1124 ? Ss 19:02 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nobody 18235 0.6 0.0 46708 1916 ? S 19:02 0:00 nginx: worker process
root 18238 0.0 0.0 112660 972 pts/1 S+ 19:02 0:00 grep --color=auto nginx
[root@localhost ~]# service nginx stop
Stopping nginx (via systemctl): [ 確定 ]
[root@localhost ~]# ps aux | grep nginx
root 18271 0.0 0.0 112660 976 pts/1 S+ 19:02 0:00 grep --color=auto nginx
Nginx + Naxsi 基本配置
- Naxsi 目錄下的 naxsi_core.rules 拷貝至 nginx.conf 所在目錄
cp /usr/local/naxsi/naxsi_config/naxsi_core.rules /etc/nginx/naxsi_core.rules
- 配置 nginx.conf 在 http 部分,引用 naxsi_core.rules
http {
inclued naxsi_core.rules;
...
}
- 配置 server 部分笑跛,開啟 naxsi
location / {
#開啟 naxsi
SecRulesEnabled;
#開啟學(xué)習(xí)模式的location,請求不能被block
#LearningMode;
#定義阻止請求的位置
DeniedUrl "/50x.html";
#CheckRules, 確定 naxsi 何時(shí)采取行動(dòng)
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
#naxsi 日志文件
error_log /var/log/nginx/security.log;
...
}
- 重啟 nginx: service nginx restart
- 關(guān)閉 CentOS 的 防火墻:
systemctl stop firewalld - 訪問
http://server.ip:server.port/?test=<>
http://server.ip:server.port/?test=<> - 查看
/var/log/nginx/security.log
2018/05/07 20:08:47 [error] 18671#0: *30 NAXSI_FMT: ip=xxx.xxx.xxx.xxx&server=172.16.2.17&uri=/&learning=0&vers=0.56&total_processed=2&total_blocked=2&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=test, client: xxx.xxx.xxx.xxx, server: , request: "GET /?test=%3C%3E HTTP/1.1", host: "172.16.2.17"
安裝 ElasticSearch
- 安裝依賴 java 1.8:
yum install java-1.8.0-openjdk.x86_64
[root@localhost ~]# java -version
openjdk version "1.8.0_161"
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
- 從官網(wǎng)下載 elasticsearch 安裝包 (到目前5/9/2018,nxapi支持的版本為 ES 5.4.0, 比這個(gè)新的版本會(huì)報(bào)錯(cuò)):
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.tar.gz - 解壓縮:
tar -vxf elasticsearch-5.4.0.tar.gz - ElasticSearch 不能使用 root 用戶運(yùn)行,因此建立新的用戶和組
groupadd elasticsearch
useradd -g elasticsearch elasticsearch
chown -R elasticsearch:elasticsearch elasticsearch-5.4.0
[root@localhost local]# ls -l
總用量 29372
drwxr-xr-x. 2 root root 6 11月 5 2016 bin
drwxr-xr-x. 9 elasticsearch elasticsearch 155 5月 8 14:51 elasticsearch-5.4.0
...
- 用戶切換到elasticsearch:
su elasticsearch - 修改 elasticsearch 配置文件:
[root@localhost local]# vi elasticsearch-5.4.0/config/elasticsearch.yml
# 修改 IP 地址
network.host: 127.0.0.1
# 修改 port
http.port: 9200
-
cd elasticsearch-5.4.0/bin怕轿,運(yùn)行./elasticsearch, 產(chǎn)生 ERROR
ERROR: [2] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
- 問題
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]虛擬內(nèi)存太小 - 解決問題
[2]: 用戶切換到root田盈,修改/etc/sysctl.conf
[root@localhost bin]# vi /etc/sysctl.conf
vm.max_map_count=262144
- 執(zhí)行
sysctl -p, 用戶切換到elasticsearch, 重新執(zhí)行./elasticsearch, 問題[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]解決
ERROR: [1] bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
- 問題
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]最大可創(chuàng)建文件數(shù)量太少 - 解決問題
[1]: 用戶切換到root息拜,修改/etc/security/limit.conf
[root@localhost bin]# vi /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
- 重啟,用戶切換到elasticsearch净响,重新運(yùn)行
./elasticsearch -d, 問題[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]解決少欺,成功運(yùn)行 ES - 訪問
localhost:9200
[root@localhost ~]# curl "localhost:9200"
{
"name" : "H_vcJvG",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "d-jMp3O9Szq7nCQ7HHat2w",
"version" : {
"number" : "5.4.0",
"build_hash" : "780f8c4",
"build_date" : "2017-04-28T17:43:27.229Z",
"build_snapshot" : false,
"lucene_version" : "6.5.0"
},
"tagline" : "You Know, for Search"
}
Elasticsearch 安裝成功
在 ES 中添加 nxapi index:
curl -XPUT 'http://localhost:9200/nxapi/'
安裝 NXAPI
安裝 elasticsearch5 模塊:
pip install elasticsearch5
Python Elasticsearch 模塊默認(rèn)為版本6,為防止出現(xiàn)兼容性問題馋贤, 選擇安裝 elasticsearch5 模塊:elasticsearch5 (5.5.2) - Python client for Elasticsearch修改 nxapi 程序中的模塊引入部分
# 當(dāng)前目錄
[root@localhost nxapi]# pwd
/usr/local/naxsi/nxapi
# 修改 nxtool.py
# 將 import elasticsearch 修改為 import elasticsearch5 as elasticsearch
[root@localhost nxapi]# vi nxtool.py
import elasticsearch5 as elasticsearch
# 修改 nxparse.py
# 將 from elasticsearch.helpers import bulk 修改為 from elasticsearch5.helpers import bulk
[root@localhost nxapi]# vi nxapi/nxparse.py
from elasticsearch5.helpers import bulk
# 修改 nxtypificator.py
# 將 from elasticsearch import Elasticsearch 修改為 from elasticsearch5 import Elasticsearch
[root@localhost nxapi]# vi nxapi/nxtypificator.py
from elasticsearch5 import Elasticsearch
- 在
/usr/local/naxsi/nxapi目錄下, 安裝 nxapi
python setup.py build
python setup.py install
- 查看安裝位置
[root@localhost nxapi]# whereis nxtool.py
nxtool: /usr/bin/nxtool.py
[root@localhost nxapi]# whereis nxapi.json
nxapi: /usr/local/etc/nxapi.json /usr/local/nxapi
向 ES 中導(dǎo)入 naxsi log:
nxtool.py -c /usr/local/etc/nxapi.json --files=/var/log/nginx/security.log, 提示缺少 GeoIP 模塊安裝 python GeoIP 模塊
yum install python-devel GeoIP-devel
pip install geoip
- 重新向 ES 中導(dǎo)入 naxsi log:
nxtool.py -c /usr/local/etc/nxapi.json --files=/var/log/nginx/security.log赞别,錯(cuò)誤提示
[root@localhost ~]# nxtool.py -c /usr/local/etc/nxapi.json --file=/var/log/nginx/security.log
# size :1000
ERROR:root:Unable to load GeoIPdb.
Unable to get GeoIP
- 修改
/usr/local/etc/nxapi.json"naxsi" 部分
"naxsi" : {
"rules_path" : "/etc/nginx/naxsi_core.rules",
"template_path" : [ "/usr/local/nxapi/tpl/"],
"geoipdb_path" : "/usr/local/nxapi/country2coords.txt"
},
重新向 ES 中導(dǎo)入 naxsi log:nxtool.py -c /usr/local/etc/nxapi.json --files=/var/log/nginx/security.log,無錯(cuò)誤提示
查看 naxsi log 是否導(dǎo)入成功:
curl -XPOST "http://localhost:9200/nxapi/events/_search?pretty" -d '{}'使用
nxtool.py查看導(dǎo)入 ES 的 naxsi log
root@localhost nxapi]# nxtool.py -c /usr/local/etc/nxapi.json -x
# size :1000
# Whitelist(ing) ratio :
# false 50.0% (total:72/144)
# Top servers :
# 172.16.2.17 77.78% (total:56/72)
# localhost 22.22% (total:16/72)
# Top URI(s) :
# / 77.78% (total:56/72)
# /login.php 22.22% (total:16/72)
# Top Zone(s) :
# ARGS 100.0% (total:72/72)
# Top Peer(s) :
# 10.8.21.60 77.78% (total:56/72)
# 127.0.0.1 22.22% (total:16/72)
- 生成 whitelist:
nxtool.py -c nxapi.json -s 172.16.2.17 -f --filter 'uri /' --slack, 錯(cuò)誤提示u'Fielddata is disabled on text fields by default. Set fielddata=true on [id] ...
elasticsearch5.exceptions.RequestError: TransportError(400, u'search_phase_execution_exception', u'Fielddata is disabled on text fields by default. Set fielddata=true on [id] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.')
- 解決
fielddata=true問題: 將 text 類型的 fields fielddata置為 true
PUT /nxapi/_mapping/<text_field_name>?update_all_types
{
"properties": {
"<text_field_name>": {
"type": "text",
"fielddata": true
}
}
}
通過 curl 發(fā)送 PUT 請求:
[root@localhost ~]# curl -H "content-type: application/json" -X PUT \
> -d '{ "properties": { "id": { "type": "text", "fielddata": true } } }' \
> "http://localhost:9200/nxapi/_mapping/id?update_all_types"
{"acknowledged":true}
- 重新生成 whitelist:
[root@localhost ~]# nxtool.py -c /usr/local/etc/nxapi.json -s 172.16.2.17 -f --filter 'uri /' --slack
# size :1000
# template :/usr/local/nxapi/tpl/BODY/precise-id.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/BODY/site-wide-id.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/BODY/url-wide-id-BODY-NAME.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/BODY/url-wide-id.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/BODY/var_name-wide-id.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/ARGS/precise-id.tpl
Nb of hits : 28
# template matched, generating all rules.
5 whitelists ...
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1302) html open tag
#total hits 12
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1302 "mz:$URL:/|$ARGS_VAR:test";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1003) mysql comment (/*)
#total hits 6
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1003 "mz:$URL:/|$ARGS_VAR:test";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1003) mysql comment (/*)
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : text
BasicRule wl:1003 "mz:$URL:/|$ARGS_VAR:text";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1303) html close tag
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1303 "mz:$URL:/|$ARGS_VAR:test";
#msg: A generic, precise wl tpl (url+var+id)
#Rule (1004) mysql comment (*/)
#total hits 2
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1004 "mz:$URL:/|$ARGS_VAR:test";
# template :/usr/local/nxapi/tpl/ARGS/site-wide-id.tpl
Nb of hits : 28
# template matched, generating all rules.
4 whitelists ...
#msg: A generic, wide (id+zone) wl
#Rule (1302) html open tag
#total hits 12
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1302 "mz:ARGS";
#msg: A generic, wide (id+zone) wl
#Rule (1003) mysql comment (/*)
#total hits 10
#peers : 10.8.21.60
#uri : /
#var_name : test
#var_name : text
BasicRule wl:1003 "mz:ARGS";
#msg: A generic, wide (id+zone) wl
#Rule (1303) html close tag
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1303 "mz:ARGS";
#msg: A generic, wide (id+zone) wl
#Rule (1004) mysql comment (*/)
#total hits 2
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1004 "mz:ARGS";
# template :/usr/local/nxapi/tpl/ARGS/url-wide-id-NAME.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/ARGS/url-wide-id.tpl
Nb of hits : 28
# template matched, generating all rules.
4 whitelists ...
#msg: A generic whitelist, true for the whole uri
#Rule (1302) html open tag
#total hits 12
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1302 "mz:$URL:/|ARGS";
#msg: A generic whitelist, true for the whole uri
#Rule (1003) mysql comment (/*)
#total hits 10
#peers : 10.8.21.60
#uri : /
#var_name : test
#var_name : text
BasicRule wl:1003 "mz:$URL:/|ARGS";
#msg: A generic whitelist, true for the whole uri
#Rule (1303) html close tag
#total hits 4
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1303 "mz:$URL:/|ARGS";
#msg: A generic whitelist, true for the whole uri
#Rule (1004) mysql comment (*/)
#total hits 2
#peers : 10.8.21.60
#uri : /
#var_name : test
BasicRule wl:1004 "mz:$URL:/|ARGS";
# template :/usr/local/nxapi/tpl/URI/global-url-0x_in_pircutres.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/URI/site-wide-id.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/URI/url-wide-id.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/APPS/google_analytics-ARGS.tpl
Nb of hits : 0
# template :/usr/local/nxapi/tpl/HEADERS/cookies.tpl
Nb of hits : 0
安裝 Kibana
- 從官網(wǎng)下載kibana:
wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-linux-x86_64.tar.gz, 注意: Kibana 版本號(hào)需要與 Elasticsearch 一致 - 解壓縮:
tar -vxf kibana-5.4.0-linux-x86_64.tar.gz - 修改配置文件
kibana-5.4.0-linux-x86_64/config/kibana.yml
[root@localhost config]# vi kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"
# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://localhost:9200"
運(yùn)行kibana:
[root@localhost config]# ../bin/kibana-
訪問成功安裝配置成功
將 index pattern 配置成 nxapi
-
點(diǎn)擊 Discover配乓,如果沒有數(shù)據(jù)仿滔,則點(diǎn)擊右上角的 time picker,修改 time range數(shù)據(jù)顯示
