荒岛
openappsec是一款基于机器学习技术的开源WAF,它可以作为插件部署到Linux、Docker或Kubernetes环境中,并支持NGINX、Kong、APISIX、Envoy等云平台。
本文记录Linux(Debian 11)下的openappsec与NGINX的配置。如果你是别的Linux发行版,首先看这个支持列表,找对应的发行版和NGINX软件包版本。
例如当前Debian 11官方repo内的1.18.0-6.1+deb11u6在列表内就是支持的,软件包版本支持的话就意味着可以用全自动的方式来安装,非常方便:
如果你的NGINX软件包还不在支持列表的话就需要自己编译了,本文暂不考虑这种情况。有机会再补充编译安装的方式。
下载安装程序:
wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install一键自动安装:
./open-appsec-install --auto安装完成后,首先要做的是更换高级机器学习模型,默认的模型不适用于生产环境,请访问open-appsec门户网站,注册账号,下载高级模型的压缩包,将其上传到服务器。
更换模型前先停止agent运行:
open-appsec-ctl --stop-agent解压模型到/etc/cp/conf/waap目录:
tar -xzf open-appsec-advanced-model.tgz -C /etc/cp/conf/waap设置所有者:
chown -R root:root /etc/cp/conf/waap/waap.data再次启动agent:
open-appsec-ctl --start-agent编辑openappsec默认的配置文件:
nano /etc/cp/conf/local_policy.yaml注意这个配置文件目前有两个版本(v1beta1、v1beta2),目前新安装的默认都是用的v1beta2,并且官方也会逐步用v1beta2淘汰掉v1beta1。
下面这是我的配置,基于默认配置做的最小改动,其实也没啥好改的,因为开源版本限制了很多功能都不让用,哈哈。我甚至觉得如果你不想将每个主机(host)拆开管理(specificRules)的话,就用默认配置都行。
建议先用detect-learn模式跑7-14天降低误报率,然后将模式改为prevent-learn。如果到时候还有误报就得自己额外搓exceptions了(类似于白名单的东西)。
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: v1beta2
policies:
default:
# start in detect-learn and move to prevent-learn based on learning progress
mode: detect-learn
threatPreventionPractices: [default-threat-prevention-practice]
accessControlPractices: [default-access-control-practice]
customResponses: default-web-user-response
triggers: [default-log-trigger]
sourceIdentifiers: ""
trustedSources: ""
exceptions: []
specificRules:
- host: "example.com"
mode: detect-learn
threatPreventionPractices: [default-threat-prevention-practice]
accessControlPractices: [default-access-control-practice]
customResponse: default-web-user-response
triggers: [default-log-trigger]
sourceIdentifiers: ""
trustedSources: ""
- host: "www.example.com"
mode: detect-learn
threatPreventionPractices: [default-threat-prevention-practice]
accessControlPractices: [default-access-control-practice]
customResponse: default-web-user-response
triggers: [default-log-trigger]
sourceIdentifiers: ""
trustedSources: ""
threatPreventionPractices:
- name: default-threat-prevention-practice
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
schemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
accessControlPractices:
- name: default-access-control-practice
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
logTriggers:
- name: default-log-trigger
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: true
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: false
logToAgent: true
stdout:
format: json
customResponses:
- name: default-web-user-response
mode: response-code-only
httpResponseCode: 403所有配置选项的含义和具体用法可参考官方的文档。
对配置文件进行更改后,要使更改生效,必须应用新策略:
open-appsec-ctl --apply-policy查看运行状态:
open-appsec-ctl --status确保所有状态都是running:
查看日志:
open-appsec-ctl --view-logs实际日志文件的路径位于:
/var/log/nano-agent/CP-nano-http-transaction-handler.log(number)这个官方的CLI工具看日志非常不利于人类阅读,可以安装个jq:
apt install jq然后这样看:
tail -f /var/log/nano_agent/cp-nano-http-transaction-handler.log2 | jq
