Step 9 - Install the NGINX Plus and App Protect packages manually
In this module, we will manually install the NGINX Plus and NGINX App Protect packages on CentOS from the official repository.
Warning
NGINX Plus private key and cert are already installed on the CentOS. Don’t share them.
Steps:

1. SSH to the App Protect CentOS VM.

2. Add the NGINX Plus repository by downloading the file nginx-plus-7.repo to /etc/yum.repos.d:

       sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo

3. Install the most recent version of the NGINX Plus App Protect package (which includes NGINX Plus):

       sudo yum install -y app-protect

4. Check the NGINX binary version to ensure that NGINX Plus is installed correctly:

       sudo nginx -v

5. Configure the nginx.conf file. Rename the existing nginx.conf to nginx.conf.old and create a new one:

       cd /etc/nginx/
       sudo mv nginx.conf nginx.conf.old
       sudo vi nginx.conf

6. Paste the configuration below into nginx.conf and save it:

       user nginx;
       worker_processes auto;
       error_log /var/log/nginx/error.log notice;
       pid /var/run/nginx.pid;

       load_module modules/ngx_http_app_protect_module.so;

       events {
           worker_connections 1024;
       }

       http {
           include /etc/nginx/mime.types;
           default_type application/octet-stream;
           sendfile on;
           keepalive_timeout 65;

           log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                           '$status $body_bytes_sent "$http_referer" '
                           '"$http_user_agent" "$http_x_forwarded_for"';
           access_log /var/log/nginx/access.log main;

           server {
               listen 80;
               server_name localhost;
               proxy_http_version 1.1;

               app_protect_enable on;
               app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json";
               app_protect_security_log_enable on;
               app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144;

               location / {
                   resolver 10.1.1.9;
                   resolver_timeout 5s;
                   client_max_body_size 0;
                   default_type text/html;
                   proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
               }
           }
       }

7. Create the log configuration file log-default.json (still in /etc/nginx/):

       sudo vi log-default.json

8. Paste the configuration below into log-default.json and save it:

       {
           "filter": {
               "request_type": "all"
           },
           "content": {
               "format": "default",
               "max_request_size": "any",
               "max_message_size": "5k"
           }
       }

9. Temporarily make SELinux permissive globally (https://www.nginx.com/blog/using-nginx-plus-with-selinux). Keep in mind that setenforce 0 does not survive a reboot and relaxes confinement for the whole host, so put SELinux back into enforcing mode (sudo setenforce 1) once a proper policy for NGINX Plus and App Protect is in place.

       sudo setenforce 0

10. Start the NGINX service:

       sudo systemctl start nginx

11. Check that everything is running:

       less /var/log/nginx/error.log

    You should see output similar to this:

       2020/05/22 09:13:20 [notice] 6195#6195: APP_PROTECT { "event": "configuration_load_start", "configSetFile": "/opt/app_protect/config/config_set.json" }
       2020/05/22 09:13:20 [notice] 6195#6195: APP_PROTECT policy 'app_protect_default_policy' from: /etc/nginx/NginxDefaultPolicy.json compiled successfully
       2020/05/22 09:13:20 [notice] 6195#6195: APP_PROTECT { "event": "configuration_load_success", "software_version": "2.52.1", "attack_signatures_package":{"revision_datetime":"2019-07-16T12:21:31Z"},"completed_successfully":true}
       2020/05/22 09:13:20 [notice] 6195#6195: using the "epoll" event method
       2020/05/22 09:13:20 [notice] 6195#6195: nginx/1.17.9 (nginx-plus-r21)
       2020/05/22 09:13:20 [notice] 6195#6195: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
       2020/05/22 09:13:20 [notice] 6195#6195: OS: Linux 3.10.0-1127.8.2.el7.x86_64
       2020/05/22 09:13:20 [notice] 6195#6195: getrlimit(RLIMIT_NOFILE): 1024:4096
       2020/05/22 09:13:20 [notice] 6203#6203: start worker processes
       2020/05/22 09:13:20 [notice] 6203#6203: start worker process 6205
       2020/05/22 09:13:26 [notice] 6205#6205: APP_PROTECT { "event": "waf_connected", "enforcer_thread_id": 0, "worker_pid": 6205, "mode": "operational", "mode_changed": false}
Note
Congrats, your CentOS instance is now protecting the Arcadia application.
Note
You may notice we used exactly the same log-default.json and nginx.conf files as in the Docker lab.
Now, try it from the Jumphost.

Steps:

1. RDP to the Jumphost with the credentials user:user.

2. Open Chrome and click Arcadia NAP CentOS.

3. Run the same tests as in the Docker lab and check the logs in Kibana.
The next step is to install the latest Attack Signatures package.

Steps:

1. Add the NGINX Plus App Protect signatures repository by downloading the file app-protect-signatures-7.repo to /etc/yum.repos.d:

       sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-signatures-7.repo

2. Update the attack signatures:

       sudo yum install -y app-protect-attack-signatures

3. To install a specific version, first list the available versions:

       sudo yum --showduplicates list app-protect-attack-signatures

   To upgrade to a specific version:

       sudo yum install -y app-protect-attack-signatures-2020.04.30

   To downgrade to a specific version:

       sudo yum downgrade app-protect-attack-signatures-2019.07.16

4. Reload the NGINX process to apply the new signatures:

       sudo nginx -s reload

5. Check the new signatures package date:

       less /var/log/nginx/error.log
Note
Upgrading App Protect does not install new Attack Signatures. You will get the same Attack Signature release after upgrading App Protect. If you want to also upgrade the Attack Signatures, you will have to explicitly update them by the respective command above.
The last step is to install the Threat Campaigns package.
Note
The App Protect installation does not come with a built-in Threat Campaigns package the way it does with Attack Signatures. Threat Campaigns updates are released periodically whenever new campaigns and vectors are discovered, so you might want to update your Threat Campaigns from time to time. You can upgrade the Threat Campaigns by updating the package any time after installing App Protect. We recommend you upgrade to the latest Threat Campaigns version right after installing App Protect.
Note
After updating the Threat Campaigns package you have to reload the configuration for the new version of the Threat Campaigns to take effect. Until then App Protect keeps running with the old version, if one exists. This is useful when building an environment around a specific tested version of the Threat Campaigns.
Steps:

1. The repository has already been added, so there is no need to add it again: Threat Campaigns and Attack Signatures use the same repository (https://cs.nginx.com/static/files/app-protect-signatures-7.repo).

2. Install the package:

       sudo yum install app-protect-threat-campaigns

3. Reload the NGINX process to apply the new Threat Campaigns package:

       sudo nginx -s reload

4. Check the new Threat Campaigns package date:

       less /var/log/nginx/error.log
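Paging through error.log with less works, but it is easy to read a stale load event by mistake. The following is an added example (not part of the lab and not NGINX's own tooling): a POSIX shell script that pulls the most recent APP_PROTECT configuration_load_success event out of the error log, checks that it completed, and prints the software version and the Attack Signatures and Threat Campaigns revision dates that are actually in effect. It serves all three "check the error log" steps above (after the initial start, after the signatures reload, and after the Threat Campaigns reload). The sample log embedded in the script is constructed from the lab's own output plus a second, made-up load event; the threat_campaigns_package key and the 2020-04-30 / 2020-05-14 revision timestamps are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example (not part of the lab): summarise the latest App Protect
# configuration load from the NGINX error log. Assumes the line format shown
# in the lab output: "... APP_PROTECT { "event": ..., ...json... }".
# The threat_campaigns_package key is assumed (the lab output only shows
# attack_signatures_package).

# Constructed sample log for a stand-alone run. Two loads are recorded: the
# initial start from the lab, then a later reload after installing newer
# signatures and a Threat Campaigns package (made-up revision timestamps).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2020/05/22 09:13:20 [notice] 6195#6195: APP_PROTECT { "event": "configuration_load_start", "configSetFile": "/opt/app_protect/config/config_set.json" }
2020/05/22 09:13:20 [notice] 6195#6195: APP_PROTECT policy 'app_protect_default_policy' from: /etc/nginx/NginxDefaultPolicy.json compiled successfully
2020/05/22 09:13:20 [notice] 6195#6195: APP_PROTECT { "event": "configuration_load_success", "software_version": "2.52.1", "attack_signatures_package":{"revision_datetime":"2019-07-16T12:21:31Z"},"completed_successfully":true}
2020/05/22 09:13:26 [notice] 6205#6205: APP_PROTECT { "event": "waf_connected", "enforcer_thread_id": 0, "worker_pid": 6205, "mode": "operational", "mode_changed": false}
2020/05/23 10:00:01 [notice] 7001#7001: APP_PROTECT { "event": "configuration_load_success", "software_version": "2.52.1", "attack_signatures_package":{"revision_datetime":"2020-04-30T11:02:55Z"},"threat_campaigns_package":{"revision_datetime":"2020-05-14T08:10:00Z"},"completed_successfully":true}
EOF

# Print the most recent configuration_load_success line of a log file
# (empty output if there is none). Every reload logs a new one, so the
# last line reflects the packages actually being enforced.
last_load_success() {
    grep 'APP_PROTECT.*"event": *"configuration_load_success"' "$1" | tail -n 1
}

# Print the string value of a top-level "key": "value" pair found in $2.
json_string() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Print the revision_datetime of a package object such as
# "attack_signatures_package":{"revision_datetime":"..."} found in $2.
package_revision() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *{ *\"revision_datetime\": *\"\([^\"]*\)\".*/\1/p"
}

# Succeed only if the load event reports completed_successfully:true.
load_completed() {
    printf '%s\n' "$1" | grep -q '"completed_successfully": *true'
}

# Succeed only if a worker reported the enforcer connected in operational mode.
waf_operational() {
    grep -q 'APP_PROTECT.*"event": *"waf_connected".*"mode": *"operational"' "$1"
}

# Human-readable summary; returns 1 if App Protect never loaded successfully.
app_protect_status() {
    ap_log="$1"
    ap_line="$(last_load_success "$ap_log")"
    if [ -z "$ap_line" ]; then
        echo "no configuration_load_success event in $ap_log" >&2
        return 1
    fi
    if ! load_completed "$ap_line"; then
        echo "last configuration load did not complete successfully" >&2
        return 1
    fi
    ap_tc="$(package_revision threat_campaigns_package "$ap_line")"
    echo "loaded at:          $(printf '%s\n' "$ap_line" | cut -d' ' -f1,2)"
    echo "software version:   $(json_string software_version "$ap_line")"
    echo "attack signatures:  $(package_revision attack_signatures_package "$ap_line")"
    echo "threat campaigns:   ${ap_tc:-not installed}"
    if waf_operational "$ap_log"; then
        echo "enforcer:           connected (operational)"
    else
        echo "enforcer:           no waf_connected event yet"
    fi
}

# Validate the configuration before reloading: if the new nginx.conf is
# broken, nginx -s reload keeps the old configuration running and the new
# packages are never applied.
safe_reload() {
    sudo nginx -t && sudo nginx -s reload
}

# Stand-alone demonstration on the constructed sample; on the lab VM run
# app_protect_status /var/log/nginx/error.log after each reload instead.
app_protect_status "$SAMPLE_LOG"
```

Because the script always takes the last configuration_load_success event, running it before and after sudo nginx -s reload makes the point of the note above visible: until the reload, the older revision dates are still reported, and the newly installed package is not yet enforced.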
Note
We don’t spend more time on Threat Campaigns in this lab, as they were already covered in the Docker lab (Class 2 - Step 5).
Video of this module (force HD 1080p in the video settings)