Linux

Linux Installation Video

Please refer to the video below for installation on Linux - nginx.

Linux Installation Directory Structure

/usr/local/deepfinder
├── bin                           // Path for executables
│   ├── agent
│   ├── scanfile
│   ├── starter
│   ├── uninstall.sh
│   └── updater
├── certs                         // Path for pem key to be used for ssl communication
│   └── deepfinder.pem
├── conf                          // Path for configuration files
│   ├── config.xml
│   ├── file_md5.xml
│   └── web.xml                   // Created when installed with a WAS-specific script
├── lib                           // Path for libraries
│   ├── libfilter.so
│   ├── mod_deepfinder20.so
│   ├── mod_deepfinder22.so
│   ├── mod_deepfinder24.so
│   └── DfFilter.jar              // Created when installed with a WAS-specific script
├── log                           // Path for agent, filter logs
│   └── … .log
├── nginx                         // Path for nginx proxy, created when installed with nginx-specific script
│   ├── …
│   └── …
├── policy                        // Path for policy files
│   ├── policy.db
│   └── PREIP
│       ├── 100.xml
│       └── … .xml
└── tmp                           // Path for debug file creation
    └── …

Danger

When installing the DeepFinder Agent, the web server or WAS must be running for a successful installation.

Apache Agent Installation

1) Download the installation file
Download the DeepFinder Agent installation file from the repository.

[root@localhost ~]# wget download.deepfinder.co.kr/DeepFinder/1.0/DeepFinder.tar.gz

2) Decompress the file
Decompress the downloaded installation file.

[root@localhost ~]# tar xvfz DeepFinder.tar.gz

3) Check the installation script
Navigate into the decompressed directory and run the installation script.

[root@localhost ~]# cd DeepFinder
// Apache Install -> setup.sh
[root@localhost DeepFinder]# ./setup.sh
USAGE1 : ./setup.sh SERVER_IP AGENT_ID [ssl] [install_path] 
USAGE2 : ./setup.sh SERVER_IP AUTH_KEY [ssl] [install_path] 
// Default protocol tcp
// Default Path /usr/local/deepfinder

4) Run the script
After confirming the necessary information (Manager Server IP, Company/Domain Group Authentication Info), proceed with the installation.

[root@localhost DeepFinder]# ./setup.sh 1.1.1.1 611dd4300b91412e89xxxxxxxxxxx
************************************************************
SERVER IP : 1.1.1.1
AGENT ID : 611dd4300b91412e89xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SYSTEM KERNEL : 4.4
CHECK OS : Linux
CHECK LINUX : Amazon  Linux
CHECK SELinux : Disabled
CHECK OS BIT : x86_64 (64 bit)
DeepFinder install path : /usr/local/deepfinder
Starting DeepFinder Agent                           [  OK  ]
- Finished DeepFinder WAF Install
************************************************************

If the installation is successful, a completion message is displayed, and the web service is seamlessly and automatically updated.

5) Filter Configuration

Info

After the installation is complete, check if the following filter statement has been inserted at the bottom of httpd.conf.
If it has not been inserted, add the module information corresponding to your Apache version and then perform an 'apache graceful' to complete the web server filter application.

#Apache 2.0   LoadModule deepfinder_module /usr/local/deepfinder/lib/mod_deepfinder20.so
#Apache 2.2   LoadModule deepfinder_module /usr/local/deepfinder/lib/mod_deepfinder22.so
#Apache 2.4   LoadModule deepfinder_module /usr/local/deepfinder/lib/mod_deepfinder24.so

ex) Example of httpd.conf file with the DeepFinder filter statement inserted
[root@ip-172-26-3-39 ~]# tail /etc/httpd/conf/httpd.conf
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
LoadModule deepfinder_module /usr/local/deepfinder/lib/mod_deepfinder24.so
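
The filter check described above can be scripted. The following is an added example, not part of the DeepFinder installer: it picks the module file listed above for a given Apache version and appends the LoadModule line only when no active one exists. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not DeepFinder code). DF_LIB is the default install path
# from this page; all function names are hypothetical.
DF_LIB=/usr/local/deepfinder/lib

# Constructed sample: the tail of httpd.conf before the filter line is added.
df_sample_httpd_conf() {
    cat <<'EOF'
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
EOF
}

# Print the module file for an Apache version string such as "2.4.6".
df_module_for() {
    case "$1" in
        2.0|2.0.*) echo "$DF_LIB/mod_deepfinder20.so" ;;
        2.2|2.2.*) echo "$DF_LIB/mod_deepfinder22.so" ;;
        2.4|2.4.*) echo "$DF_LIB/mod_deepfinder24.so" ;;
        *) return 1 ;;            # the page lists no module for other versions
    esac
}

# Ensure conf ($1) loads the module matching Apache version ($2).
# Returns 0 when the correct line is present (or was appended),
# 1 for an unsupported version, 2 when a different or duplicate
# deepfinder LoadModule line is already active, 3 if the backup fails.
df_ensure_loadmodule() {
    conf=$1
    want=$(df_module_for "$2") || return 1
    # Only active lines count; "#Apache 2.4 LoadModule ..." is ignored.
    have=$(grep -E '^[[:space:]]*LoadModule[[:space:]]+deepfinder_module[[:space:]]' "$conf" \
           | awk '{print $3}')
    if [ -z "$have" ]; then
        cp -p "$conf" "$conf.bak" || return 3
        printf 'LoadModule deepfinder_module %s\n' "$want" >> "$conf"
        return 0
    fi
    [ "$have" = "$want" ] && return 0
    return 2                      # report the mismatch instead of editing
}
```

After a successful run, perform the 'apache graceful' described above so the web server picks up the module.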

Nginx Agent Installation

1) Download the installation file
Download the DeepFinder Agent installation file from the repository.

[root@localhost ~]# wget download.deepfinder.co.kr/DeepFinder/1.0/DeepFinder.tar.gz

2) Decompress the file
Decompress the downloaded installation file.

[root@localhost ~]# tar xvfz DeepFinder.tar.gz

3) Check the installation script
Navigate into the decompressed directory and run the installation script.

[root@localhost ~]# cd DeepFinder
// Nginx Install -> nginx.sh
[root@localhost DeepFinder]# ./nginx.sh
USAGE1 : ./nginx.sh SERVER_IP AGENT_ID [ssl] [install_path] 
USAGE2 : ./nginx.sh SERVER_IP AUTH_KEY [ssl] [install_path] 
// Default protocol tcp
// Default Path /usr/local/deepfinder

4) Run the script
After installing the dependencies, enter the Manager information (Manager Server IP, Company/Domain Group Authentication Info) to proceed with the Agent installation.
  • For Redhat-based installations
[root@localhost ~]# yum install gcc make pcre-devel openssl-devel zlib-devel
  • For Debian-based installations (when applying in Docker)
[root@localhost ~]# apt-get install gcc make libpcre3-dev libssl-dev zlib1g-dev libmagic1
  • For AWS Linux-based installations
[root@localhost ~]# yum install redhat-rpm-config
[root@localhost ~]# $DeepFinder/linux_x64/nginx/make_module
  • Nginx Installation
[root@localhost DeepFinder]# ./nginx.sh 1.1.1.1 c8b34ff005611dd4300b9141xxxxx
************************************************************
SERVER IP : 1.1.1.1
AUTH KEY : c8b34ff005611dd4300b91412e89xxxxxxxxxxxxxxxxxxxxxxxxxxxx
SYSTEM KERNEL : 2.6
CHECK OS : Linux
CHECK LINUX : CentOS  Linux
CHECK SELinux : Disabled
CHECK OS BIT : x86_64 (64 bit)
NGINX File Path : /usr/sbin/nginx
NGINX Version : 1.13.4
DeepFinder install path : /usr/local/deepfinder
Starting DeepFinder Agent                           [  OK  ]
Install NGINX Module : Please wait a moment..
Add to nginx.conf & configtest : ok
NEXT STEP : Reload nginx
/usr/sbin/nginx -s reload
- Finished DeepFinder WAF Install
************************************************************

5) Insert Nginx Module
If the Nginx configuration file is not registered in Linux, the following message will appear.
In this case, refer to the STEPS below to add the DeepFinder filter to your nginx.conf file and then reload.

STEP 1: Add to nginx.conf
load_module /usr/local/deepfinder/lib/ngx_http_deepfinder_module.so;
STEP 2: Check nginx configtest
/usr/local/nginx/sbin/nginx -t
STEP 3: Reload nginx
/usr/local/nginx/sbin/nginx -s reload
************************************************************
[root@localhost DeepFinder]# cd [Nginx DIR]/conf
[root@localhost conf]# vi nginx.conf
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

load_module /usr/local/deepfinder/lib/ngx_http_deepfinder_module.so;

events {
    worker_connections  1024;
}

[root@localhost conf]# /usr/sbin/nginx -s reload

6) Reload Nginx Service
Reload the Nginx service using the reload option.
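
Before reloading, the placement shown in the listing above (top level, ahead of the events block) can be checked with a short script. This is an added example, not part of the DeepFinder installer; the function names and status words are assumptions, and the sample configuration is constructed from the listing above.

```shell
#!/bin/sh
# Added example (not DeepFinder code): check where the DeepFinder load_module
# directive sits in an nginx.conf. Function names are hypothetical.

# Constructed sample modelled on the nginx.conf listing on this page,
# with one commented-out copy of the directive added for the test.
df_sample_nginx_conf() {
    cat <<'EOF'
#user  nobody;
worker_processes  1;
#load_module /usr/local/deepfinder/lib/ngx_http_deepfinder_module.so;
load_module /usr/local/deepfinder/lib/ngx_http_deepfinder_module.so;

events {
    worker_connections  1024;
}
EOF
}

# Prints ok | missing | duplicate | too-late and returns 0, 1, 2 or 3.
df_nginx_module_check() {
    awk -v mod="ngx_http_deepfinder_module.so" '
        /^[[:space:]]*#/ { next }                  # commented-out lines do not count
        index($0, "{") && !block { block = NR }    # first block opener (events, http, ...)
        $1 == "load_module" && index($0, mod) {
            count++
            if (block) late = 1                    # directive placed after a block started
        }
        END {
            if (count == 0) { print "missing";   exit 1 }
            if (count > 1)  { print "duplicate"; exit 2 }
            if (late)       { print "too-late";  exit 3 }
            print "ok"
        }' "$1"
}
```

Run it against the real nginx.conf first, then run the configtest (nginx -t) and reload from the steps above.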

WAS Agent Installation

1) Download the installation file
Download the DeepFinder Agent installation file from the repository.

[root@localhost ~]# wget download.deepfinder.co.kr/DeepFinder/1.0/DeepFinder.tar.gz

2) Decompress the file
Decompress the downloaded installation file.

[root@localhost ~]# tar xvfz DeepFinder.tar.gz

3) Check the installation script
Navigate into the decompressed directory and run the installation script that matches your WAS type.

WAS Type                                   Installation Script
Tomcat                                     Tomcat.sh
Jeus                                       Jeus.sh
Resin                                      Resin.sh
Other (Weblogic, JBoss, Websphere, etc.)   Agent.sh
[root@localhost ~]# cd DeepFinder
// Tomcat Install -> tomcat.sh
[root@localhost DeepFinder]# ./tomcat.sh
USAGE : ./tomcat.sh SERVER_IP AUTH_KEY [ssl] [install_path] 
// Default protocol tcp
// Default Path /usr/local/deepfinder

4) Run the script
After confirming the necessary information (Manager Server IP, Company/Domain Group Authentication Info), proceed with the installation.

[root@localhost DeepFinder]# ./tomcat.sh 1.1.1.1 ecd69098a3a6f2077cf5ffe6cxxxx
************************************************************
SERVER IP : 1.1.1.1
AUTH KEY : ecd69098a3a6f2077cf5ffe6ceb3f298dd59a4bab6d243f774afe538c518
SYSTEM KERNEL : 2.6
CHECK OS : Linux
CHECK LINUX : CentOS  Linux
CHECK SELinux : Disabled
CHECK OS BIT : x86_64 (64 bit)
DeepFinder install path : /usr/local/deepfinder
Starting DeepFinder Agent                       [  OK  ]
## Copy DfFilter.jar & Add WAS Conf file
cp /usr/local/deepfinder/lib/DfFilter.jar [Tomcat_DIR]/lib
vi [Tomcat_DIR]/conf/web.xml
  <filter>
    <filter-name>DfFilter</filter-name>
    <filter-class>com.df.filter.DfFilter</filter-class>
  <async-supported>true</async-supported>
</filter>
  <filter-mapping>
    <filter-name>DfFilter</filter-name>
        <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
  <servlet>
    <description></description>
    <display-name>DfError</display-name>
    <servlet-name>DfError</servlet-name>
    <servlet-class>com.df.servlet.DfError</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DfError</servlet-name>
    <url-pattern>/DfError</url-pattern>
  </servlet-mapping>
  <servlet>
    <description></description>
    <display-name>DfDeny</display-name>
    <servlet-name>DfDeny</servlet-name>
    <servlet-class>com.df.servlet.DfDeny</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DfDeny</servlet-name>
    <url-pattern>/DfDeny</url-pattern>
  </servlet-mapping>
- Finished DeepFinder WAF Install
************************************************************

5) Copy DfFilter Library (Only for Tomcat versions 7.0.29 and earlier)
Copy DfFilter.jar from the lib directory of the DeepFinder installation path (/usr/local/deepfinder/lib) to the WAS's lib path.

  • For Tomcat 7.0.29 and higher - Applying DfFilter.jar
    For Tomcat versions 7.0.29 and higher, the filter can be applied without the filter insertion step (5-1) below.
[root@df /]# cp /usr/local/deepfinder/lib/DfFilter.jar [Tomcat_DIR]/lib


  • For Jeus 7 and higher - Applying DfFilter.jar
    For Jeus versions 7 and higher, the filter can be applied without the filter insertion step (5-1) below.
    If the screen does not display correctly after application, please adjust the res_type.
[root@df /]# cp /usr/local/deepfinder/lib/DfFilter.jar [JEUS_DIR]/lib/system


  • For Resin 4.0.17 and higher - Applying DfFilter.jar
    For Resin versions 4.0.17 and higher, the filter can be applied without the filter insertion step (5-1) below.
[root@df /]# cp /usr/local/deepfinder/lib/DfFilter.jar [Resin_DIR]/webapp-jars


  • For WebLogic 12.1.3 and higher - Applying DfFilter.jar
    For WebLogic versions 12.1.3 and higher, the filter can be applied without the filter insertion step (5-1) below.
[root@df /]# cp /usr/local/deepfinder/lib/DfFilter.jar Oracle_Home/user_projects/domain/wlserver/lib


  • For GlassFish 3.1 and higher - Applying DfFilter.jar
    For GlassFish versions 3.1 and higher, the filter can be applied without the filter insertion step (5-1) below.
[root@df /]# cp /usr/local/deepfinder/lib/DfFilter.jar [GlassFish_DIR]/lib


5-1) Insert Filter
In the WAS conf directory, modify the file corresponding to web.xml as shown below. Insert the contents of /usr/local/deepfinder/conf/web.xml between the <web-app> tags in your web.xml file.
For the web.xml script, please refer to the WAS Filter Script.
  • Tomcat – Insert web.xml filter

[root@localhost ~]# cd [Tomcat_DIR]/conf
[root@localhost conf]# cp web.xml web.xml.bak
[root@localhost conf]# vi web.xml


  • Jeus – Insert webcommon.xml filter
    Jeus - If multiple Servlets are used during WAS installation, the DeepFinder filter must be inserted into the webcommon.xml file of each servlet. After inserting the filter, please verify that the web firewall is operating correctly for each Servlet. If the screen does not display correctly after application, adjust the res_type.
[root@df ~]# cd [Jeus_DIR]/config/servlet
[root@df conf]# cp webcommon.xml webcommon.xml.bak
[root@df conf]# vi webcommon.xml


  • Resin – Insert into app-default.xml then copy DfFilter.jar library
    For Weblogic, JBoss, WebSphere, and GlassFish WAS, DfFilter.jar must be added to each project (war file).
[root@localhost ~]# cd [Tomcat_DIR]/conf
[root@localhost conf]# cp web.xml web.xml.bak
[root@localhost conf]# vi web.xml


When applying to WebSphere, please modify wastype="WEBSPHERE" in the Agent's config.xml.

7) Reload Tomcat
Restart Tomcat.

[root@localhost ~]# [Tomcat_DIR]/bin/shutdown.sh
[root@localhost ~]# [Tomcat_DIR]/bin/startup.sh

Jeus Agent Installation

1) Download the installation file
Download the DeepFinder Agent installation file from the repository.

[root@localhost ~]# wget download.deepfinder.co.kr/DeepFinder/1.0/DeepFinder.tar.gz

2) Decompress the file
Decompress the downloaded installation file.

[root@localhost ~]# tar xvfz DeepFinder.tar.gz

3) Check the installation script
Navigate into the decompressed directory and run the installation script.

[root@localhost ~]# cd DeepFinder
// Jeus Install -> jeus.sh
[root@localhost DeepFinder]# ./jeus.sh
USAGE : ./jeus.sh SERVER_IP AUTH_KEY [ssl] [install_path] 
// Default protocol tcp
// Default Path /usr/local/deepfinder

4) Run the script
After confirming the necessary information (Manager Server IP, Company/Domain Group Authentication Info), proceed with the installation.

[root@localhost DeepFinder]# ./jeus.sh 1.1.1.1 ecd69098a3a6f2077cf5ffe6xxxx
************************************************************
SERVER IP : 1.1.1.1
AUTH KEY : ecd69098a3a6f2077cf5ffe6ceb3f298dd59a4bab6d243f774afe538c518
SYSTEM KERNEL : 2.6
CHECK OS : Linux
CHECK LINUX : CentOS  Linux
CHECK SELinux : Disabled
CHECK OS BIT : x86_64 (64 bit)
DeepFinder install path : /usr/local/deepfinder
Starting DeepFinder Agent                       [  OK  ]
## Modify JEUS Conf file
vi $jeus7/webcommon.xml
  <filter>
    <filter-name>DfFilter</filter-name>
    <filter-class>com.df.filter.DfFilter</filter-class>
</filter>
  <filter-mapping>
    <filter-name>DfFilter</filter-name>
        <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
  <servlet>
    <description></description>
    <display-name>DfError</display-name>
    <servlet-name>DfError</servlet-name>
    <servlet-class>com.df.servlet.DfError</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DfError</servlet-name>
    <url-pattern>/DfError</url-pattern>
  </servlet-mapping>
  <servlet>
    <description></description>
    <display-name>DfDeny</display-name>
    <servlet-name>DfDeny</servlet-name>
    <servlet-class>com.df.servlet.DfDeny</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DfDeny</servlet-name>
    <url-pattern>/DfDeny</url-pattern>
  </servlet-mapping>
- Finished DeepFinder WAF Install
************************************************************

5) Copy DfFilter Library
Copy DfFilter.jar from the lib directory of the DeepFinder installation path (/usr/local/deepfinder/lib) to the Jeus lib/system path.

[root@localhost ~]# cd /usr/local/deepfinder/lib
[root@localhost lib]# cp DfFilter.jar [JEUS_DIR]/lib/system

6) Insert Filter
In the conf directory of the Jeus installation path ([Jeus_DIR]/config/servlet/webcommon.xml), modify webcommon.xml as shown below.
※ In the case of Jeus WAS, multiple Servlets can be used, so the filter must be inserted into the webcommon.xml file of each servlet. After inserting the filter, please verify that the web firewall is operating correctly for each Servlet.

[root@localhost ~]# cd [Jeus_DIR]/config/servlet
[root@localhost conf]# cp webcommon.xml webcommon.xml.bak
[root@localhost conf]# vi webcommon.xml

Insert the Filter configuration statement between the <web-app> tags of [Jeus_DIR]/config/servlet/webcommon.xml.
For the web.xml script, please refer to the WAS Filter Script.


7) Reload Jeus
Restart Jeus.

[root@localhost ~]# [Jeus_DIR]/bin/jdown
[root@localhost ~]# [Jeus_DIR]/bin/jboot

Verifying the Linux Agent

Verifying Agent Connection

  • Check Agent Process
    Check if the Agent process is running correctly using the PS command.
[root@localhost ~]# ps -ef | grep deepfinder
root     14632     1  0 Jun21 ?        00:00:01 /usr/local/deepfinder/bin/starter
root     14906 14632  0 Jun27 ?        00:11:15 /usr/local/deepfinder/bin/agent
root     17272 23916  0 01:08 pts/3    00:00:00 grep --color=auto deepfinder
  • Check Agent Log
    Review the Agent Log to check for any errors.
[root@localhost ~]# cd /usr/local/deepfinder/log
[root@localhost log]# cat agent.log
2020-03-27  5:02:29 [AGENT] Init ---------------------------
2020-03-27  5:02:29 Connect Server [15.164.139.121:10012]
2020-03-27  5:02:29 Server Connected OK
2020-03-27  5:02:29 Agent Start
2020-03-27  5:02:29 [AGENT] Unique ID : 0A0177316C60
2020-03-27  5:02:29 Connect Server [15.164.139.121:10013]
2020-03-27  5:02:29 Server Connected OK
2020-03-27  5:02:29 [AGENT] Unique ID : 0A0177316C60
2020-03-27  5:02:29 ===== POLICY INSERT START =====
2020-03-27  5:02:29 AgentProperty [20] [OK]
2020-03-27  5:02:29 LogTypeSeq [54] [OK]
2020-03-27  5:02:29 PatternGroupSeq [51] [OK]
2020-03-27  5:02:29 PatternSeq [266] [OK]
2020-03-27  5:02:29 CountryInfoSeq [252] [OK]
2020-03-27  5:02:29 DomainPolicySeq [1] [OK]
2020-03-27  5:02:29 DomainPolicy [27]
2020-03-27  5:02:29 > DomainPolicy [27] : DomainSeq [0]
2020-03-27  5:02:29 > DomainPolicy [27] : BasePolicy
2020-03-27  5:02:29 > DomainPolicy [27] : LimitPolicy
2020-03-27  5:02:29 > DomainPolicy [27] : MethodPolicySeq [4]
2020-03-27  5:02:29 > DomainPolicy [27] : RequestUriPolicySeq [7]
2020-03-27  5:02:29 > DomainPolicy [27] : CookiePolicySeq [10]
2020-03-27  5:02:29 > DomainPolicy [27] : HeadNamePolicySeq [4]
2020-03-27  5:02:29 > DomainPolicy [27] : HeadValuePolicySeq [5]
2020-03-27  5:02:29 > DomainPolicy [27] : URLPolicySeq [1]
2020-03-27  5:02:29 > URLPolicy [27:1]
2020-03-27  5:02:29 >> URLPolicy [27:1] : URLBasePolicy
2020-03-27  5:02:29 >> URLPolicy [27:1] : ParamPatternPolicySeq [27]
2020-03-27  5:02:29 >> URLPolicy [27:1] : UploadPolicySeq [13]
2020-03-27  5:02:29 ===== POLICY INSERT END =====
2020-03-27  5:02:39 Filter Policy Update Status : OK
  • Check Communication Connection Status
    Check if the communication between the Manager and Agent is connected using the NETSTAT command.
[root@localhost log]# netstat -atunp | grep 100
tcp   0   0   10.0.1.20:34203    52.79.17.21:10014   ESTABLISHED    14906/agent
  • Check Manager Connection
    Check if the agent registered on the manager server is properly connected (green light).
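
The agent log review above can be automated. The following is an added example, not part of the DeepFinder product: it reads agent.log and reports whether the latest agent start connected to the Manager, completed the policy insert and got a filter policy update. It assumes that "[AGENT] Init" marks each agent start, as in the sample log above; the function names and status words are hypothetical, and the sample lines are constructed with a documentation IP address.

```shell
#!/bin/sh
# Added example (not DeepFinder code): summarise the latest session in agent.log.
# Assumption: every agent start writes an "[AGENT] Init" line.

# Constructed sample modelled on the agent.log excerpt on this page.
df_sample_agent_log() {
    cat <<'EOF'
2020-03-27  5:02:29 [AGENT] Init ---------------------------
2020-03-27  5:02:29 Connect Server [192.0.2.10:10012]
2020-03-27  5:02:29 Server Connected OK
2020-03-27  5:02:29 Agent Start
2020-03-27  5:02:29 Connect Server [192.0.2.10:10013]
2020-03-27  5:02:29 Server Connected OK
2020-03-27  5:02:29 ===== POLICY INSERT START =====
2020-03-27  5:02:29 PatternSeq [266] [OK]
2020-03-27  5:02:29 ===== POLICY INSERT END =====
2020-03-27  5:02:39 Filter Policy Update Status : OK
EOF
}

# Prints ok, manager-connection-failed, policy-insert-incomplete or
# filter-policy-not-updated, and returns 0, 1, 2 or 3 respectively.
df_agent_log_status() {
    awk '
        /\[AGENT\] Init/ {                      # new start: forget earlier sessions
            conn = ok = pstart = pend = filt = 0
        }
        /Connect Server \[/                 { conn++ }
        /Server Connected OK/               { ok++ }
        /POLICY INSERT START/               { pstart++ }
        /POLICY INSERT END/                 { pend++ }
        /Filter Policy Update Status : OK/  { filt = 1 }
        END {
            if (conn == 0 || ok < conn)       { print "manager-connection-failed"; exit 1 }
            if (pstart == 0 || pend < pstart) { print "policy-insert-incomplete";  exit 2 }
            if (!filt)                        { print "filter-policy-not-updated"; exit 3 }
            print "ok"
        }' "$1"
}
```

On an installed host, call it as df_agent_log_status /usr/local/deepfinder/log/agent.log.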

Verifying Module Configuration

  • Check Filter Log
    Check the Filter Log to verify that the web server has loaded the module correctly. The module is loaded when the web server starts.
[root@localhost ~]# tail -f /usr/local/deepfinder/log/filter.log
2020-04-01 00:02:16 : [4052] Filter Init OK
2020-04-01 06:12:02 : [4988] Filter Init OK
2020-04-02 00:01:56 : [3296] Filter Init OK
  • Check Module Setting
    Check if the module is configured in the web server.
[root@localhost ~]# ps -ef | grep httpd
apache   29515 31785  0 09:23 ?        00:00:00 /usr/sbin/httpd
apache   29516 31785  0 09:23 ?        00:00:00 /usr/sbin/httpd
apache   29522 31785  0 09:23 ?        00:00:00 /usr/sbin/httpd
[root@localhost ~]# tail -n1 /etc/httpd/conf/httpd.conf
LoadModule deepfinder_module /usr/local/deepfinder/lib/mod_deepfinder22.so
  • Check Module Load
    Check if the module is loaded into the web server process using the LSOF command.
[root@localhost ~]# ps -ef | grep httpd    
apache   29515 31785  0 09:23 ?        00:00:00 /usr/sbin/httpd
apache   29516 31785  0 09:23 ?        00:00:00 /usr/sbin/httpd
apache   29522 31785  0 09:23 ?        00:00:00 /usr/sbin/httpd 
[root@localhost log]# lsof -p 31785 | grep deepfinder
httpd 31785 root mem REG  202,1 9429 4056 /deepfinder/lib/mod_deepfinder22.so
  • Check Manager Log
    Generate a detection log and check it on the manager server.