Thursday, March 28, 2013

Pushdo and CutWail - Iptables + Nginx + Naxsi

Firewall - Server ( Iptables ) - Nginx + Naxsi

Analysis of the impact of high CPU load caused by spam from what is the largest botnet in terms of the number of infected hosts. I am writing this article because I received millions of POST requests carrying this parameter:

67.248.43.182 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_EEEFFFFFFFFFFGGGGGGGGGGHHHHHHH HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.25.79.166 - - [25/Mar/2013:23:23:31 +0700] "POST / HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.118.16.50 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_effffffffgggggggghhhhhhhhhiiii HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.164.7.205 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_tx147AEHLORVYbehkosvz259CFJNQT HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.198.28.165 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_gggghhhhhhiiiiiijjjjjjkkkkkkll HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

and I put these rules in iptables:

[root@tania ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Mar 26 02:33:50 2013
*filter
:INPUT ACCEPT [81472:6298313]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104280:11571047]
# Earlier attempts, left disabled: a zero-length packet never exists, and the
# bare word "POST" would have reset legitimate form submissions as well.
#-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST" --algo bm --to 80 -j REJECT --reject-with tcp-reset
#-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST" --algo bm --to 70 -j REJECT --reject-with tcp-reset
# NOTE(review): "-m length" compares the packet length, and a TCP packet can
# never be 8 (or 0) bytes long, so neither of the next two rules can ever
# match; the second one additionally limits the string search to the first
# 8 bytes of the packet ("--to 8"), which is still inside the IP header.
# Only the ptrxcz rule below does any work. Dropping the length match here
# would make the rule live, but it would then also reset every legitimate
# "POST /" -- weigh that before enabling it.
-A INPUT -p tcp -m length --length 8 -m tcp --dport 80 -m string --string "POST / HTTP/1.1" --algo bm --to 70 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST / HTTP/1.1" --algo bm --to 8 -j REJECT --reject-with tcp-reset
# The rule that actually bites: a TCP RST is sent back as soon as the bot's
# "POST /?ptrxcz" marker appears within the first 70 bytes of a segment to
# port 80, so nginx never has to parse the request (the CPU cost this post
# is about). It only covers plain HTTP -- the same request on port 443 is
# encrypted and has to be caught inside nginx -- and the 70-byte window is
# counted from the start of the IP header, so the marker has to sit at the
# very beginning of the segment.
-A INPUT -p tcp -m tcp --dport 80 -m string --string "POST /?ptrxcz" --algo bm --to 70 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Mar 26 02:33:50 2013
[root@tania ~]#


The next step in this situation is naxsi + nginx:

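# Fetch the nginx and naxsi source archives, unpack them and enter the nginx
# tree. x.x.xx / x.xx stand for the release numbers chosen at the time. The
# steps are chained with && so a failed download or unpack stops here instead
# of running the build from the wrong directory (and no "exit" is needed, so
# the snippet is safe to paste into an interactive shell).
# NOTE(review): both archives arrive over plain HTTP with no checksum or
# signature check -- compare them against the publisher's published hashes
# before building.
wget http://nginx.org/download/nginx-x.x.xx.tar.gz \
  && wget http://naxsi.googlecode.com/files/naxsi-x.xx.tar.gz \
  && tar xvzf nginx-x.x.xx.tar.gz \
  && tar xvzf naxsi-x.xx.tar.gz \
  && cd nginx-x.x.xx/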

Then run configure with your options:

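# Build nginx with naxsi compiled in. The module path must match the directory
# that naxsi-x.xx.tar.gz unpacks to (naxsi-x.xx/ going by the archive name --
# adjust if it differs). Replace the bracketed text with the usual configure
# options (prefix, modules, ...). "make install" only runs if configure and
# make both succeeded.
./configure --add-module=../naxsi-x.xx/naxsi_src/ [your options for nginx] \
  && make \
  && make install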


Here is my nginx.conf configuration:



 
 # Workers run unprivileged as "nginx"; four of them, pid file for signalling.
 user       nginx;  
 worker_processes 4;  
 pid    /var/run/nginx.pid;  
 # Per-worker connection cap: with the four workers above, roughly 4096
 # concurrent connections in total.
 events {  
   worker_connections 1024;  
 }  
 # HTTP context: global timeouts, buffers, logging and the naxsi core rule set,
 # followed by the single server block for domain.com (plain HTTP and TLS).
 http {  
    # Cache open file descriptors for frequently served static files.
    open_file_cache max=1000 inactive=20s;  
    open_file_cache_valid  30s;  
    open_file_cache_min_uses 2;  
    open_file_cache_errors  on;  
    keepalive_timeout 20;  
    # Bodies over 15m are refused outright; with a 1K body buffer anything
    # larger than that is spooled to a temporary file.
   client_max_body_size 15m;  
   client_body_timeout 60;  
   client_header_timeout 60;  
   client_body_buffer_size 1K;  
   client_header_buffer_size 1k;  
   large_client_header_buffers 4 8k;  
    send_timeout 60;  
   # NOTE(review): both log directives are repeated further down in this
   # block (access_log there with the "main" format). Several access_log
   # directives on one level all fire, so every request is written to
   # access.log twice, and older nginx releases reject a second error_log on
   # the same level -- keep one pair.
   error_log /var/log/nginx/error.log;  
   access_log /var/log/nginx/access.log;  
   # naxsi MainRule signature set. It is included a second time below; one
   # include is enough -- presumably a duplicate redefines every rule id,
   # TODO confirm how naxsi treats that.
   include /etc/nginx/naxsi_core.rules;  
   include    /etc/nginx/mime.types;  
   default_type application/octet-stream;  
   log_format main '$remote_addr - $remote_user [$time_local] "$request" '  
            '$status $body_bytes_sent "$http_referer" '  
            '"$http_user_agent" "$http_x_forwarded_for"';  
 sendfile     on;  
 tcp_nopush    on;  
 tcp_nodelay    off;  
 autoindex     off;  
 keepalive_requests 100000;  
   error_log /var/log/nginx/error.log ;  
   access_log /var/log/nginx/access.log main;  
   # Hide the nginx version in the Server header and error pages.
   server_tokens off;  
   fastcgi_buffers 8 16k;  
   fastcgi_buffer_size 32k;  
   # NOTE(review): the "blitz" zone is declared but no "limit_req zone=blitz"
   # appears anywhere in this file, so the 10 r/s per-client limit is never
   # enforced. Add e.g. "limit_req zone=blitz burst=20 nodelay;" (values to
   # taste) in the server or location that receives the POST flood.
   limit_req_zone $binary_remote_addr zone=blitz:10m rate=10r/s;  
   #keepalive_timeout 65;  
   gzip on;  
   include /etc/nginx/naxsi_core.rules;  
   #include /etc/nginx/doxi-rules/rules.conf;  
   include /etc/nginx/conf.d/*.conf;  
  server {  
     # No proxy_pass is configured anywhere in this server, so this and the
     # proxy_set_header lines in "location /" have nothing to act on.
     proxy_set_header Proxy-Connection "";  
     listen    80;  
     listen    443 ssl;  
     server_name domain.com;  
     root /home/domain/www;  
     ssl_certificate   "/etc/ssl/certs/server.crt";  
     ssl_certificate_key "/etc/ssl/certs/server.key";  
      ssl_session_timeout 5m;  
      # NOTE(review): SSLv3 and RC4 are both broken (POODLE, RFC 7465), and
      # "!EDH" strips the DHE forward-secrecy suites. On an nginx/OpenSSL new
      # enough to offer it, prefer "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" and
      # a cipher list without RC4.
      ssl_protocols SSLv3 TLSv1;  
      ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;  
      ssl_prefer_server_ciphers on;  
  # Tighter per-server timeouts override the 60s http-level ones; short
  # timeouts limit how long a slow client can hold a worker connection.
  client_body_timeout  10;  
  client_header_timeout 10;  
  keepalive_timeout   5 5;  
  send_timeout     10;  
   # These three variables are set here and flipped further down when
   # X-Forwarded-Proto is https, but nothing in this file reads them.
   set $my_http "http";  
  set $my_ssl "off";  
  set $my_port "80";  
 #Block this too   
  # NOTE(review): User-Agent is chosen by the client; the bot in the access
  # log excerpt above identifies as "MSIE 6.0", so this only turns away curl.
  if ($http_user_agent ~ "curl") { return 403; }  
   # NOTE(review): in the access log the ptrxcz marker is in the request URI
   # ("POST /?ptrxcz_...") and the Referer is "-", so testing $http_referer
   # misses the observed traffic; test the query string instead, e.g.
   # "if ($args ~* ^ptrxcz) { return 404; }". This is also the only check
   # that can cover port 443, where the iptables string match cannot see
   # inside TLS.
   if ($http_referer ~* (ptrxcz) ) {  
    return 404;  
   }  
   # Static assets: no logging, long cache lifetime. The second static-file
   # regex location near the end of this server never sees js/css/images:
   # regex locations are tried in order and this one matches first for the
   # extensions they share.
   location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {  
   access_log    off;  
   log_not_found   off;  
   expires      360d;  
 }  
     location / {  
     proxy_set_header Host $host;  
     proxy_set_header X-Real-IP $remote_addr;  
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
     # Most web apps can be configured to read this header and understand that the current session is actually HTTPS.  
      # NOTE(review): hard-coded to https even for requests that arrived on port 80.
      proxy_set_header X-Forwarded-Proto https;  
     # We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.  
      proxy_redirect   off;  
     #proxy_set_header Host ;  
     index index.php;  
     # Serve the file or directory if it exists, otherwise hand the request to
     # the @handler front controller below.
     try_files $uri $uri/ @handler;  
     }  
  # Custom 403 page; "internal" keeps it reachable only via error_page.
  error_page 403 /403.html;  
  location = /403.html {  
  root /home/domain/www;  
  internal;  
  }  
   # Deny access to these directories for everyone  
   location /app/ { deny all; }  
   location /includes/ { deny all; }  
   location /lib/ { deny all; }  
   location /media/downloadable/ { deny all; }  
   location /pkginfo/ { deny all; }  
   location /report/config.xml { deny all; }  
   location /var/ { deny all; }  
   # Allow only those who have a login name and password  
   # to view the export folder. Refer to /etc/nginx/htpassword.  
   # The longer prefix wins over "/var/" above, so /var/export/ stays reachable
   # behind basic auth, with a directory listing. Note the comment says
   # "htpassword" while the directive names "htpasswd" (relative to the nginx
   # prefix) -- make sure they refer to the same file.
   location /var/export/ {  
     auth_basic "Restricted";  
     auth_basic_user_file htpasswd;  
     autoindex on;  
   }  
   # Deny all attempts to access hidden files  
   # such as .htaccess, .htpasswd, etc...  
   location ~ /\. {  
      deny all;  
      access_log off;  
      log_not_found off;  
   }  
   # Takes the client-supplied X-Forwarded-Proto header at face value; the
   # variables it sets are not used anywhere in this file (see above).
   if ($http_x_forwarded_proto = "https") {  
   set $my_http "https";  
   set $my_ssl "on";  
   set $my_port "443";  
   }  
   # This redirect is added so as to use Magento's  
   # common front handler when handling incoming URLs.  
   location @handler {  
     rewrite / /index.php;  
   }  
   # Forward paths such as /js/index.php/x.js  
   # to their relevant handler.  
   # The dots in both patterns are unescaped, so they match any character
   # rather than a literal ".".
   location ~ .php/ {  
     rewrite ^(.*.php)/ $1 last;  
   }  
      # Server-level catch-all: anything not present on disk goes to index.php.
      if (!-e $request_filename) {  
      rewrite . /index.php last;  
      }  
      location ~ \.php$ {  
      # NOTE(review): presumably the naxsi CheckRule/LearningMode/DeniedUrl
      # set. The error-log excerpt below reports learning=1, i.e. naxsi is
      # in learning mode and only logs -- until LearningMode is switched off
      # the WAF denies nothing here. TODO confirm the file's contents.
      include  /etc/nginx/test.rules;  
       # NOTE(review): HTTPS=on is forced for PHP on port 80 as well as 443.
       fastcgi_param HTTPS on;  
       fastcgi_pass  127.0.0.1:9000;  
       fastcgi_index index.php;  
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;  
       include    fastcgi_params;  
     }  
       # Only htm/html reach this block; the other extensions are claimed by
       # the earlier static-file location.
       location ~* \.(htm|html|js|css|png|jpg|jpeg|gif|ico)$ {  
         expires max;  
         log_not_found off;  
        }  
     # deny access to .htaccess files, if Apache's document root  
     # concurs with nginx's one  
     # (already covered by the "location ~ /\." block above, which is tried first)  
     location ~ /\.ht {  
       deny all;  
     }  
 error_page 404 /notfound.html;



  
 }  
 }  

# Follow the error log: naxsi writes one NAXSI_FMT line per matched request here.
tail -n 10 -f -- /var/log/nginx/error.log


2013/03/25 04:03:22 [error] 30036#0: *10155787 NAXSI_FMT: ip=70.45.123.74&server=domain.com&uri=/&learning=1&total_processed=235&total_blocked=234&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 70.45.123.74, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155791 NAXSI_FMT: ip=186.114.107.88&server=domain.com&uri=/&learning=1&total_processed=236&total_blocked=235&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 186.114.107.88, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155794 NAXSI_FMT: ip=181.124.39.150&server=domain.com&uri=/&learning=1&total_processed=237&total_blocked=236&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 181.124.39.150, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155799 NAXSI_FMT: ip=37.105.12.39&server=domain.com&uri=/&learning=1&total_processed=238&total_blocked=237&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 37.105.12.39, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155801 NAXSI_FMT: ip=71.123.47.32&server=domain.com&uri=/&learning=1&total_processed=239&total_blocked=238&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 71.123.47.32, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155804 NAXSI_FMT: ip=79.145.219.121&server=domain.com&uri=/&learning=1&total_processed=240&total_blocked=239&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 79.145.219.121, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155803 NAXSI_FMT: ip=189.228.72.174&server=domain.com&uri=/&learning=1&total_processed=241&total_blocked=240&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 189.228.72.174, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"