Pushdo and CutWail - Iptables + Nginx + Naxsi
Firewall - Server ( Iptables ) - Nginx + Naxsi
Analysis of the impact on CPU load: Pushdo/Cutwail is a spam botnet and the largest botnet in terms of the number of infected hosts. I'm writing this article because I've been getting POST requests with random parameters by the million:
67.248.43.182 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_EEEFFFFFFFFFFGGGGGGGGGGHHHHHHH HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.25.79.166 - - [25/Mar/2013:23:23:31 +0700] "POST / HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.118.16.50 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_effffffffgggggggghhhhhhhhhiiii HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.164.7.205 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_tx147AEHLORVYbehkosvz259CFJNQT HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.198.28.165 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_gggghhhhhhiiiiiijjjjjjkkkkkkll HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
and I put these rules in iptables:
[root@tania ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Mar 26 02:33:50 2013
*filter
:INPUT ACCEPT [81472:6298313]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104280:11571047]
#-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST" --algo bm --to 80 -j REJECT --reject-with tcp-reset
#-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST" --algo bm --to 70 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m length --length 8 -m tcp --dport 80 -m string --string "POST / HTTP/1.1" --algo bm --to 70 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST / HTTP/1.1" --algo bm --to 8 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 80 -m string --string "POST /?ptrxcz" --algo bm --to 70 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Mar 26 02:33:50 2013
[root@tania ~]#
The next step for this situation is naxsi + nginx. Download and unpack both:
wget http://nginx.org/download/nginx-x.x.xx.tar.gz
wget http://naxsi.googlecode.com/files/naxsi-x.xx.tar.gz
tar xvzf nginx-x.x.xx.tar.gz
tar xvzf naxsi-x.xx.tar.gz
cd nginx-x.x.xx/
Then run configure with the naxsi module added to your usual options, and build:
./configure --add-module=../naxsi-x.xx/naxsi_src/ [your options for nginx]
make
make install
Here is my nginx.conf:
user nginx;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    keepalive_timeout 20;
    client_max_body_size 15m;
    client_body_timeout 60;
    client_header_timeout 60;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    send_timeout 60;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # One error_log and one access_log (the original listed each twice; the first
    # access_log had no format and would have written every request a second time).
    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay off;
    autoindex off;
    keepalive_requests 100000;
    server_tokens off;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    # Defines the zone only; nothing is rate limited until a location applies it
    # with "limit_req zone=blitz ...".
    limit_req_zone $binary_remote_addr zone=blitz:10m rate=10r/s;
    #keepalive_timeout 65;
    gzip on;
    # Naxsi core rules, included once (the original included this file twice).
    include /etc/nginx/naxsi_core.rules;
    #include /etc/nginx/doxi-rules/rules.conf;
    include /etc/nginx/conf.d/*.conf;

    server {
        proxy_set_header Proxy-Connection "";
        listen 80;
        listen 443 ssl;
        server_name domain.com;
        root /home/domain/www;
        ssl_certificate "/etc/ssl/certs/server.crt";
        ssl_certificate_key "/etc/ssl/certs/server.key";
        ssl_session_timeout 5m;
        # 2013-era settings; SSLv3 and RC4 are no longer considered safe.
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
        ssl_prefer_server_ciphers on;
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 5 5;
        send_timeout 10;
        set $my_http "http";
        set $my_ssl "off";
        set $my_port "80";
        # Block this too
        if ($http_user_agent ~ "curl") { return 403; }
        # $http_referer is the Referer header. In the access log above the ptrxcz
        # marker sits in the query string and the referer is "-", so those requests
        # are not caught by this check; the iptables rule above matches them on the wire.
        if ($http_referer ~* (ptrxcz) ) {
            return 404;
        }
        location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
            access_log off;
            log_not_found off;
            expires 360d;
        }
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Most web apps can be configured to read this header and understand
            # that the current session is actually HTTPS.
            proxy_set_header X-Forwarded-Proto https;
            # We expect the downstream servers to redirect to the right hostname,
            # so don't do any rewrites here.
            proxy_redirect off;
            #proxy_set_header Host ;
            index index.php;
            try_files $uri $uri/ @handler;
        }
        error_page 403 /403.html;
        location = /403.html {
            root /home/domain/www;
            internal;
        }
        # Deny access to specific directories that no one should reach directly
        location /app/ { deny all; }
        location /includes/ { deny all; }
        location /lib/ { deny all; }
        location /media/downloadable/ { deny all; }
        location /pkginfo/ { deny all; }
        location /report/config.xml { deny all; }
        location /var/ { deny all; }
        # Allow only those who have a login name and password
        # to view the export folder. Refer to /etc/nginx/htpassword.
        location /var/export/ {
            auth_basic "Restricted";
            auth_basic_user_file htpasswd;
            autoindex on;
        }
        # Deny all attempts to access hidden files
        # such as .htaccess, .htpasswd, etc...
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
        if ($http_x_forwarded_proto = "https") {
            set $my_http "https";
            set $my_ssl "on";
            set $my_port "443";
        }
        # This redirect is added so as to use Magento's
        # common front handler when handling incoming URLs.
        location @handler {
            rewrite / /index.php;
        }
        # Forward paths such as /js/index.php/x.js
        # to their relevant handler.
        location ~ \.php/ {
            rewrite ^(.*\.php)/ $1 last;
        }
        if (!-e $request_filename) {
            rewrite . /index.php last;
        }
        location ~ \.php$ {
            include /etc/nginx/test.rules;
            fastcgi_param HTTPS on;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~* \.(htm|html|js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny all;
        }
        error_page 404 /notfound.html;
    }
}
tail -f /var/log/nginx/error.log
2013/03/25 04:03:22 [error] 30036#0: *10155787 NAXSI_FMT: ip=70.45.123.74&server=domain.com&uri=/&learning=1&total_processed=235&total_blocked=234&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 70.45.123.74, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155791 NAXSI_FMT: ip=186.114.107.88&server=domain.com&uri=/&learning=1&total_processed=236&total_blocked=235&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 186.114.107.88, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155794 NAXSI_FMT: ip=181.124.39.150&server=domain.com&uri=/&learning=1&total_processed=237&total_blocked=236&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 181.124.39.150, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155799 NAXSI_FMT: ip=37.105.12.39&server=domain.com&uri=/&learning=1&total_processed=238&total_blocked=237&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 37.105.12.39, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155801 NAXSI_FMT: ip=71.123.47.32&server=domain.com&uri=/&learning=1&total_processed=239&total_blocked=238&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 71.123.47.32, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155804 NAXSI_FMT: ip=79.145.219.121&server=domain.com&uri=/&learning=1&total_processed=240&total_blocked=239&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 79.145.219.121, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155803 NAXSI_FMT: ip=189.228.72.174&server=domain.com&uri=/&learning=1&total_processed=241&total_blocked=240&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 189.228.72.174, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
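As an added example, not part of the original post: a small Python detector that applies the two request shapes from the access log above (POST with a ptrxcz_ query key, and bare POST / with no referer from the fixed MSIE 6.0 user agent) and decodes the NAXSI_FMT lines from the error log; the label names and the constructed sample lines are my assumptions.

```python
import re
from collections import Counter

# Combined access-log layout (the page's log_format "main" appends one more quoted field).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Request shapes from the access log above: random ptrxcz_ query key, or bare POST / from the fixed MSIE 6.0 UA.
PTRXCZ_RE = re.compile(r'^/\?ptrxcz_[A-Za-z0-9]+$')
UA_MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
# NAXSI_FMT is "&"-joined key=value; learning=1 means LearningMode: logged only, request still passed on.
NAXSI_RE = re.compile(r'NAXSI_FMT: (?P<kv>[^,\s]+)')

def classify(line):
    # Label one access-log line; None if it does not parse.
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["method"] != "POST":
        return "benign"
    if PTRXCZ_RE.match(d["uri"]):
        return "pushdo_ptrxcz"
    if d["uri"] == "/" and d["referer"] == "-" and d["ua"] == UA_MSIE6:
        return "pushdo_bare_post"
    return "post_other"

def summarize(lines):
    # Count lines per label, and flood hits per source IP (blocklist candidates).
    labelled = [(classify(line), line) for line in lines]
    by_label = Counter(label for label, _ in labelled if label)
    per_ip = Counter(ACCESS_RE.match(line)["ip"] for label, line in labelled
                     if label and label.startswith("pushdo_"))
    return by_label, per_ip

def parse_naxsi(line):
    # Return (client ip, triggered rule ids, learning_mode) from a NAXSI_FMT line.
    m = NAXSI_RE.search(line)
    if not m:
        return None
    kv = dict(pair.split("=", 1) for pair in m["kv"].split("&"))
    ids = [v for k, v in kv.items() if re.fullmatch(r"id\d+", k)]
    return kv["ip"], ids, kv.get("learning") == "1"

# Constructed sample: two lines modelled on the access log above plus a benign GET.
SAMPLE = [
    '67.248.43.182 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_EEEFFFFFFFFFFGGGGGGGGGGHHHHHHH HTTP/1.1" 404 564 "-" "' + UA_MSIE6 + '"',
    '190.25.79.166 - - [25/Mar/2013:23:23:31 +0700] "POST / HTTP/1.1" 302 5 "-" "' + UA_MSIE6 + '"',
    '10.0.0.5 - - [25/Mar/2013:23:23:32 +0700] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```

Every NAXSI_FMT line above carries learning=1, which means LearningMode is on: naxsi logs the match but still passes the request to the backend, so the rules only start blocking once LearningMode is turned off.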