Pushdo and CutWail - Iptables + Nginx + Naxsi

-
Firewall - Server ( Iptables ) - Nginx + Naxsi

 Analysis of Impact to High Load CPU  - with spam and there is the largest botnet in terms of the amount of infected hosts. Im put this article where is ive got million parameter POST

 67.248.43.182 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_EEEFFFFFFFFFFGGGGGGGGGGHHHHHHH HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.25.79.166 - - [25/Mar/2013:23:23:31 +0700] "POST / HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.118.16.50 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_effffffffgggggggghhhhhhhhhiiii HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.164.7.205 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_tx147AEHLORVYbehkosvz259CFJNQT HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.198.28.165 - - [25/Mar/2013:23:23:31 +0700] "POST /?ptrxcz_gggghhhhhhiiiiiijjjjjjkkkkkkll HTTP/1.1" 404 564 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

and im put this code in iptables  :

 [root@tania ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Mar 26 02:33:50 2013
*filter
:INPUT ACCEPT [81472:6298313]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104280:11571047]
#-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST" --algo bm --to 80 -j REJECT --reject-with tcp-reset
#-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST" --algo bm --to 70 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m length --length 8 -m tcp --dport 80 -m string --string "POST / HTTP/1.1" --algo bm --to 70 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m length --length 0 -m tcp --dport 80 -m string --string "POST / HTTP/1.1" --algo bm --to 8 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 80 -m string --string "POST /?ptrxcz" --algo bm --to 70 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Mar 26 02:33:50 2013
[root@tania ~]#

 the next of this situation naxsi + nginx 

 wget http://nginx.org/download/nginx-x.x.xx.tar.gz wget http://naxsi.googlecode.com/files/naxsi-x.xx.tar.gz tar xvzf nginx-x.x.xx.tar.gz tar xvzf naxsi-x.xx.tar.gz cd nginx-x.x.xx/

put your configure

./configure --add-module=../naxsix.xx/naxsi_src/ [your options for nginx] make make install


Here is my configuration nginx.conf 
  
 user       nginx;  
 worker_processes 4;  
 pid    /var/run/nginx.pid;  
 events {  
   worker_connections 1024;  
 }  
 http {  
    open_file_cache max=1000 inactive=20s;  
    open_file_cache_valid  30s;  
    open_file_cache_min_uses 2;  
    open_file_cache_errors  on;  
    keepalive_timeout 20;  
   client_max_body_size 15m;  
   client_body_timeout 60;  
   client_header_timeout 60;  
   client_body_buffer_size 1K;  
   client_header_buffer_size 1k;  
   large_client_header_buffers 4 8k;  
    send_timeout 60;  
   error_log /var/log/nginx/error.log;  
   access_log /var/log/nginx/access.log;  
   include /etc/nginx/naxsi_core.rules;  
   include    /etc/nginx/mime.types;  
   default_type application/octet-stream;  
   log_format main '$remote_addr - $remote_user [$time_local] "$request" '  
            '$status $body_bytes_sent "$http_referer" '  
            '"$http_user_agent" "$http_x_forwarded_for"';  
 sendfile     on;  
 tcp_nopush    on;  
 tcp_nodelay    off;  
 autoindex     off;  
 keepalive_requests 100000;  
   error_log /var/log/nginx/error.log ;  
   access_log /var/log/nginx/access.log main;  
   server_tokens off;  
   fastcgi_buffers 8 16k;  
   fastcgi_buffer_size 32k;  
   limit_req_zone $binary_remote_addr zone=blitz:10m rate=10r/s;  
   #keepalive_timeout 65;  
   gzip on;  
   include /etc/nginx/naxsi_core.rules;  
   #include /etc/nginx/doxi-rules/rules.conf;  
   include /etc/nginx/conf.d/*.conf;  
  server {  
     proxy_set_header Proxy-Connection "";  
     listen    80;  
     listen    443 ssl;  
     server_name domain.com;  
     root /home/domain/www;  
     ssl_certificate   "/etc/ssl/certs/server.crt";  
     ssl_certificate_key "/etc/ssl/certs/server.key";  
      ssl_session_timeout 5m;  
      ssl_protocols SSLv3 TLSv1;  
      ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;  
      ssl_prefer_server_ciphers on;  
  client_body_timeout  10;  
  client_header_timeout 10;  
  keepalive_timeout   5 5;  
  send_timeout     10;  
   set $my_http "http";  
  set $my_ssl "off";  
  set $my_port "80";  
 #Block this too   
  if ($http_user_agent ~ "curl") { return 403; }  
   if ($http_referer ~* (ptrxcz) ) {  
    return 404;  
   }  
   location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {  
   access_log    off;  
   log_not_found   off;  
   expires      360d;  
 }  
     location / {  
     proxy_set_header Host $host;  
     proxy_set_header X-Real-IP $remote_addr;  
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
     # Most web apps can be configured to read this header and understand that the current session is actually HTTPS.  
      proxy_set_header X-Forwarded-Proto https;  
     # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrites here.  
      proxy_redirect   off;  
     #proxy_set_header Host ;  
     index index.php;  
     try_files $uri $uri/ @handler;  
     }  
  error_page 403 /403.html;  
  location = /403.html {  
  root /home/domain/www;  
  internal;  
  }  
   # Deny access to specific directories no one  
   location /app/ { deny all; }  
   location /includes/ { deny all; }  
   location /lib/ { deny all; }  
   location /media/downloadable/ { deny all; }  
   location /pkginfo/ { deny all; }  
   location /report/config.xml { deny all; }  
   location /var/ { deny all; }  
   # Allow only those who have a login name and password  
   # to view the export folder. Refer to /etc/nginx/htpassword.  
   location /var/export/ {  
     auth_basic "Restricted";  
     auth_basic_user_file htpasswd;  
     autoindex on;  
   }  
   # Deny all attempts to access hidden files  
   # such as .htaccess, .htpasswd, etc...  
   location ~ /\. {  
      deny all;  
      access_log off;  
      log_not_found off;  
   }  
   if ($http_x_forwarded_proto = "https") {  
   set $my_http "https";  
   set $my_ssl "on";  
   set $my_port "443";  
   }  
   # This redirect is added so to use Magentos  
   # common front handler when handling incoming URLs.  
   location @handler {  
     rewrite / /index.php;  
   }  
   # Forward paths such as /js/index.php/x.js  
   # to their relevant handler.  
   location ~ .php/ {  
     rewrite ^(.*.php)/ $1 last;  
   }  
      if (!-e $request_filename) {  
      rewrite . /index.php last;  
      }  
      location ~ \.php$ {  
      include  /etc/nginx/test.rules;  
       fastcgi_param HTTPS on;  
       fastcgi_pass  127.0.0.1:9000;  
       fastcgi_index index.php;  
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;  
       include    fastcgi_params;  
     }  
       location ~* \.(htm|html|js|css|png|jpg|jpeg|gif|ico)$ {  
         expires max;  
         log_not_found off;  
        }  
     # deny access to .htaccess files, if Apache's document root  
     # concurs with nginx's one  
     #  
     location ~ /\.ht {  
       deny all;  
     }  
 error_page 404 /notfound.html;



  
 }  
 }

tail -f /var/log/nginx/error.log
2013/03/25 04:03:22 [error] 30036#0: *10155787 NAXSI_FMT: ip=70.45.123.74&server=domain.com&uri=/&learning=1&total_processed=235&total_blocked=234&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 70.45.123.74, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155791 NAXSI_FMT: ip=186.114.107.88&server=domain.com&uri=/&learning=1&total_processed=236&total_blocked=235&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 186.114.107.88, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155794 NAXSI_FMT: ip=181.124.39.150&server=domain.com&uri=/&learning=1&total_processed=237&total_blocked=236&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 181.124.39.150, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:22 [error] 30036#0: *10155799 NAXSI_FMT: ip=37.105.12.39&server=domain.com&uri=/&learning=1&total_processed=238&total_blocked=237&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 37.105.12.39, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155801 NAXSI_FMT: ip=71.123.47.32&server=domain.com&uri=/&learning=1&total_processed=239&total_blocked=238&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 71.123.47.32, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155804 NAXSI_FMT: ip=79.145.219.121&server=domain.com&uri=/&learning=1&total_processed=240&total_blocked=239&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 79.145.219.121, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/03/25 04:03:23 [error] 30036#0: *10155803 NAXSI_FMT: ip=189.228.72.174&server=domain.com&uri=/&learning=1&total_processed=241&total_blocked=240&zone0=HEADERS&id0=1402&var_name0=content-type&zone1=BODY&id1=11&var_name1=, client: 189.228.72.174, server: www.domain.com, request: "POST / HTTP/1.1", host: "domain.com" 

Komentar

Posting Komentar

Postingan populer dari blog ini

Mengatasi error unrecognise request di Linkaja

-
Jika ada kendala dengan status unrecognise dari link aja hal yang anda lakukan adalah : - Pastikan ada koneksi Internet. - Pastikan storage device anda cukup. - Restart Handphone. - Uninstall dan Install Aplikasi Link aja. Cara tersebut sudah saya coba dan cukup ampuh dari kendala yang dihadapi. Kalau masih ada kendala silahkan hubungi melalui situs linkaja
Baca selengkapnya

OJS and Nginx

-
Im decide to put web server nginx to OJS , make some rewrite there is problem with preety url with OJS as you can see here : http://pkp.sfu.ca/support/forum/viewtopic.php?f=8&t=9135 and  it must be : disable_path_info = On but i dont want it ,  and then i try to search google and this the link usage for me : http://coolpandaca.wordpress.com/2012/12/07/migrate-ojs-to-nginx-from-apache/ Great article and there is 2 point when value path_info and scriptname : null ...     how to made rewrite in full configuration nginx.conf ? #---------------------------------------------------------------------- # Events Module # #   http://wiki.nginx.org/NginxHttpEventsModule # #---------------------------------------------------------------------- events {     worker_connections  1024; } #---------------------------------------------------------------------- # HTTP Core Module # #   http://wiki.nginx.org/NginxHttpCoreModule # #------------------------------------------------------
Baca selengkapnya

Tentang Findtoyou.com

-
Sudah setahun berdiri akhirnya ada juga yang mereview situs ini , suka duka memulai semua dari awal membawa situs ini mengalami perubahan , memberikan terbaik untuk semua pengunjung dan semoga tidak sia-sia , bermanfaat untuk khalayak umum Findtoyou.com adalah mesin pencarian yang berguna penggunanya agar lebih mudah , lebih spesifik dan lebih praktis. Sebagai mesin pencari untuk Mesin Pencari untuk Music, Video, Images, Software, Ebook, Document, Powerpoint, Excel, File Sharing, Torrent dan Social Networking. Keunikan dari Search Engine Findtoyou adalah dapat mengklasifikasikan pencarian, sehingga user dapat mudah memilih jenis File yang ingin dicari berbeda dengan search engine sejenisnya yang hanya mampu mencari 1 atau 2 file. Sejarah : Awal mulanya berdiri pada bulan 9 juli 2009 dan berbasiskan di Surabaya dan Jakarta pendiri : Dian Arif Sutejo - founder Teuku Iqbal Maulana - co-founder - CIT setiadi - co-founder - CEO Walau baru seumur jagung meramaikan situs pencarian, trafik unt
Baca selengkapnya