Defending against Pushdo and Cutwail - iptables - Nginx Reverse Proxy + Naxsi
Why buy an expensive appliance when everything you need is open source?
Topology
Router ( 192.168.1.1 ) - Nginx Reverse Proxy + Naxsi ( 192.168.1.2 ) - Nginx Web Server ( 192.168.1.3 )
> Nginx Reverse Proxy + Naxsi ( 192.168.1.2 )
This step shows how to defend against Pushdo/Cutwail by putting Naxsi on the reverse proxy.
Configure iptables:
This blocks at layer 4 (packet level): the request "POST /?ptrxcz" is dropped by matching the pattern string "ptrxcz" in the TCP payload.
[root@proxy ~]# vi /etc/sysconfig/iptables
# iptables-save format for /etc/sysconfig/iptables: all default chain policies stay ACCEPT;
# the bracketed numbers are the saved packet:byte counters.
*filter
:INPUT ACCEPT [12204116:2175223599]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13308164:1687844257]
# Drop any inbound TCP segment whose payload contains "ptrxcz" (Boyer-Moore search over the
# first 65535 bytes). There is no --dport and no preceding ESTABLISHED rule, so the match runs on
# every inbound TCP packet on every port, and legitimate plaintext traffic carrying the same
# string would be dropped too. The string is searched within a single packet, so a request split
# across two segments is not caught, and the match cannot see inside TLS: the HTTPS path relies on
# the Naxsi rules on the proxy instead.
-A INPUT -p tcp -m string --string "ptrxcz" --algo bm --to 65535 -j DROP
COMMIT
Install Nginx + Naxsi
[root@proxy ~]# cd /usr/local/src/
[root@proxy ~]# wget http://nginx.org/download/nginx-x.x.xx.tar.gz
[root@proxy ~]# wget http://naxsi.googlecode.com/files/naxsi-x.xx.tar.gz
[root@proxy ~]# tar xvzf nginx-x.x.xx.tar.gz
[root@proxy ~]# tar xvzf naxsi-x.xx.tar.gz
[root@proxy ~]# cd nginx-x.x.xx/
[root@proxy ~]# ./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-x.xx/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-ipv6 --prefix=/usr
[root@proxy ~]# make;make install
[root@proxy ~]# cp /usr/local/src/naxsi-x.xx/naxsi_config/default_location_config.example /etc/nginx/test.rules
[root@proxy ~]# vi /etc/nginx/test.rules;
# Per-location Naxsi settings (copied from naxsi_config/default_location_config.example).
# Pulled in by "location /" in conf.d/default.conf on the proxy.
# LearningMode stays commented out: requests that reach a BLOCK threshold are actually blocked,
# not just logged.
#LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
# Blocked requests are internally redirected to this URI; the matching "location /RequestDenied"
# in default.conf should answer with a final status.
DeniedUrl "/RequestDenied";
# Whitelist rules generated in learning mode. NOTE(review): /tmp is world-writable, so any local
# user could create this file before nginx reads it; a root-owned path under /etc/nginx is the
# safer home. Presumably nginx also refuses to start if the file is absent (no wildcard include).
include "/tmp/naxsi_rules.tmp";
## check rules
# Scores accumulate from MainRule matches; e.g. core rule 1402 (shown later on this page) adds
# $EVADE:4, which on its own meets the $EVADE >= 4 threshold below.
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
[root@proxy ~]# cp /usr/local/src/naxsi-x.xx/naxsi_config/naxsi_core.rules /etc/nginx/naxsi_core.rules
Configure nginx.conf
[root@nginx ~]# vi /etc/nginx/nginx.conf
# Main nginx.conf on the reverse proxy (192.168.1.2).
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
# Naxsi MainRule definitions must be loaded at http level before any per-location rules.
include /etc/nginx/naxsi_core.rules;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Default (combined) log format; the backend defines its own "main" format.
access_log /var/log/nginx/access.log;
server_names_hash_bucket_size 64;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
tcp_nodelay on;
gzip on;
# Default value; drops requests with malformed header names.
ignore_invalid_headers on;
gzip_comp_level 5;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/plain text/css image/x-icon application/x-javascript;
gzip_vary on;
# NOTE(review): unlike the backend nginx.conf on this page, server_tokens is not turned off here,
# so the proxy advertises its nginx version in the Server header and error pages.
# Pulls in default.conf, proxy.conf and ssl.conf below; proxy.conf's directives land at this level.
include /etc/nginx/conf.d/*.conf;
}
[root@proxy ~]# vi /etc/nginx/conf.d/default.conf
# Plain-HTTP (port 80) front end for domain.com. Naxsi is applied only inside "location /";
# there is no redirect to HTTPS.
server {
listen 80;
server_name domain.com;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log notice;
#set your default location
location / {
# Per-location Naxsi rules (SecRulesEnabled + CheckRule thresholds). /static and /50x.html
# below are served locally and are not inspected.
include /etc/nginx/test.rules;
# Backend reached over plain HTTP on the LAN.
proxy_pass http://192.168.1.3;
proxy_read_timeout 60s;
# May not need or want to set Host. Should default to the above hostname.
# (Without it nginx sends the upstream address as Host.) NOTE(review): defining proxy_set_header
# here replaces the whole http-level set from proxy.conf rather than extending it — presumably
# intended, since the same three headers are repeated.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Target of DeniedUrl in test.rules: Naxsi internally redirects blocked requests here.
# NOTE(review): this location has no return/root/proxy_pass, so the redirected request is looked
# up under nginx's default root and presumably ends as 404 -> /404.html. An explicit
# "return 403;" gives blocked requests a deliberate status and avoids a second file lookup.
location /RequestDenied {
error_page 404 /404.html;
}
#set your static folder location without the proxy pass so Nginx
#will server those files. We also set expires max to add an
#expires to have the client cache the files. You will
#have to #set a version on your css and js files to prevent
#the user who has cached files from not receiving new versions.
location /static {
root /home/domain/www/media;
expires max;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
}
[root@proxy naxsi]# vi /etc/nginx/conf.d/proxy.conf
# Included at http level via conf.d/*.conf, so these act as defaults for every server/location
# that does not set the same directive itself.
proxy_redirect off;
# NOTE(review): a location that defines its own proxy_set_header (both default.conf and ssl.conf
# do) replaces this whole set rather than extending it, so these three lines only reach
# locations that set none.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Effective upload limit for the whole chain; the backend's 15m is never reached through the proxy.
client_max_body_size 10m;
client_body_buffer_size 128k;
client_header_buffer_size 64k;
# Upstream timeouts, in seconds.
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
# Response buffering: 16k for the upstream header, up to 32 x 16k for the body.
proxy_buffer_size 16k;
proxy_buffers 32 16k;
proxy_busy_buffers_size 64k;
Nginx SSL configuration: enable or disable SSL depending on your situation.
[root@proxy src]# cat /etc/nginx/conf.d/ssl.conf
#
# HTTPS server configuration
#
server {
### server port and name ###
listen 443;
# Older form; the backend uses "listen 443 ssl;" instead. NOTE(review): use the same form here
# for consistency.
ssl on;
server_name domain.com;
### SSL log files ###
access_log /var/log/nginx/ssl-access.log;
error_log /var/log/nginx/ssl-error.log;
### SSL cert files ###
ssl_certificate "/etc/ssl/certs/domain/domain.crt";
ssl_certificate_key "/etc/ssl/certs/domain/domain.key";
# NOTE(review): SSLv3 and RC4 are deprecated and known-weak; TLSv1.2 or later with an AEAD-only
# cipher list is the current baseline. The backend server block has the same settings.
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
ssl_prefer_server_ciphers on;
keepalive_timeout 60;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# $my_https is only consumed by the commented-out passenger lines below, so this has no effect.
# At this hop the X-Forwarded-Proto header comes straight from the client, so it should not be
# trusted if it is ever wired up.
set $my_https "off";
if ($http_x_forwarded_proto = "https") {
set $my_https "on";
}
# passenger_enabled on;
# passenger_set_cgi_param HTTPS $my_https;
server_name_in_redirect off;
location / {
# NOTE(review): with this include commented out, the HTTPS listener has no Naxsi inspection at
# all, and the iptables string match cannot see into TLS either, so a request sent over 443
# reaches the backend with only the backend's own Referer check. Enabling the include here
# closes that gap.
# include /etc/nginx/test.rules;
# NOTE(review): nginx does not verify the upstream certificate unless proxy_ssl_verify is on;
# acceptable on a trusted LAN segment — confirm that assumption holds here.
proxy_pass https://192.168.1.3;
proxy_redirect off;
proxy_set_header Host $host ;
proxy_set_header X-Real-IP $remote_addr ;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
# Lets the backend learn that the client connection was HTTPS.
proxy_set_header X-Forwarded-Proto https;
}
}
[root@proxy src]# tail -f /var/log/nginx/error.log
2013/04/01 15:41:49 [error] 11322#0: *323567 NAXSI_FMT:
ip=123.50.36.241&server=domain.com&uri=/&learning=0&total_processed=9072&total_blocked=8135&zone0=HEADERS&id0=1402&var_nam
e0=content-type, client: 123.50.36.241, server: domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/04/01 15:41:49 [error] 11322#0: *323582 NAXSI_FMT:
ip=222.254.120.159&server=domain.com&uri=/&learning=0&total_processed=9073&total_blocked=8136&zone0=HEADERS&id0=1402&var_n
ame0=content-type, client: 222.254.120.159, server: domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/04/01 15:41:49 [error] 11322#0: *323586 NAXSI_FMT:
ip=105.228.161.78&server=domain.com&uri=/&learning=0&total_processed=9075&total_blocked=8137&zone0=HEADERS&id0=1402&var_na
me0=content-type, client: 105.228.161.78, server: domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/04/01 15:41:49 [error] 11322#0: *323587 NAXSI_FMT:
ip=76.67.72.71&server=domain.com&uri=/&learning=0&total_processed=9076&total_blocked=8138&zone0=HEADERS&id0=1402&var_name0
=content-type, client: 76.67.72.71, server: domain.com, request: "POST / HTTP/1.1", host: "domain.com"
2013/04/01 15:41:49 [error] 11322#0: *323588 NAXSI_FMT:
ip=37.79.119.192&server=domain.com&uri=/&learning=0&total_processed=9077&total_blocked=8139&zone0=HEADERS&id0=1402&var_nam
e0=content-type, client: 37.79.119.192, server: domain.com, request: "POST / HTTP/1.1", host: "domain.com"
The error log reports rule id0=1402; its definition in naxsi_core.rules is:
[root@proxy src] cat /etc/nginx/naxsi_core.rules
# Core rule 1402 (shown here wrapped across lines). It is a "negative" rule: it fires when the
# Content-Type request header does NOT match multipart/form-data or
# application/x-www-form-urlencoded, and adds 4 to the $EVADE score. That alone meets the
# "$EVADE >= 4" BLOCK threshold in test.rules, which is why the POST requests in the log above
# are blocked on the HEADERS zone (zone0=HEADERS&id0=1402).
MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-
form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4"
id:1402;
On the backend Nginx web server ( 192.168.1.3 )
[root@web root]# vi /etc/nginx/nginx.conf
# Backend web server (192.168.1.3): serves the site from /home/domain/www via PHP-FPM.
user nginx;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
# Cache open file descriptors and stat results for frequently served files.
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
keepalive_timeout 20;
# Never reached through the proxy, whose client_max_body_size is 10m.
client_max_body_size 15m;
client_body_timeout 60;
client_header_timeout 60;
# Small body buffer: anything above 1K is spooled to a temp file.
client_body_buffer_size 1K;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
send_timeout 60;
# NOTE(review): error_log and access_log are each declared twice at this level (here and again
# after autoindex below), both pointing at the same files. nginx accepts repeated access_log
# directives, so each request is presumably written twice (default format + "main") — keep one.
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
# Loads the Naxsi rule definitions only: no location in this file has SecRulesEnabled, so Naxsi
# enforces nothing on the backend (and this line parses only if this nginx was also built with
# the Naxsi module). Inspection happens on the proxy.
include /etc/nginx/naxsi_core.rules;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
tcp_nopush on;
tcp_nodelay off;
# Directory listings off globally (re-enabled only for /var/export/ below).
autoindex off;
keepalive_requests 100000;
error_log /var/log/nginx/error.log ;
access_log /var/log/nginx/access.log main;
# Hides the nginx version in the Server header and error pages (the proxy config does not set this).
server_tokens off;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
# NOTE(review): the "blitz" zone is defined but no "limit_req zone=blitz" appears anywhere in
# this config, so no rate limiting is applied. Also, behind the reverse proxy $binary_remote_addr
# is the proxy's own address unless the real_ip module (set_real_ip_from / real_ip_header) is
# configured, so a per-client limit would throttle all proxied traffic as a single client.
limit_req_zone $binary_remote_addr zone=blitz:10m rate=10r/s;
gzip on;
include /etc/nginx/conf.d/*.conf;
server {
proxy_set_header Proxy-Connection "";
# One server block answers plain HTTP and HTTPS (the proxy's ssl.conf passes to https://192.168.1.3).
listen 80;
listen 443 ssl;
server_name domain.com;
root /home/domain/www;
ssl_certificate "/etc/ssl/certs/server.crt";
ssl_certificate_key "/etc/ssl/certs/server.key";
ssl_session_timeout 5m;
# NOTE(review): SSLv3 and RC4 are deprecated and known-weak; TLSv1.2 or later with an AEAD-only
# cipher list is the current baseline (the same applies to the proxy's ssl.conf).
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
ssl_prefer_server_ciphers on;
# Tighter per-server timeouts override the http-level ones above.
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
# Initialised here and flipped by the X-Forwarded-Proto check below, but none of these three
# variables is referenced anywhere else in this file (fastcgi_param HTTPS is hard-coded to on).
set $my_http "http";
set $my_ssl "off";
set $my_port "80";
#Block this too
# NOTE(review): User-Agent is client-supplied, so this only filters clients that keep the default
# string, and it also blocks legitimate curl-based monitoring. The match is case-sensitive
# ("~", not "~*").
if ($http_user_agent ~ "curl") { return 403; }
# Catches the Pushdo/Cutwail marker only when it appears in the Referer header; the
# "POST /?ptrxcz" form is handled upstream by the iptables string match and Naxsi. Answers 404
# rather than 403 so the client gets no hint. To cover the query-string form on this host as
# well, $request_uri could be tested the same way.
if ($http_referer ~* (ptrxcz) ) {
return 404;
}
# Regex locations are tried in the order written and the first match wins, so this block takes
# precedence over the "location ~ /\." deny further down for a dotfile path that ends in one of
# these extensions. NOTE(review): consider moving the dotfile deny above it.
location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 360d;
}
location / {
# The proxy_* directives below have no effect in a location without proxy_pass (they look
# copied from the proxy config); this location serves files and hands misses to @handler.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Most web apps can be configured to read this header and understand that the current session is actually HTTPS.
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
index index.php;
try_files $uri $uri/ @handler;
}
error_page 403 /403.html;
location = /403.html {
root /home/domain/www;
internal;
}
# Deny access to specific directories no one
# should reach directly (Magento layout). /var/export/ below is a longer prefix, so it wins
# over the /var/ deny.
location /app/ { deny all; }
location /includes/ { deny all; }
location /lib/ { deny all; }
location /media/downloadable/ { deny all; }
location /pkginfo/ { deny all; }
location /report/config.xml { deny all; }
location /var/ { deny all; }
# Allow only those who have a login name and password
# to view the export folder. Refer to /etc/nginx/htpassword.
# NOTE(review): the file referenced below is "htpasswd" (a relative path, resolved against
# nginx's prefix), not "/etc/nginx/htpassword" as the comment says — confirm which is intended.
# Basic-auth credentials travel in cleartext on the port-80 listener, and autoindex exposes the
# full directory listing to anyone who has a password.
location /var/export/ {
auth_basic "Restricted";
auth_basic_user_file htpasswd;
autoindex on;
}
# Deny all attempts to access hidden files
# such as .htaccess, .htpasswd, etc...
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# X-Forwarded-Proto is set by the proxy's ssl.conf. Since this server also listens directly on
# 80/443, a client that can reach it without the proxy could set the header itself; harmless
# here because the variables are unused.
if ($http_x_forwarded_proto = "https") {
set $my_http "https";
set $my_ssl "on";
set $my_port "443";
}
# This redirect is added so to use Magentos
# common front handler when handling incoming URLs.
location @handler {
rewrite / /index.php;
}
# Forward paths such as /js/index.php/x.js
# to their relevant handler.
# (The "." before "php" is unescaped, so it matches any single character.)
location ~ .php/ {
rewrite ^(.*.php)/ $1 last;
}
# Server-level rewrite runs before location selection: any path that does not exist on disk is
# sent to /index.php. nginx documentation prefers try_files over if/rewrite for this.
if (!-e $request_filename) {
rewrite . /index.php last;
}
location ~ \.php$ {
# Forced on for both listeners, so PHP sees HTTPS even on plain-HTTP requests ($my_ssl above
# would be the accurate value).
fastcgi_param HTTPS on;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# NOTE(review): there is no "try_files $uri =404;" before fastcgi_pass. The !-e rewrite above
# incidentally keeps non-existent *.php paths away from PHP-FPM, but an explicit try_files here
# makes that guard deliberate rather than a side effect.
}
# Only htm/html reach this block: the earlier regex location already claims the other extensions.
location ~* \.(htm|html|js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
# (Unreachable: the "location ~ /\." block above matches first.)
location ~ /\.ht {
deny all;
}
error_page 404 /notfound.html;
}
}