blog.alam.rocks

Tag Archives: nginx

Nginx & testcookie-nginx-module

30 Saturday Nov 2013

Posted by Fakrul Alam in Uncategorized

Tags

ddos, ddos attack, ddos mitigation, nginx

1. Install required modules:

$ sudo apt-get install libgeoip-dev
$ sudo apt-get install libgd2-noxpm
$ sudo apt-get install libgd2-noxpm-dev
$ sudo apt-get install libgd2-xpm-dev
$ sudo apt-get install libperl-dev
$ sudo apt-get install libpcre3 libpcre3-dev
$ sudo apt-get install libxml2-dev libxslt-dev

2. Download and Install Nginx:

# wget http://nginx.org/download/nginx-1.4.4.tar.gz
# tar -zxvf nginx-1.4.4.tar.gz
# cd nginx-1.4.4

Download testcookie-nginx-module from http://kyprizel.github.io/testcookie-nginx-module/

# tar -zxvf kyprizel-testcookie-nginx-module-8da7c62.tar.gz
# mv kyprizel-testcookie-nginx-module-8da7c62 kyprizel-testcookie-nginx-module
# mkdir /var/lib/nginx/
# ./configure --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
    --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid \
    --with-debug --with-http_addition_module --with-http_dav_module --with-http_flv_module \
    --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module \
    --with-http_mp4_module --with-http_perl_module --with-http_random_index_module \
    --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module \
    --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 \
    --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl \
    --with-mail --with-mail_ssl_module --add-module=kyprizel-testcookie-nginx-module
# make
# make install

Nginx is now installed under /etc/nginx.

# mkdir /etc/nginx/sites-enabled/
# mkdir /etc/nginx/conf.d
# cd /etc/nginx

Download the following configuration files from pastebin:

1. nginx.conf : http://pastebin.com/23s0XNZE
2. conf.d/proxy.conf : http://pastebin.com/vzTFMJi2
3. site-available/www.bdneg.com : http://pastebin.com/jeEyhJ1P

To prevent automatic parsing, the challenge cookie value can be encrypted with AES-128 in CBC mode using a custom or random key and IV, and then decrypted on the client side with JavaScript using SlowAES.

# svn checkout http://slowaes.googlecode.com/svn/trunk/ slowaes-read-only
# cp slowaes-read-only/js/aes.js /var/www/aes.min.js

nginx: Fight against dDOS (Part 1)

05 Thursday Jul 2012

Posted by Fakrul Alam in Uncategorized

Tags

ddos, My Work, nginx, ubuntu

Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. We will set up nginx as a reverse HTTP proxy and add some modules to fight against DDoS attacks.

Add stable repository for nginx in Ubuntu

$ sudo su
# echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu lucid main" >> /etc/apt/sources.list.d/nginx.list
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C
# apt-get update
# apt-get install nginx
# apt-get install nginx-extras

Check that nginx and nginx-extras have been installed. The nginx installation location will be /etc/nginx. nginx will run on port 80, so if you have Apache running on port 80, change it to 8080 or another port.

Nginx Shell Script To Block Spamhaus Lasso Drop Spam IP Address

# cd /etc/nginx/
# wget http://bash.cyberciti.biz/dl/500.sh.zip
# unzip 500.sh.zip
# mv 500.sh nginx.drop.lasso
# chmod +x nginx.drop.lasso
# rm 500.sh.zip

Edit nginx.drop.lasso to match your nginx installation location.

# ./nginx.drop.lasso

[source: http://bash.cyberciti.biz/web-server/nginx-shell-script-to-block-spamhaus-lasso-drop-spam-ip-address/]

Install Roboo to Ubuntu for DDOS protection

# mkdir -p /opt/local/share/nginx
# cd /opt/local/share/nginx
# wget https://github.com/yuri-gushin/Roboo/raw/master/Roboo.pm
# vi /etc/nginx/nginx.conf [attached file]

Install the Perl modules below:

# cpan
cpan[1]> install CPAN
cpan[2]> reload cpan
cpan[3]> install Net::IP::Match::Regexp
cpan[4]> install Compress::Zlib
cpan[5]> install Digest::SHA
cpan[6]> install Crypt::Random

Start nginx service

# /etc/init.d/nginx start

[Source: https://github.com/yuri-gushin/Roboo]
[Roboo howto: http://marguspala.com/install-roboo-to-ubuntu-for-ddos-protection/]

In the next tutorial I will test whether this nginx HTTP proxy server can handle:

– HTTP Denial of Service tools – e.g. Low Orbit Ion Cannon
– Vulnerability Scanning – e.g. Acunetix Web Vulnerability Scanner, Metasploit Pro, Nessus
– Web exploits
– Spiders, Crawlers and other robotic evil

nginx.conf
--------------------------------------------------
user www-data;
worker_processes 2;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    perl_modules /opt/local/share/nginx;
    perl_require Roboo.pm;

    include /etc/nginx/mime.types;
    include drop.lasso.conf;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';
    access_log /var/log/nginx/access.log;
    server_names_hash_bucket_size 64;
    #server_names_hash_max_size 1024;
    #types_hash_bucket_size 32;
    types_hash_max_size 2048;

    client_header_timeout 10m;
    client_body_timeout 10m;
    send_timeout 10m;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    client_body_buffer_size 16k;
    large_client_header_buffers 4 16k;
    request_pool_size 4k;
    sendfile on;

    gzip off;
    gzip_min_length 0;
    gzip_buffers 4 8k;
    gzip_types text/plain application/x-shockwave-flash text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_proxied any;
    gzip_http_version 1.0;
    output_buffers 1 32k;
    postpone_output 1460;

    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 75 20;
    ignore_invalid_headers on;
    server_tokens off;
    proxy_cache_path /opt/local/share/nginx/cache levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000m;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ## Server www.fakrul.com [this site is not using Roboo features]
    server {
        listen 80;
        server_name www.fakrul.com;
        add_header Cache-Control public;
        access_log /var/log/nginx/www.fakrul.com.access.log;
        error_log /var/log/nginx/www.fakrul.com.error.log error;
        expires max;
        location / {
            proxy_pass http://202.4.96.15;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_cache cache;
            proxy_cache_valid 5m;
        }
    }

    ## Server blog.fakrul.com [this site using Roboo features]
    server {
        listen 80;
        server_name blog.fakrul.com;
        add_header Cache-Control public;
        access_log /var/log/nginx/blog.fakrul.com.access.log;
        error_log /var/log/nginx/blog.fakrul.com.error.log error;
        expires max;
        location / {
            perl Roboo::handler;
            set $Roboo_challenge_modes "SWF,gzip";

            # Defaults
            set $Roboo_cookie_name "Anti-Robot"; # Cookie name used for challenge/response
            set $Roboo_validity_window 600; # Authentication validity time window
            set $Roboo_whitelist "IP(),UA(''),URI('')"; # Whitelist - IP addresses (CIDR), user-agents or URIs (PCRE)
            set $Roboo_charset "UTF-8"; # Charset used during challenge (for proper POST resubmissions)
            set $Roboo_challenge_hash_input $remote_addr; # Advanced - challenge hash basis, can add $server_name$server_port$http_host$http_user_agent
            error_page 555 = @proxy;
            expires epoch;
            add_header Last-Modified "";
            if ($Roboo_challenge_modes ~ gzip) {
                gzip on;
            }
            access_log /var/log/nginx/blog.fakrul.com.challenged.log;
        }
        location @proxy {
            proxy_pass http://ghs.google.com;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_cache cache;
            proxy_cache_valid 5m;
            gzip on;
            access_log /var/log/nginx/blog.fakrul.com.verified.log;
        }
    } ## End of blog.fakrul.com
}
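
The blog.fakrul.com server block writes requests still facing the Roboo challenge to blog.fakrul.com.challenged.log and requests handed on to @proxy to blog.fakrul.com.verified.log, so comparing the two files shows which clients keep requesting pages without ever answering the challenge. The Python script below is an added example, not part of the original post or of Roboo; the log lines, addresses and the min_challenges threshold are constructed, and it assumes nginx's default "combined" log format, which applies because these access_log directives name no format.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range IPs) standing in for
# blog.fakrul.com.challenged.log and blog.fakrul.com.verified.log.
CHALLENGED_LOG = '''\
203.0.113.10 - - [05/Jul/2012:10:00:00 +0600] "GET / HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2012:10:00:01 +0600] "GET / HTTP/1.1" 200 912 "-" "-"
198.51.100.7 - - [05/Jul/2012:10:00:01 +0600] "GET / HTTP/1.1" 200 912 "-" "-"
198.51.100.7 - - [05/Jul/2012:10:00:02 +0600] "GET /?x=1 HTTP/1.1" 200 912 "-" "-"
198.51.100.7 - - [05/Jul/2012:10:00:02 +0600] "GET /?x=2 HTTP/1.1" 200 912 "-" "-"
192.0.2.44 - - [05/Jul/2012:10:00:03 +0600] "GET / HTTP/1.1" 200 912 "-" "Mozilla/5.0"
truncated line with no fields
'''
VERIFIED_LOG = '''\
203.0.113.10 - - [05/Jul/2012:10:00:01 +0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jul/2012:10:00:02 +0600] "GET /style.css HTTP/1.1" 200 830 "-" "Mozilla/5.0"
'''

# Client IP, two ignored fields, [timestamp], "request", three-digit status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')

def hits_per_ip(log_text):
    """Count well-formed log lines per client IP; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def triage(challenged_text, verified_text, min_challenges=3):
    """Label each challenged client by whether it ever passed the challenge."""
    challenged = hits_per_ip(challenged_text)
    verified = hits_per_ip(verified_text)
    labels = {}
    for ip, n in challenged.items():
        if verified[ip] > 0:
            labels[ip] = "passed"          # also appears in the verified log
        elif n >= min_challenges:
            labels[ip] = "never-verified"  # keeps requesting, never answers
        else:
            labels[ip] = "pending"         # too few requests to judge
    return labels

if __name__ == "__main__":
    for ip, label in sorted(triage(CHALLENGED_LOG, VERIFIED_LOG).items()):
        print(ip, label)
```

A "passed" client can still be abusive: a bot that executes the challenge lands in the verified log like any browser, so request volume there needs its own check.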

NGINX™ How To

04 Tuesday Oct 2011

Posted by Fakrul Alam in Uncategorized

Tags

nginx, ubuntu, Web Server

Source: http://wiki.nginx.org/

http://nginx.net/

NGINX™ is advanced Internet infrastructure software. It is a high-performance web server with the lowest memory footprint, and it provides a complete combination of the most essential features required to build modern and efficient web infrastructure.

Today NGINX is the 2nd most popular open source web server on the Internet.

NGINX functionality includes HTTP web server, HTTP and mail reverse proxy, content caching, load balancing, compression, bandwidth policing, connection multiplexing and reuse, SSL offload and media streaming.

You can install the official NGINX Debian/Ubuntu packages. Append the appropriate stanza to /etc/apt/sources.list:

Ubuntu 10.04:

deb http://nginx.org/packages/ubuntu/ lucid nginx
deb-src http://nginx.org/packages/ubuntu/ lucid nginx

Then install NGINX:

root@server:/# apt-get update
root@server:/# apt-get install nginx

The NGINX configuration files reside in the /etc/nginx folder. Add the following configuration to the nginx.conf file.

user  nginx;
worker_processes  2;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
    use epoll;
}
http {
    server_names_hash_bucket_size 64;
    include       /etc/nginx/mime.types;
    include     drop.lasso.conf;
    default_type  application/octet-stream;
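    # This only defines the shared-memory zone; requests are rate-limited
    # only in a context that also carries a "limit_req zone=one" directive.
    limit_req_zone  $binary_remote_addr  zone=one:10m   rate=1r/s;
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';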
    access_log  /var/log/nginx/access.log;
    # spool uploads to disk instead of clobbering downstream servers
    client_body_temp_path /var/spool/nginx-client-body 1 2;
    client_max_body_size 32m;
    client_body_buffer_size    128k;
   
    server_tokens       off;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         off;
    keepalive_timeout   5;
  
   ## Timeouts
    client_body_timeout   60;
    client_header_timeout 60;
    expires               24h;
    send_timeout          60;
   ## General Options
    ignore_invalid_headers   on;
    keepalive_requests      100;
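    # limit_zone was made obsolete in nginx 1.1.8 (use limit_conn_zone) and
    # removed in 1.7.6; the zone has no effect until a limit_conn directive uses it.
    limit_zone gulag $binary_remote_addr 5m;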
    recursive_error_pages    on;
    server_name_in_redirect off;
    ## Compression
    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_proxied any;
    gzip_min_length  1100;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/x-javascript
        text/xml application/xml application/xml+rss text/javascript;
    # Some versions of IE 6 don't handle compression well on some mime-types,
    # so just disable for them
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    # Set a vary header so downstream proxies don't send cached gzipped
    # content to IE6
    gzip_vary on;
   
    # proxy settings
    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_max_temp_file_size 0;
    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;
    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
    include /etc/nginx/conf.d/*.conf;
}
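
Configuration:

root@server:/# cd /etc/nginx/conf.d/
root@server:/etc/nginx/conf.d# vi fakrul.com.conf

[fakrul.com is your domain name; the file needs the .conf suffix to be picked up by the include /etc/nginx/conf.d/*.conf line in nginx.conf]
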
server {
    listen       80;
    server_name www.fakrul.com;
    access_log  /var/log/nginx/fakrul.access.log;
    error_log   /var/log/nginx/fakrul.error.log;
     ## Only requests to our Host are allowed
      if ($host !~ ^(fakrul\.com|www\.fakrul\.com)$ ) {
         return 444;
      }
     ## Only allow these request methods
      if ($request_method !~ ^(GET|HEAD|POST)$ ) {
         return 444;
      }
    # proxy to Apache 2 and mod_python
    location / {
        proxy_pass         http://192.168.100.100:80/; # your original web server, running on 192.168.100.100:80
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        client_max_body_size       10m;
        client_body_buffer_size    128k;
        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
    }
}

root@server:/etc/nginx/conf.d# /etc/init.d/nginx start

Check the web server log.

root@server:/etc/nginx/conf.d# tail -f /var/log/nginx/fakrul.access.log

A detailed performance comparison of NGINX and Apache is available at
http://www.joeandmotorboat.com/2008/02/28/apache-vs-nginx-web-server-performance-deathmatch/
