Nginx & testcookie-nginx-module

Tags

ddos, ddos attack, ddos mitigation, nginx

1. Install required modules:

$ sudo apt-get install libgeoip-dev
$ sudo apt-get install libgd2-noxpm
$ sudo apt-get install libgd2-noxpm-dev
$ sudo apt-get install libgd2-xpm-dev
$ sudo apt-get install libperl-dev
$ sudo apt-get install libpcre3 libpcre3-dev
$ sudo apt-get install libxml2-dev libxslt-dev

2. Download and Install Nginx:

# wget http://nginx.org/download/nginx-1.4.4.tar.gz
# tar -zxvf nginx-1.4.4.tar.gz
# cd nginx-1.4.4

Download testcookie-nginx-module from http://kyprizel.github.io/testcookie-nginx-module/

# tar -zxvf kyprizel-testcookie-nginx-module-8da7c62.tar.gz
# mv kyprizel-testcookie-nginx-module-8da7c62 kyprizel-testcookie-nginx-module
# mkdir /var/lib/nginx/

# ./configure—prefix=/etc/nginx —conf-path=/etc/nginx/nginx.conf —error-log-path=/var/log/nginx/error.log —http-client-body-temp-path=/var/lib/nginx/body —http-fastcgi-temp-path=/var/lib/nginx/fastcgi —http-log-path=/var/log/nginx/access.log —http-proxy-temp-path=/var/lib/nginx/proxy —http-scgi-temp-path=/var/lib/nginx/scgi —http-uwsgi-temp-path=/var/lib/nginx/uwsgi —lock-path=/var/lock/nginx.lock —pid-path=/var/run/nginx.pid —with-debug —with-http_addition_module —with-http_dav_module —with-http_flv_module —with-http_geoip_module —with-http_gzip_static_module —with-http_image_filter_module —with-http_mp4_module —with-http_perl_module —with-http_random_index_module —with-http_realip_module —with-http_secure_link_module —with-http_stub_status_module —with-http_ssl_module —with-http_sub_module —with-http_xslt_module —with-ipv6 —with-sha1=/usr/include/openssl —with-md5=/usr/include/openssl —with-mail —with-mail_ssl_module —add-module=kyprizel-testcookie-nginx-module

Nginx installed in /etc/nginx folder.

# mkdir /etc/nginx/sites-enabled/
# mkdir /etc/nginx/conf.d
# cd /etc/nginx

Download the following configuration file from pastebin:

1. nginx.conf : http://pastebin.com/23s0XNZE
2. conf.d/proxy.conf : http://pastebin.com/vzTFMJi2
3. site-available/www.bdneg.com : http://pastebin.com/jeEyhJ1P

To prevent automatic parsing, challenge cookie value can be encrypted with AES-128 in CBC mode using custom/random key and iv, and then decrypted at client side with JavaScript using SlowAES.

# svn checkout http://slowaes.googlecode.com/svn/trunk/ slowaes-read-only
# cp slowaes-read-only/js/aes.js /var/www/aes.min.js

nginx: Fight against dDOS (Part 1)

Tags

ddos, My Work, nginx, ubuntu

Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. We will compile nginx as reverse HTTP proxy and add some module to fight against dDOS attack.

Add stable repository for nginx in Ubuntu

$ sudo su
# echo “deb http://ppa.launchpad.net/nginx/stable/ubuntu lucid main” » /etc/apt/sources.list.d/nginx.list
# apt-key adv —keyserver keyserver.ubuntu.com —recv-keys C300EE8C
# apt-get install nginx
# apt-get install nginx-extras

Please check whether nginx and nginx-extras has been installed. Nginx installation location will be /etc/nginx. nginx will run on port 80. So if you have apache running on port 80, change it to 8080 or something else.

Nginx Shell Script To Block Spamhaus Lasso Drop Spam IP Address

# /etc/nginx# cd /etc/nginx/
# wget http://bash.cyberciti.biz/dl/500.sh.zip
# unzip 500.sh.zip
# mv 500.sh nginx.drop.lasso
# chmod +x nginx.drop.lasso
# rm 500.sh.zip

Edit nginx.drop.lasso as per you nginx installation location.

# ./nginx.drop.lasso

[source: http://bash.cyberciti.biz/web-server/nginx-shell-script-to-block-spamhaus-lasso-drop-spam-ip-address/]

Install Roboo to Ubuntu for DDOS protection

# mkdir /opt/local/share/nginx
# wget https://github.com/yuri-gushin/Roboo/blob/master/Roboo.pm
# vi /etc/nginx.conf [attached file]

Install bellow perl module:

# cpan
cpan[1]> install CPAN
cpan[2]> reload cpan
cpan[3]> install Net::IP::Match::Regexp
cpan[4]> install Compress::Zlib
cpan[5]> install Digest::SHA
cpan[6]> install Crypt::Random

Start nginx service

# /etc/init.d/nginx start

[Source: https://github.com/yuri-gushin/Roboo]
[Roboo howto: http://marguspala.com/install-roboo-to-ubuntu-for-ddos-protection/]

On next tutorial I will test how this nginx http proxy server whether it can handle:

– HTTP Denial of Service tools – e.g. Low Orbit Ion Cannon
– Vulnerability Scanning – e.g. Acunetix Web Vulnerability Scanner, Metasploit Pro, Nessus
– Web exploits
– Spiders, Crawlers and other robotic evil

nginx.conf
——————————————————————————————————————-
user www-data;
worker_processes 2;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
# multi_accept on;
}

http {
perl_modules /opt/local/share/nginx;
perl_require Roboo.pm;

include /etc/nginx/mime.types;
include drop.lasso.conf;
default_type application/octet-stream;
log_format main ‘$remote_addr – $remote_user [$time_local] “$request” $status $bytes_sent “$http_referer” “$http_user_agent” “$gzip_ratio”’;
access_log /var/log/nginx/access.log;
server_names_hash_bucket_size 64;
#server_names_hash_max_size 1024;
#types_hash_bucket_size 32;
types_hash_max_size 2048;

client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
client_body_buffer_size 16k;
large_client_header_buffers 4 16k;
request_pool_size 4k;
sendfile on;

gzip off;
gzip_min_length 0;
gzip_buffers 4 8k;
gzip_types text/plain application/x-shockwave-flash text/css application/x-javascript text/xml application/xml application/xml+rss text/javascr
ipt;
gzip_proxied any;
gzip_http_version 1.0;
output_buffers 1 32k;
postpone_output 1460;

tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
server_tokens off;
proxy_cache_path /opt/local/share/nginx/cache levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000m;

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

## Server www.fakrul.com [this site is not using Roboo features]
server {
listen 80;
server_name www.fakrul.com;
add_header Cache-Control public;
access_log /var/log/nginx/www.fakrul.com.access.log;
error_log /var/log/nginx/www.fakrul.com.error.log error;
expires max;
location / {
proxy_pass http://202.4.96.15; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_cache cache; proxy_cache_valid 5m;
}
}

## Server blog.fakrul.com [this site using Roboo features]
server {
listen 80;
server_name blog.fakrul.com;
add_header Cache-Control public;
access_log /var/log/nginx/blog.fakrul.com.access.log;
error_log /var/log/nginx/blog.fakrul.com.error.log error;
expires max;
location / {
perl Roboo::handler;
set $Roboo_challenge_modes ”SWF,gzip”;

# Defaults
set $Roboo_cookie_name “Anti-Robot”; # Cookie name used for challenge/response
set $Roboo_validity_window 600; # Authentication validity time window
set $Roboo_whitelist “IP(),UA(”),URI(”)”; # Whitelist – IP addresses (CIDR), user-agents or URIs (PCRE)
set $Roboo_charset “UTF-8”; # Charset used during challenge (for proper POST resubmissions)
set $Roboo_challenge_hash_input $remote_addr;# Advanced – challenge hash basis, can add $server_name$server_port$http_host$http_user_agent
error_page 555 = @proxy;
expires epoch;
add_header Last-Modified “”;
if ($Roboo_challenge_modes ~ gzip) {
gzip on;
}
access_log /var/log/nginx/blog.fakrul.com.challenged.log;
}
location @proxy {
proxy_pass http://ghs.google.com;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_cache cache;
proxy_cache_valid 5m;
gzip on;
access_log /var/log/nginx/blog.fakrul.com.verified.log;
}
} ## End of blog.fakrul.com
}

NGINX™ How To

Tags

nginx, ubuntu, Web Server

Source: http://wiki.nginx.org/

http://nginx.net/

NGINX™ is advanced Internet infrastructure software. It is a high performance web server with the lowest memory footprint and it provides complete combination of the most essential features required to build modern and efficient web infrastructure.

Today NGINX is the 2nd most popular open source web server on the Internet.

NGINX functionality includes HTTP web server, HTTP and mail reverse proxy, content caching, load balancing, compression, bandwidth policing, connection multiplexing and reuse, SSL offload and media streaming.

You can install NGINX official Debian/Ubuntu packages. Append the appropriate stanza to /etc/apt/sources.list:

Ubuntu 10.04:

root@server:/# deb http://nginx.org/packages/ubuntu/ lucid nginx

root@server:/# deb-src http://nginx.org/packages/ubuntu/ lucid nginx

root@server:/# apt-get install nginx to install NGINX.

NGINX configuration file reside in /etc/nginx folder. Add following configuration to nginx.conf file.

user  nginx;

worker_processes  2;

error_log  /var/log/nginx/error.log warn;

pid        /var/run/nginx.pid;

events {

    worker_connections  1024;

use epoll;

}

http {

    server_names_hash_bucket_size 64;

    include       /etc/nginx/mime.types;

    include     drop.lasso.conf;

    default_type  application/octet-stream;

    limit_req_zone  $binary_remote_addr  zone=one:10m   rate=1r/s;

    log_format main ‘$remote_addr – $remote_user [$time_local] ‘

                    ’”$request” $status $body_bytes_sent “$http_referer” ‘

                    ‘”$http_user_agent” “$http_x_forwarded_for”’;

    access_log  /var/log/nginx/access.log;

    # spool uploads to disk instead of clobbering downstream servers

    client_body_temp_path /var/spool/nginx-client-body 1 2;

    client_max_body_size 32m;

    client_body_buffer_size    128k;

   

    server_tokens       off;

    sendfile            on;

    tcp_nopush          on;

    tcp_nodelay         off;

    keepalive_timeout   5;

  

   ## Timeouts

    client_body_timeout   60;

    client_header_timeout 60;

    expires               24h;

    send_timeout          60;

   ## General Options

    ignore_invalid_headers   on;

    keepalive_requests      100;

    limit_zone gulag $binary_remote_addr 5m;

    recursive_error_pages    on;

    server_name_in_redirect off;

    ## Compression

    gzip on;

    gzip_http_version 1.0;

    gzip_comp_level 2;

    gzip_proxied any;

    gzip_min_length  1100;

    gzip_buffers 16 8k;

    gzip_types text/plain text/css application/x-javascript

        text/xml application/xml application/xml+rss text/javascript;

    # Some version of IE 6 don’t handle compression well on some mime-types,

    # so just disable for them

    gzip_disable “MSIE [1-6].(?!.*SV1)”;

    # Set a vary header so downstream proxies don’t send cached gzipped

    # content to IE6

    gzip_vary on;

   

    # proxy settings

    proxy_redirect     off;

    proxy_set_header   Host             $host;

    proxy_set_header   X-Real-IP        $remote_addr;

    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

    proxy_max_temp_file_size 0;

    proxy_connect_timeout      90;

    proxy_send_timeout         90;

    proxy_read_timeout         90;

    proxy_buffer_size          4k;

    proxy_buffers              4 32k;

    proxy_busy_buffers_size    64k;

    proxy_temp_file_write_size 64k;

    include /etc/nginx/conf.d/*.conf;

}

Configuration:

root@server:/# cd /etc/nginx/conf.d/

root@server:/etc/nginx/conf.d# vi fakrul.com

[fakrul.com is your domain name]

server {

    listen       80;

    server_name www.fakrul.com;

    access_log  /var/log/nginx/fakrul.access.log;

    error_log   /var/log/nginx/fakrul.error.log;

     ## Only requests to our Host are allowed

      if ($host !~ ^(fakrul.com|www.fakrul.com)$ ) {

         return 444;

      }

     ## Only allow these request methods

      if ($request_method !~ ^(GET|HEAD|POST)$ ) {

         return 444;

      }

    # proxy to Apache 2 and mod_python

    location / {

        proxy_pass         http://192.168.100.100:80/; #your original web server running on 192.168.100.100.80

        proxy_redirect     off;

        proxy_set_header   Host             $host;

        proxy_set_header   X-Real-IP        $remote_addr;

        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

        proxy_max_temp_file_size 0;

        client_max_body_size       10m;

        client_body_buffer_size    128k;

        proxy_connect_timeout      90;

        proxy_send_timeout         90;

        proxy_read_timeout         90;

        proxy_buffer_size          4k;

        proxy_buffers              4 32k;

        proxy_busy_buffers_size    64k;

        proxy_temp_file_write_size 64k;

    }

}

root@server:/etc/nginx/conf.d# /etc/init.d/nginx start

Check the web server log.

root@server:/etc/nginx/conf.d# tail -f /var/log/nginx/fakrul.access.log

You can get the details performance analysis of NGINX & Apache from

http://www.joeandmotorboat.com/2008/02/28/apache-vs-nginx-web-server-performance-deathmatch/