The Httpgrard of anti-CC attack weapon

I. Introduction of Httpgrard

Httpguard is a openresty-based anti-CC attack software developed in the LUA scripting language. Openresty is an integrated high-performance Web server Nginx, and a series of nginx modules, the most important of which is our main use of the Nginx LUA module. Httpguard based on the Nginx LUA development, inherited the Nginx high concurrency, high performance characteristics, can be very small performance loss to prevent large-scale cc attacks.

1.1 Httpgrard anti-CC effect

• Limit the number of requests a visitor has within a certain time period
• Send a 302 steering response header to a guest to identify a malicious user and prevent it from being accessed again
• Send a JS code with a jump function to the guest to identify the malicious user and prevent it from being accessed again
• Send a cookie to a guest to identify a malicious user and prevent it from being accessed again
• Support to send visitors with a verification code page, to further identify, so as to avoid accidental injury
• Support for direct disconnection of rogue guest connections
• Supports binding iptables to prevent malicious visitors from connecting again
• White List Feature Support

Support for automatically turning anti-CC mode on or off based on statistics on the number of connections for a specific port
See GitHub address Https://github.com/centos-bz/HttpGuard

Another readme.md address https://www.centos.bz/forum/thread-119-1-1.html

1.2 Installation

Shell script installation, turn on automatic defense

#!/bin/sh#############################################################Cat/etc/redhat-release#CentOS Release 6.8 (Final)#Uname-r#2.6.32-642.13.1.el6.x86_64############################################################. /etc/init.d/functions#Defined result functionfunction Msg () {if[ $? -eq 0];then Action" $"/bin/trueElseAction" $"/bin/Falsefi} Openresty_version='1.11.2.2'php_version='5.5.38'Pyth="/usr/local/openresty/nginx/conf"Red_color='\e[1;31m'RES='\e[0m'Echo-E"$RED _color Transit IP $RES"Read-P"Input relay IP:"afunction install_openresty () {ID www&>/dev/NULLif[ $? -NE 0];then useradd-s/sbin/nologin-M Wwwfiyum Install-y readline-devel pcre-devel openssl-devel gcc unzip &>/dev/NULLCD/usr/src/[ ! -F openresty-${openresty_version}.tar.gz] &&wget https:openresty.org/download/openresty-1.11.2.2.tar.gz &>/dev/Nulltar XF openresty-${OPENRESTY_VERSION}.TAR.GZCD openresty-${openresty_version}./configure--prefix=/usr/local/Openresty--with-Luajit--with-Http_stub_status_module--with-Pcre--with-pcre-jit &>/dev/Nullgmake&>/dev/null && gmake Install &>/dev/null[!-F Master.zip] &&wget--no-check-certificate Https://github.com/centos-bz/HttpGuard/archive/master.zip &>/dev/Nullunzip Master.zip&>/dev/NULLMV Httpguard-master $PYTH/WAFCD $PYTH/Wafchown www logsmsg"Install_openresty"}function Configfile_nginx () {\CP $PYTH/nginx.conf $PYTH/Nginx.conf.bak> $PYTH/Nginx.confcat>> $PYTH/nginx.conf <<EOF User www;worker_processes1; events {Worker_connections1024;}    HTTP {include mime.types; Default_type Application/octet-stream; Lua_max_running_timers1;    Lua_shared_dict guard_dict 100m;    Lua_shared_dict Dict_captcha 70m; Init_by_lua_file'/usr/local/openresty/nginx/conf/waf/init.lua'; Access_by_lua_file'/usr/local/openresty/nginx/conf/waf/runtime.lua'; Lua_package_path"/usr/local/openresty/nginx/conf/waf/?. Lua";    Sendfile on; Keepalive_timeout65; server {Listen80;        server_name localhost; Location/{proxy_pass http://${a};            Proxy_redirect off;            Proxy_set_header Host \ $host; Proxy_set_header X-real-IP \ $remote _addr; Proxy_set_header X-forwarded-For \ $proxy _add_x_forwarded_for; } error_page500 502 503 504/50x.html; Location= /50x.html {root html; }}}eofsed-I."s#basedir = '/data/www/waf/' #baseDir = ' $PYTH/waf/' #g"$PYTH/waf/Config.lua sed-I.'90s#off#on#'$PYTH/waf/config.luased-I.'44s#off#on#'$PYTH/waf/config.luamsg"Configfile_nginx"}function install_php () {Yum-y install libjpeg libjpeg-devel libpng libpng-devel freetype FreeType-devel Libxml2-devel &>/dev/NULLCD/usr/src/[ ! -F php-${php_version}.tar.gz] &&wget http:cn.php.net/distributions/php-5.5.38.tar.gz &>/dev/Nulltar XF php-${PHP_VERSION}.TAR.GZCD PHP-${php_version}./Configure--with-png-dir--with-freetype-dir--with-jpeg-dir--WITH-GD--prefix=/usr/local/php &>/dev/Nullmake&>/dev/null && make install &>/dev/NULLCD $PYTH/waf/Captcha/usr/local/php/bin/PHP getimg.phpmsg"install_php"}function check_openresty () {/usr/local/openresty/nginx/sbin/nginx-t &>/dev/NULL/usr/local/openresty/nginx/sbin/Nginxif[' grep"Openresty"/etc/rc.local|wc-l '-eq 0];then Echo"/usr/local/openresty/nginx/sbin/nginx">>/etc/Rc.localfi MSG"Check_openresty"}function iptables_configure () {Yum-y install Ipset &>/dev/Nulliptables-F/etc/init.d/iptables Save &>/dev/NULL/etc/init.d/iptables Restart &>/dev/nullipset Create Forbidip hash:ip timeout600iptables-A input-p tcp-m set--match-set forbidip src-m TCP--dport 80-J DROP/etc/init.d/iptables Save &>/dev/nullchkconfig iptables onif[' grep"Forbidip"/etc/rc.local|wc-l '-eq 0];then Echo"ipset Create Forbidip hash:ip timeout">>/etc/rc.localfichkconfig iptables onmsg"iptables_configure"}function Main () {install_openresty Configfile_nginx install_php check_openresty Iptables_configure}mai N

Defense Module Introduction

There are three types of active defense modes

--Active defense, 302 response head Jump module

--Active defense, send JS jump code module

--Active defense, send cookie Authentication module

View the Config.lua configuration file specifically

--state: The status of this module, which indicates on or off, the optional value is on or off; --Keysecret: The password used to generate tokens, if the above keydefine is dynamic, there is no need to modify--Active defense, send JS jump code module.        The use of CC control can not parse the characteristics of JS jump to identify whether it is a normal user, when necessary, it is recommended to open. --Keysecret: The password used to generate tokens, if the above keydefine is dynamic, there is no need to modify--Urlprotect The interpretation of Urlprotect in the same limitreqmodules module. --state: The status of this module, which indicates on or off, the optional value is on or off; --Keysecret: The password used to generate tokens, if the above keydefine is dynamic, there is no need to modify--Urlprotect The interpretation of Urlprotect in the same limitreqmodules module. --automatic Active defense, based on the number of connected protectport ports over maxconnection to determine--state: The status of this module, which indicates on or off, the optional value is on or off; --interval interval 30 seconds check the number of connections, the default is 30 seconds. --when the module in the Protectport,maxconnection,normaltimes,exceedtimes:enablemodule is off state, When the number of connections of Port Protectport is exceedtimes more than maxconnection, the module in Enablemodule is opened;--When the module in the Enablemodule is turned on, the module in Enablemodule is closed when the number of connections to the Port Protectport normaltimes times below maxconnection. --Sscommand: We use the SS command to check the number of connected connections for a particular port, and the SS command is much faster than the same netstat command. Please change the path of the SS command to the > on your system.path. --Enablemodules: Automatically start which active defense module, the optional value is Redirectmodules jsjumpmodules cookiemodules

Test:-When the value is CAPTCHA, the IP is returned after the blacklist with a Verification code page, enter the correct verification code to allow continued access to the site

When the value is Blockaction = "forbidden",--is forbidden, the server disconnects the user directly after the IP is blacklisted.

" iptables "  , when cat attack-2016-12-292016-12-29 00:23:52 [WARNING] [limitreqmodules] IP 192.168.179.1 Visit Wuyi times,block it.[ [email protected] logs]#  iptables-lChain INPUT (policy ACCEPT) target     prot opt source< C12/>destination         DROP       TCP  --  bogon                anywhere            tcp dpt:http Chain FORWARD ( Policy accept) target     prot opt source               destination         Chain OUTPUT (policy accept) target     prot opt SOURCE               Destination  

Blockade Time         --Indicates that http-guard blocks the        IP time =,        -- jsjumpmodules redirectmodules Cookiemodules after the verification passes, IP on white list time         = 600,

Problem Point

When this whitelist is turned on, you need to write some IP in the white_ip_list.txt, otherwise all defenses will fail, which may be a bug

--Whitelist IP file, file content is regular expression.

Whiteipmodules = {state = "Off", IPList = BaseDir ... " Url-protect/white_ip_list.txt "},

Only PHP requests are restricted by default

--Urlprotect: Specifies a URL regular expression file that limits the number of requests, and the default value is \.php$, which means that only PHP requests are restricted (of course, this regular > can function when urlmatchmode = "uri")

Match PHP and other

\. (php|htm|html|asp) $

Match all

.*

Or

^/$
\.asp.*$
\.php.*$
\.htm.*$

Log too large

It seems to be closed, you can add a scheduled task cleanup. Cat/dev/null > Log

1.3. WAF on-line

• Early on-line log only, do not open WAF, prevent manslaughter
• WAF rule Management using the Saltstack tool
• You know, it's not safe with a WAF, there are human factors.

1.4, Modsecurity

Modsecurity principle Analysis--a discussion on the circumvention of WAF from the defense aspect

Http://www.tuicool.com/articles/rE3i63n

Installation configuration

Https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes

The Httpgrard of anti-CC attack weapon