Install Nginx + HttpGuard to block CC attacks on CentOS 6.9

What is HttpGuard?

HttpGuard is an anti-CC-attack (HTTP flood) tool built on OpenResty and written in the Lua scripting language. OpenResty bundles the high-performance Nginx web server with a set of Nginx modules, the most important of which for our purposes is the ngx_lua module. Because it is built on ngx_lua, HttpGuard inherits Nginx's high concurrency and performance and can stop large-scale CC attacks with very little performance loss.

Install Dependencies

yum groupinstall 'Development Tools'
yum install readline-devel pcre-devel openssl-devel gcc

Install Nginx + lua

Download luajit from this website: http://luajit.org/download.html

cd /opt
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar zxf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
vim Makefile
export PREFIX= /opt/luajit-2.0.5
save & exit
make && make install

Tell the build where LuaJIT is installed:

export LUAJIT_LIB=/opt/luajit-2.0.5/lib
export LUAJIT_INC=/opt/luajit-2.0.5/include/luajit-2.0

Download the source for nginx, ngx_devel_kit and lua-nginx-module:

cd /opt
wget http://nginx.org/download/nginx-1.14.0.tar.gz
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz
wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz

Extract all the tarballs:

tar zxf nginx-1.14.0.tar.gz
tar zxf v0.10.13.tar.gz
tar zxf v0.3.1rc1.tar.gz

Build and install Nginx with the Lua module; add any other modules you need. Note that --user=root and --group=root make the Nginx worker processes run as root, while the blockAction section below assumes Nginx runs as an unprivileged user such as www, so set these two options to that user if you intend to follow it.

cd /opt/nginx-1.14.0
./configure --prefix=/usr/local/nginx \
--with-pcre \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_ssl_module \
--with-http_realip_module \
--user=root \
--group=root \
--error-log-path=/usr/local/nginx/logs/error.log \
--http-log-path=/usr/local/nginx/logs/access.log \
--pid-path=/var/run/nginx.pid \
--with-ld-opt="-Wl,-rpath,/opt/luajit-2.0.5/lib" \
--add-module=/opt/lua-nginx-module-0.10.13 \
--add-module=/opt/ngx_devel_kit-0.3.1rc1
make && make install

Download HttpGuard and unpack it into the Nginx conf directory:

cd /usr/local/nginx/conf/
wget https://github.com/centos-bz/HttpGuard/archive/master.zip
unzip master.zip
mv HttpGuard-master HttpGuard
cd HttpGuard
vim config.lua

Set baseDir to the directory HttpGuard was unpacked into:

baseDir = '/usr/local/nginx/conf/HttpGuard/'

Then edit the Nginx configuration and add the HttpGuard directives inside the http block:

vim /usr/local/nginx/conf/nginx.conf
http {
. . . 
#HttpGuard
lua_package_path "/usr/local/nginx/conf/HttpGuard/?.lua";
lua_shared_dict guard_dict 100m;
lua_shared_dict dict_captcha 70m;
init_by_lua_file '/usr/local/nginx/conf/HttpGuard/init.lua';
access_by_lua_file '/usr/local/nginx/conf/HttpGuard/runtime.lua';
lua_max_running_timers 1;
. . .
}

HttpGuard configuration options

  • config.lua

keyDefine:
-- Whether the key is generated dynamically. Possible values: static, dynamic. With dynamic, none of the keySecret values below need to be changed; with static, set each keySecret manually.

limitReqModules:
-- Passive defense: request-limiting module, based on the number of requests counted within a time window. Recommended to keep on at all times.
-- state : the status of this module, on or off
-- maxReqs, amongTime : allow at most maxReqs requests within amongTime seconds; the default allows 50 requests within 10 s.
-- urlProtect : file of URL regular expressions to which the request limit applies. The default is \.php$, i.e. only PHP requests are limited (this rule only takes effect when urlMatchMode = "uri").
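To make the limitReqModules rule concrete, here is an added example (written for this article, not HttpGuard's own Lua) that applies the same count-per-window check offline to constructed Nginx access-log lines, using the defaults above and urlProtect = \.php$:

```python
import re
from collections import defaultdict
from datetime import datetime

# Defaults of limitReqModules as described on the page: 50 requests per 10 s,
# counted only on URLs matching \.php$ (urlMatchMode = "uri", so no query string).
MAX_REQS, AMONG_TIME = 50, 10
URL_PROTECT = re.compile(r"\.php$")

# Nginx combined log: ip - - [time] "METHOD uri HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (epoch_seconds, ip, uri), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group(1), m.group(3)

def is_protected(request_uri):
    # urlMatchMode = "uri": match the path only, without the query string.
    return URL_PROTECT.search(request_uri.split("?", 1)[0]) is not None

def find_offenders(lines, max_reqs=MAX_REQS, among_time=AMONG_TIME):
    """Map ip -> count for IPs that exceed max_reqs protected requests inside one
    among_time-second window. The window opens at the IP's first counted request
    and is reset once it expires, like a shared-dict counter with a TTL (an
    approximation written for this example, not HttpGuard's own code)."""
    events = sorted(e for e in map(parse, lines) if e)
    window_start, counts, offenders = {}, defaultdict(int), {}
    for ts, ip, uri in events:
        if not is_protected(uri):
            continue
        if ip not in window_start or ts - window_start[ip] >= among_time:
            window_start[ip], counts[ip] = ts, 0
        counts[ip] += 1
        if counts[ip] > max_reqs:
            offenders[ip] = counts[ip]
    return offenders

def log_line(ip, second, path):  # builds a constructed sample line, not real traffic
    return (f'{ip} - - [10/Oct/2018:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

# Constructed sample: one IP floods a PHP URL, one is a normal visitor, one hammers
# a static file that urlProtect does not cover.
SAMPLE_LOG = ([log_line("203.0.113.7", s // 10, f"/index.php?id={s}") for s in range(60)]
              + [log_line("198.51.100.2", s, "/index.php") for s in range(5)]
              + [log_line("192.0.2.9", s // 10, "/static/app.css") for s in range(60)])
```

Running find_offenders(SAMPLE_LOG) flags only 203.0.113.7; the static-file client is never counted because urlProtect does not match it.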

redirectModules :
-- Active defense: 302 redirect module. CC attack tools do not parse the response header and follow the redirect, which is what distinguishes them from normal users. Recommended to enable when needed.
-- state : the status of this module, on or off
-- verifyMaxFail, amongTime : the module sends a 302 response header carrying a cckey and keyexpire. A visitor that fails to follow the redirect URL more than verifyMaxFail times within amongTime seconds is blacklisted. The default is 5 times.
-- keySecret : the secret used to generate the token. If keyDefine above is dynamic, no change is needed.
-- urlProtect : same meaning as urlProtect in limitReqModules.

JsJumpModules :
-- Active defense: JavaScript redirect module. CC attack tools cannot execute the JS redirect, which is what distinguishes them from normal users. Recommended to enable when needed.
-- state : the status of this module, on or off
-- verifyMaxFail, amongTime : the module sends a response body containing JS redirect code. A visitor that fails to follow the URL in that code more than verifyMaxFail times within amongTime seconds is blacklisted. The default is 5 times.
-- keySecret : the secret used to generate the token. If keyDefine above is dynamic, no change is needed.
-- urlProtect : same meaning as urlProtect in limitReqModules.

cookieModules :
-- Active defense: cookie verification module. It sends a cookie to the visitor and waits for the visitor to send the correct cookie back; CC attack tools generally do not handle cookies, which is what identifies the attack. Recommended to enable when needed.
-- state : the status of this module, on or off
-- verifyMaxFail, amongTime : the module sends a cookie. A visitor that fails to return the correct cookie more than verifyMaxFail times within amongTime seconds is blacklisted. The default is 5 times.
-- keySecret : the secret used to generate the token. If keyDefine above is dynamic, no change is needed.
-- urlProtect : same meaning as urlProtect in limitReqModules.

autoEnable :
-- Automatically turns on active defense when the number of connections on protectPort exceeds maxConnection.
-- state : the status of this module, on or off
-- interval : how often, in seconds, the connection count is checked. The default is 30 seconds.
-- protectPort, maxConnection, normalTimes, exceedTimes : while the modules listed in enableModules are off, they are enabled once the connection count on protectPort has exceeded maxConnection for exceedTimes consecutive checks.
-- While the modules listed in enableModules are on, they are turned off again once the connection count on protectPort has been below maxConnection for normalTimes consecutive checks.
-- ssCommand : the ss command is used to count the connections on the port; it is much faster than the equivalent netstat command. Change this to the path of ss on your own system.
-- enableModules : which active defense modules are started automatically. Possible values: redirectModules, JsJumpModules, cookieModules.
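The autoEnable switching logic above as an added example, written for this article rather than taken from HttpGuard's code; the maxConnection, exceedTimes and normalTimes values and the per-interval connection counts are constructed:

```python
# Hysteresis described for autoEnable: the modules in enableModules are switched on
# after exceedTimes consecutive checks above maxConnection and switched off again
# after normalTimes consecutive checks below it. Constructed values, not defaults.
MAX_CONNECTION, EXCEED_TIMES, NORMAL_TIMES = 2000, 3, 5

def auto_enable(conn_counts, max_connection=MAX_CONNECTION,
                exceed_times=EXCEED_TIMES, normal_times=NORMAL_TIMES):
    """conn_counts: connection counts seen on protectPort, one per interval check.
    Returns the enabled/disabled state of the active modules after each check."""
    enabled, above, below, states = False, 0, 0, []
    for n in conn_counts:
        if n > max_connection:          # above the threshold: extend the "exceed" streak
            above, below = above + 1, 0
        elif n < max_connection:        # below the threshold: extend the "normal" streak
            above, below = 0, below + 1
        else:                           # exactly at the threshold counts for neither
            above = below = 0
        if not enabled and above >= exceed_times:
            enabled, above = True, 0
        elif enabled and below >= normal_times:
            enabled, below = False, 0
        states.append(enabled)
    return states
```

A single spike does not trip the defense; only a sustained excess does, and it stays on until the load has been normal for normalTimes checks.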

captchaKey :
-- Secret used to generate the key issued after the captcha is solved. If keyDefine above is dynamic, no change is needed.

blockAction :
-- The action taken when an IP is blacklisted. Possible values: captcha, forbidden, iptables.
-- captcha: after blacklisting, the IP is served a page with a captcha; entering the correct captcha restores access to the site.
-- forbidden: after blacklisting, the server simply drops the connection from that IP.
-- iptables: after blacklisting, http-guard blocks the IP's connections with iptables.
-- For iptables you must set a password for the user Nginx runs as and allow that user to run the iptables command via sudo. Assuming Nginx runs as user www:
-- 1. Set a password for www: passwd www
-- 2. As root, run visudo and add: www ALL=(root) /sbin/iptables -I INPUT -p tcp -s [0-9.]* --dport 80 -j DROP
-- 3. As root, run visudo, find the Defaults requiretty line and comment it out as #Defaults requiretty. If the line is not present, nothing needs to change.

captchaToIptables :
-- When an IP is blacklisted and blockAction is captcha, requesting the captcha page more than this many times triggers an iptables block.

sudoPass :
-- sudo password of the user Nginx runs as. Required only when blockAction is iptables.

blockTime :
-- How long http-guard keeps an IP blocked.

whiteTime :
-- How long an IP stays whitelisted after passing JsJumpModules, redirectModules or cookieModules verification.

keyExpire :
-- Expiry time of the key used to generate the token.

urlMatchMode :
-- How URLs are matched. Possible values: requestUri, uri.
-- requestUri: the regular expressions in the url-protect directory are matched against the address as originally requested by the browser: not decoded, and including the query string.
-- uri: the regular expressions in the url-protect directory are matched against the rewritten address: decoded, and without the query string.

captchaPage :
-- Path of the captcha page; normally needs no change.

reCaptchaPage :
-- Path of the page shown when the captcha entered is wrong; normally needs no change.

whiteIpModules :
-- Whitelisted-IP file; its contents are regular expressions.

realIpFromHeader :
-- Set this if the real client IP must be taken from a request header, for example x-forwarded-for.
-- Takes effect when its state is on.

captchaDir :
-- Directory of captcha images; normally needs no change.

debug :
-- Enable debug logging.

logPath:
-- Log directory; normally needs no change, but the directory must be owned by the user Nginx runs as. If Nginx runs as www, the command is chown www logs