moeyy

A salted fish with lofty ambitions.

Build a website LNMP environment using OneinStack and configure a WAF firewall to prevent CC attacks.

Introduction

Many webmasters run into CC (HTTP flood) attacks sooner or later. The best defence against them is a CDN such as CloudFlare, but CloudFlare is not always fast and is blocked in many places, which makes for a poor user experience. In that case a script can provide some protection. I previously shared a script for this, which can be found here: Linux VPS CC Attack Prevention Script with WeChat Notification. That script works by reading the access logs, so it does not hold up well against larger CC attacks and may not be suitable in some situations.

Here I will explain another approach: preventing CC attacks with a WAF firewall built from Nginx + Lua, which can also intercept URL keywords. Nginx is a good fit because of its low resource usage and high concurrency, and Lua is a lightweight language. Because requests are inspected before they reach the application, the protection is good.

Because the Lua module must be compiled into Nginx before it can be configured, I recommend the OneinStack LNMP package, which ships OpenResty with the Lua modules included.

LNMP Installation

First, go to the OneinStack website to generate the OneinStack package at https://oneinstack.com/auto/. Choose OpenResty as the Nginx flavour. If the server has less than 1GB of memory, choose a MySQL version no higher than 5.5. Adjust the other settings to your needs.


Copy the generated OneinStack package into your SSH client and run it until the installation completes.

LNMP operation commands:

# Please operate in the oneinstack directory before performing any operations
cd oneinstack
# Add a website
./vhost.sh
# Delete a website
./vhost.sh del
# Add other components
./addons.sh
# Website backup
./backup_setup.sh
# Update version
./upgrade.sh

For more commands and graphical operations, refer to: https://oneinstack.com/install/.

Related directories:

# Default site directory, which contains phpMyAdmin; rename phpMyAdmin to a less predictable name, such as xx, and open the database via IP:xx
/data/wwwroot/default
# Website directory
/data/wwwroot
# Website configuration files
/usr/local/openresty/nginx/conf/vhost

After adding a website, use an FTP tool to upload the program to the root directory, create a database, and open the website configuration.

Configuring the WAF Firewall

Here, we will use a popular WAF firewall script based on ngx_lua from GitHub to prevent CC attacks and intercept URL keywords. Its features include:

  • Prevention of web attacks such as SQL injection, local file inclusion, overflow, fuzzing, XSS, and SSRF.
  • Prevention of file leaks such as SVN/backups.
  • Prevention of attacks from stress testing tools like ApacheBench.
  • Blocking common scanning hacker tools and scanners.
  • Blocking abnormal network requests.
  • Blocking PHP execution permissions in image attachment directories.
  • Prevention of webshell uploads.

GitHub link: https://github.com/loveshell/ngx_lua_waf.

First, download ngx_lua_waf to the conf directory:

cd /usr/local/openresty/nginx/conf
wget https://www.moeyy.cn/usr/down/waf.tar.gz
tar zxf waf.tar.gz
rm -rf waf.tar.gz

Next, edit /usr/local/openresty/nginx/conf/nginx.conf and place the following code inside the http{} block.

lua_shared_dict limit 10m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/waf.lua";

Then, run service nginx restart to restart Nginx and apply the changes.

Configuration file: /usr/local/openresty/nginx/conf/waf/config.lua. Its parameters, which you should adjust to your needs:

RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"
-- Rule storage directory
attacklog = "on"
-- Whether to enable attack information logging, logdir needs to be configured
logdir = "/data/wwwlogs/"
-- Log storage directory, this directory needs to be created by the user and requires write permissions for the nginx user
UrlDeny="on"
-- Whether to intercept URL access
Redirect="on"
-- Whether to intercept and redirect
CookieMatch = "on"
-- Whether to intercept cookie attacks
postMatch = "off"
-- Whether to intercept post attacks
whiteModule = "on"
-- Whether to enable URL whitelist
black_fileExt={"php","jsp"}
-- Specify the file extensions that are not allowed to be uploaded
ipWhitelist={"127.0.0.1"}
-- IP whitelist, multiple IPs separated by commas
ipBlocklist={"1.0.0.1"}
-- IP blacklist, multiple IPs separated by commas
CCDeny="on"
-- Whether to enable CC attack interception
CCrate = "10/60"
-- Set the CC attack frequency in seconds.
-- By default, within 1 minute, the same IP can only request the same address 10 times
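As an added illustration (my own code, not ngx_lua_waf's), here is a minimal access-phase script that reproduces the CCDeny/CCrate behaviour described above, using the page's lua_shared_dict limit; the function names parse_rate, is_whitelisted and cc_deny are my own.

```lua
-- Added example, not the project's own code: a minimal access_by_lua handler
-- that shows what CCrate = "10/60" means in practice.
-- Assumes "lua_shared_dict limit 10m;" from the nginx.conf snippet above.

local CCrate      = "10/60"            -- same format as config.lua: requests/seconds
local ipWhitelist = { "127.0.0.1" }    -- whitelisted IPs are never rate-limited

-- "10/60" -> count = 10, seconds = 60
local function parse_rate(rate)
    local count, seconds = rate:match("^(%d+)/(%d+)$")
    assert(count and seconds, "CCrate must look like '10/60'")
    return tonumber(count), tonumber(seconds)
end

local function is_whitelisted(ip)
    for _, allowed in ipairs(ipWhitelist) do
        if ip == allowed then return true end
    end
    return false
end

local function cc_deny()
    local count, seconds = parse_rate(CCrate)
    -- remote_addr is the TCP peer. Behind a CDN or reverse proxy, configure
    -- set_real_ip_from/real_ip_header so this is the client, not the proxy.
    local ip = ngx.var.remote_addr
    if is_whitelisted(ip) then return end

    -- one counter per client IP + requested path, as the config comment says
    local token = ip .. ngx.var.uri
    local limit = ngx.shared.limit
    local hits  = limit:get(token)
    if hits == nil then
        -- first request in this window: start a counter that expires after `seconds`
        limit:set(token, 1, seconds)
    elseif hits >= count then
        -- the (count + 1)th request within the window is rejected with 503
        ngx.log(ngx.WARN, "CC limit hit: ", ip, " ", ngx.var.uri)
        ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
    else
        limit:incr(token, 1)
    end
end

cc_deny()
```

With count = 10, the first request creates the counter, requests 2 to 10 increment it, and the 11th request within the 60-second window is answered with 503, matching the behaviour shown in the test below.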

Filter rules:

Filter rules are located in /usr/local/openresty/nginx/conf/waf/wafconf and can be adjusted to your needs; write each rule on its own line.
Rules in the args section filter GET parameters
Rules in the url section filter GET request URLs
Rules in the post section filter POST requests
Rules in the whitelist section are URLs that should not be filtered
Rules in the user-agent section filter user-agent headers
GET and POST filtering are enabled by default. To enable cookie filtering, uncomment the relevant parts of waf.lua.
Log file names are formatted as virtual_host_name_sec.log.

Whitelist settings:

IP whitelist:
Modify ipWhitelist in /usr/local/openresty/nginx/conf/waf/config.lua.
You can enter multiple IPs, separated by commas, for example: {"127.0.0.1","192.155.1.1"}.

URL whitelist:
Modify /usr/local/openresty/nginx/conf/waf/wafconf/whiteurl. Each URL should be on a separate line. Only the URI is matched, so the entry should not contain query parameters.
For example, if the URL is https://xxx/Rats.php?xx, you can enter ^/Rats.php$ to whitelist the URI /Rats.php regardless of its query string.


Testing the effect:
CC attacks will be intercepted and return a 503 error.


The firewall will intercept requests that trigger keyword matches.

Note that ngx_lua_waf intercepts the phpMyAdmin directory by default. Please change it to a different name to access the database.

References: https://www.94ish.me/1730.html
