Introduction#
Nowadays, many webmasters encounter CC (HTTP flood) attacks to some extent. The best way to defend against such attacks is to use a CDN, such as CloudFlare. However, CloudFlare is not always fast and is blocked in many places, resulting in a poor user experience. In this case, we can use a script to provide some protection. Previously, I shared a script for preventing CC attacks, which can be found at: Linux VPS anti-CC one-click script with WeChat alerts (Linux VPS 防 CC 攻击一键脚本,带微信提醒). However, since it works from the access logs, its effectiveness is limited: it cannot withstand larger CC attacks, so that script is not suitable in some situations.
Here, I will explain another tutorial on preventing CC attacks. We will use Nginx + Lua to set up a WAF firewall that blocks CC attacks and intercepts URL keywords. The advantages of this approach are Nginx's small footprint and high concurrency and the lightweight Lua language; requests are inspected in the web server and blocked before they reach the backend application, resulting in good protection.
Since Lua modules need to be compiled before configuration, and the OneinStack LNMP package comes with the OpenResty module, I recommend using this package to install the website environment.
LNMP Installation#
First, go to the OneinStack website to obtain the one-click package. Visit the following address: https://oneinstack.com/auto/. Choose OpenResty for Nginx; if your server has less than 1 GB of memory, choose MySQL 5.5 or lower. Adjust other settings according to your needs.
Copy the obtained one-click package to your SSH client and run it until the installation is complete.
LNMP operation commands:
# Change into the oneinstack directory before running any of these commands
cd oneinstack
# Add a website
./vhost.sh
# Delete a website
./vhost.sh del
# Add other components
./addons.sh
# Website backup
./backup_setup.sh
# Update version
./upgrade.sh
For more commands and graphical operations, please refer to: https://oneinstack.com/install/.
Related directories:
# Default site directory (contains phpMyAdmin). Rename the phpMyAdmin folder to a less guessable name, such as xx, and then access the database through http://IP/xx
/data/wwwroot/default
# Website directory
/data/wwwroot
# Website configuration file
/usr/local/openresty/nginx/conf/vhost
After adding a website, use an FTP tool to upload the program to the root directory, create a database, and open the website configuration.
Configuring the WAF Firewall#
Here, we will use a popular WAF firewall script based on ngx_lua from GitHub to prevent CC attacks and intercept URL keywords. Its features include:
- Preventing web attacks such as SQL injection, local file inclusion, overflow, fuzzing, XSS, and SSRF.
- Preventing file leaks such as SVN/backups.
- Preventing attacks from stress testing tools like ApacheBench.
- Blocking common scanning hacker tools and scanners.
- Blocking abnormal network requests.
- Blocking PHP execution permissions in image attachment directories.
- Preventing webshell uploads.
GitHub link: https://github.com/loveshell/ngx_lua_waf.
First, download ngx_lua_waf to the conf directory:
cd /usr/local/openresty/nginx/conf
wget https://www.moeyy.cn/usr/down/waf.tar.gz
tar zxf waf.tar.gz
rm -rf waf.tar.gz
Then, edit /usr/local/openresty/nginx/conf/nginx.conf and place the following code inside the http{} block.
lua_shared_dict limit 10m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/waf.lua";
Next, run service nginx restart to restart Nginx and make the changes take effect.
Configuration file:
# Configuration file path
/usr/local/openresty/nginx/conf/waf/config.lua
# Detailed parameters, adjust according to your needs
RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/" -- rule storage directory
attacklog = "on" -- whether to log attack details; logdir must be configured
logdir = "/data/wwwlogs/" -- log directory; you must create it and make it writable by the nginx user
UrlDeny = "on" -- whether to intercept URL access that matches the url rules
Redirect = "on" -- whether to redirect to the block page after intercepting
CookieMatch = "on" -- whether to intercept cookie attacks
postMatch = "off" -- whether to intercept POST attacks
whiteModule = "on" -- whether to enable the URL whitelist
black_fileExt = {"php","jsp"} -- file extensions that are not allowed to be uploaded
ipWhitelist = {"127.0.0.1"} -- IP whitelist, multiple IPs separated by commas
ipBlocklist = {"1.0.0.1"} -- IP blacklist, multiple IPs separated by commas
CCDeny = "on" -- whether to enable CC attack interception
CCrate = "10/60" -- CC rate limit in the form requests/seconds.
-- By default, the same IP may request the same address at most 10 times within 60 seconds; further requests in that window get a 503
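To make the CCrate semantics concrete, here is an added simulation of the per-IP, per-URI fixed-window counter that the setting describes. It is my own example, not ngx_lua_waf's code (the real WAF keeps its counters in the lua_shared_dict named "limit" with a TTL); the class name, the constructed IPs and the 200/503 return values are assumptions for illustration.

```python
import re
import time
from typing import Dict, Optional, Tuple

class CCLimiter:
    """Fixed-window request counter keyed on client IP + URI.

    ccrate has the same form as the config value, e.g. "10/60": at most
    10 requests from one IP to one URI within 60 seconds, then 503.
    """

    def __init__(self, ccrate: str = "10/60"):
        m = re.fullmatch(r"(\d+)/(\d+)", ccrate)
        if not m:
            raise ValueError("CCrate must look like 'count/seconds', e.g. 10/60")
        self.count = int(m.group(1))
        self.seconds = int(m.group(2))
        # token -> (hits in the current window, window expiry timestamp);
        # stands in for a shared-dict entry whose TTL is the window length
        self.store: Dict[str, Tuple[int, float]] = {}

    def check(self, client_ip: str, uri: str, now: Optional[float] = None) -> int:
        """Return 200 if the request may pass, 503 if the CC limit is exceeded."""
        now = time.time() if now is None else now
        token = client_ip + uri  # the counter is per IP *and* per URI
        hits, expires = self.store.get(token, (0, 0.0))
        if now >= expires:  # first hit, or the old window has expired: start a new one
            hits, expires = 0, now + self.seconds
        hits += 1
        self.store[token] = (hits, expires)
        return 503 if hits > self.count else 200

if __name__ == "__main__":
    limiter = CCLimiter("10/60")
    # constructed burst: 12 requests from one IP to one URL in 12 seconds
    codes = [limiter.check("203.0.113.9", "/index.php", now=1000.0 + i) for i in range(12)]
    print(codes)  # the 11th and 12th requests are answered with 503
```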
Filter rules:
# The filter rules are located in /usr/local/openresty/nginx/conf/waf/wafconf.
# The rules can be adjusted according to your needs. Each rule should be on a new line or separated by a delimiter.
- args: rules matched against GET query parameters.
- url: rules matched against the URL of GET requests only.
- post: rules matched against the body of POST requests only.
- whitelist: URLs that are exempted from filtering.
- user-agent: rules matched against the User-Agent header.
# By default, get and post filtering are enabled. To enable cookie filtering, uncomment parts of the waf.lua file.
# The log file name format is as follows: virtual hostname_sec.log
Whitelist settings:
# IP whitelist
Modify ipWhitelist in /usr/local/openresty/nginx/conf/waf/config.lua.
Multiple IPs can be specified, separated by commas, for example: {"127.0.0.1","192.155.1.1"}.
# URL whitelist
Modify /usr/local/openresty/nginx/conf/waf/wafconf/whiteurl. One rule per line. Only the URI path is used for matching, so a rule cannot contain query parameters. This is typically used to allow API links.
For example, if the URL is https://xxx/Rats.php?xx, you can enter ^/Rats.php$ to allow /Rats.php regardless of its query string.
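As an added example (not ngx_lua_waf's code) of how a whiteurl rule is applied: the query string is dropped because only the URI path is matched, and the rule is a regular expression. Case-insensitive matching is an assumption here, following the "i" flag the project passes to ngx.re.match; the function name and sample paths are constructed.

```python
import re
from typing import List
from urllib.parse import urlsplit

def is_whitelisted(request_target: str, rules: List[str]) -> bool:
    """True if the request's URI path matches any whiteurl rule.

    request_target is what the client sent, e.g. "/Rats.php?xx"; only its
    path component is compared, so a rule can never match on parameters.
    """
    uri = urlsplit(request_target).path  # "/Rats.php?xx" -> "/Rats.php"
    return any(re.search(rule, uri, re.IGNORECASE) for rule in rules)

# constructed rule list, as it would appear in wafconf/whiteurl (one per line)
WHITEURL = ["^/Rats.php$"]

if __name__ == "__main__":
    for target in ("/Rats.php?xx", "/Rats.php", "/Rats.php/extra", "/RatsXphp"):
        print(target, is_whitelisted(target, WHITEURL))
```

Note that an unescaped "." in a rule matches any character, so ^/Rats.php$ also whitelists /RatsXphp; write ^/Rats\.php$ for an exact match.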
Effect testing:
CC attacks are intercepted and return a 503 error.
The firewall intercepts requests with triggered keywords.
Note that ngx_lua_waf intercepts the phpMyAdmin directory by default. Please modify it to a different name to access the database.
References: https://www.94ish.me/1730.html