[Abstract] Following up on my earlier post on using nginx to limit DDoS attacks: I had some spare time these past few days and made a few changes to the blog site, building a simple WAF protection layer with OpenResty and ngx_lua_waf. The main addition is a WAF control module, and Nginx was replaced by OpenResty as the web server. OpenResty, open-sourced by Zhang (章同学), has excellent Lua support; my respects and thanks to him!
OpenResty site: https://openresty.org
ngx_lua_waf module: https://github.com/loveshell/ngx_lua_waf
I won't go into the installation itself; installing and using OpenResty is basically the same as Nginx. Only the configuration needs small changes to add the Lua parts.
Add the following to the http block of nginx.conf:
#Add ngx_lua_waf config by sudops.com
lua_package_path "/path/nginx/conf/ngx_lua_waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /path/nginx/conf/ngx_lua_waf/init.lua;
access_by_lua_file /path/nginx/conf/ngx_lua_waf/waf.lua;
The WAF rules themselves live in the following directory, one file per request component:
nginx/conf/ngx_lua_waf/wafconf
args  cookie  post  url  user-agent  whiteurl
Some of ngx_lua_waf's rules and configuration:
$cat url
\.(svn|htaccess|bash_history)
\.(bak|inc|old|mdb|sql|backup|java|class)$
(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
(phpmyadmin|jmx-console|jmxinvokerservlet)
java\.lang
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)

$cat args
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=

$cat config.lua
RulePath = "/path/nginx/conf/ngx_lua_waf/wafconf/"
attacklog = "on"
logdir = "/path/log/"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp","html"}
ipWhitelist={"127.0.0.1"}
ipBlocklist={"1.0.0.1"}
CCDeny="on"
CCrate="100/60"
html=[[
Bad requests..
]]
*** Note that some of the default rules are fairly strict and may block normal operations in the WordPress admin backend; adjust them to your own situation, for example the part covering upload resources.
Below is an example of an illegitimate request trying to access /etc/passwd being blocked by ngx_lua_waf. The page shows 『Bad requests..』; this message can be set in config.lua:
After bringing nginx lua waf online, a look at the logs shows there are still quite a few illegitimate requests:
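To see what the rule files actually do before tuning them, it helps to replay requests through the same matching logic offline. The following Python script is an added example, not part of the post or of ngx_lua_waf; it emulates the access-phase decision as I read waf.lua (IP whitelist, then whiteurl, then the url rules against the whole request URI, then the args rules against each decoded query value, with PCRE's "isjo" flags approximated by re.I|re.S). The url rules are copied from the page; the args rules are a subset of the page's list; the sample requests are taken from the blocked-request log quoted later in the post, paired with the rule the log attributed to them. The `inspect`, `replay` and `rules_agree_with_log` names, the check order, and the sample whiteurl entry `^/wp-admin/` are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Rule sets copied from the post's wafconf/url file and a subset of its args file,
# one regex per line exactly as the files are written (note the literal \\w in the last url rule).
URL_RULES = r"""
\.(svn|htaccess|bash_history)
\.(bak|inc|old|mdb|sql|backup|java|class)$
(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
(phpmyadmin|jmx-console|jmxinvokerservlet)
java\.lang
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
""".strip().splitlines()

ARGS_RULES = r"""
\.\./
select.+(from|limit)
(?:(union(.*?)select))
sleep\((\s*)(\d*)(\s*)\)
(?:etc\/\W*passwd)
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
""".strip().splitlines()


def _match(rule, text):
    # ngx_lua_waf calls ngx.re.match(text, rule, "isjo"); re.I | re.S is the closest Python equivalent.
    return re.search(rule, text, re.I | re.S) is not None


def inspect(request_uri, client_ip="0.0.0.0", ip_whitelist=("127.0.0.1",), white_urls=()):
    """Emulated access-phase decision for one GET request (assumed check order, see lead-in).
    Returns ("allow", reason) or ("deny", "<stage>:<rule>")."""
    if client_ip in ip_whitelist:            # ipWhitelist from config.lua skips every other check
        return ("allow", "ipWhitelist")
    parts = urlsplit(request_uri)
    for rule in white_urls:                  # whiteurl matches the path only and skips all rules
        if _match(rule, parts.path):
            return ("allow", "whiteurl:" + rule)
    for rule in URL_RULES:                   # url rules run against path + query string
        if _match(rule, request_uri):
            return ("deny", "url:" + rule)
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)               # the module unescapes the already-decoded value once more
        for rule in ARGS_RULES:
            if _match(rule, value):
                return ("deny", "args:" + rule)
    return ("allow", None)


# Requests from the post's attack log, each with the rule the log reported for it.
LOGGED_REQUESTS = [
    ("/bbs.rar", r"(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"),
    ("/web%20sites.rar", r"(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"),
    ("/phpmyadmin.zip", r"(phpmyadmin|jmx-console|jmxinvokerservlet)"),
    ("/phpMyAdmin-3.4.3.1/scripts/setup.php", r"(phpmyadmin|jmx-console|jmxinvokerservlet)"),
    ("/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php", r"\.\./"),
    ("/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd", r"(?:etc\/\W*passwd)"),
]


def replay(requests=LOGGED_REQUESTS):
    """Run each logged request through inspect(); returns [(uri, verdict, matched_rule, rule_in_log)]."""
    out = []
    for uri, logged_rule in requests:
        verdict, reason = inspect(uri, client_ip="185.172.110.208")
        matched = reason.split(":", 1)[1] if verdict == "deny" else None
        out.append((uri, verdict, matched, logged_rule))
    return out


def rules_agree_with_log():
    """True when every replayed request is denied by exactly the rule the log attributed to it."""
    return all(v == "deny" and m == logged for _, v, m, logged in replay())


if __name__ == "__main__":
    for uri, verdict, matched, _ in replay():
        print(f"{verdict:5} {uri}  <- {matched}")
    print("log agrees:", rules_agree_with_log())
```

Two things worth checking with this harness before going live: a whiteurl entry such as `^/wp-admin/` stops inspection of every request under that path (including the revslider traversal above), so prefer narrow patterns when loosening the rules for the WordPress backend; and the last url rule contains `\\w`, which PCRE and Python both read as a literal backslash followed by `w`, so test it against a path you expect it to block rather than assuming it covers scripts under the upload directories.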
185.172.110.208 [2018-01-15 07:44:00] "GET /bbs.rar" "-" "User-Agent Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:46:09] "GET /flashfxp.rar" "-" "User-Agent Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:49:20] "GET /phpmyadmin.rar" "-" "User-Agent Baiduspider" "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 07:49:21] "GET /phpmyadmin.zip" "-" "User-Agent Baiduspider" "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 07:49:54] "GET /root.rar" "-" "User-Agent Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:50:21] "GET /sites.rar" "-" "User-Agent Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:53:44] "GET /web%20sites.rar" "-" "User-Agent Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:54:49] "GET /website.rar" "-" "User-Agent Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:54:52] "GET /websites.rar" "-" "User-Agent Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 17:22:09] "GET /phpMyAdmin-2.9.2/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:09] "GET /phpMyAdmin-2/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:10] "GET /phpMyAdmin-3.0.0-rc1-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:10] "GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:11] "GET /phpMyAdmin-3.0.1.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:11] "GET /phpMyAdmin-3.0.1.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:12] "GET /phpMyAdmin-3.0.1.1/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:12] "GET /phpMyAdmin-3.1.0.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:13] "GET /phpMyAdmin-3.1.0.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:13] "GET /phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:14] "GET /phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:14] "GET /phpMyAdmin-3.1.2.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:15] "GET /phpMyAdmin-3.1.2.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:15] "GET /phpMyAdmin-3.4.3.1/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
141.101.76.77 [2018-01-17 02:53:46] "POST /wp-admin/admin-ajax.php?action=frm_forms_preview" "[su_metakey=1 post_id=1 default='print("\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x5F\x31\x30")' filter='assert']" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 GTB5" "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\("
141.101.77.69 [2018-01-18 17:45:17] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:17] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:17] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:etc\/\W*passwd)"
141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:etc\/\W*passwd)"
141.101.77.69 [2018-01-18 17:45:20] "POST /wp-content/plugins/wp-symposium/server/php/index.php" "--13530703071348311 ... Content-Disposition: form-data; name="uploader_url" echo '<form method="POST"><textarea cols=80 rows=20 name="src">'.htmlspecialchars(file_get_contents($_POST['path'])).'</t" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\("
Several very obvious kinds of probing and attacks can be seen in the log above, for example:
(1) attempts to fetch backup files left in the web root, especially backups of the whole site's code and database;
(2) the setup.php file not being removed after a phpMyAdmin installation (phpMyAdmin really does seem to be an easy target);
(3) WordPress-related: attempts to read local directories, plugin vulnerabilities, and some common XSS attacks;
(4) writable web directories, with file and directory permissions all set to 777, and so on.
So the most basic security awareness in operations still needs to improve; many of these attacks only succeed because of unreasonable processes and standards.