
nginx software WAF (OpenResty)

Today an enterprise's externally exposed traffic is almost entirely HTTP/HTTPS; every other internal port can be locked down with device ACLs and iptables. So how do we protect the main web entry point?
We implement a software WAF on top of nginx with Lua (OpenResty).

nginx WAF inspection order:

Check the whitelist first; a hit skips every further check. Then check the blacklist; a hit is rejected. Then check the User-Agent and reject on a hit; then the cookie check, the URL check, the URL argument check, and finally the POST body check.
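The same seven-stage pipeline modelled in Python as an added example (this is not litewaf's code; the networks and regex rules are constructed for the illustration, and the sample requests are made up). It shows the two properties the order above implies: a whitelisted source is never inspected at all, and the request body is only read for POSTs, after every cheaper check has passed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Constructed rule set for the illustration; litewaf keeps its own patterns in its rule files.
WHITELIST_NETS = [ip_network("10.0.0.0/8")]          # trusted ranges: skip all checks
BLACKLIST_NETS = [ip_network("203.0.113.0/24")]      # known-bad sources: reject outright
UA_RULES     = [r"sqlmap", r"nikto", r"nmap", r"^$"]  # scanner UAs and an empty UA
COOKIE_RULES = [r"\bunion\b.+\bselect\b", r"<script", r"\.\./"]
URL_RULES    = [r"\.\./", r"/etc/passwd", r"\.(bak|sql|git|svn)\b"]
ARG_RULES    = [r"\bunion\b.+\bselect\b", r"<script", r"\bsleep\s*\(\s*\d+\s*\)", r"\.\./"]
POST_RULES   = ARG_RULES


def _compile(patterns):
    return [re.compile(p, re.IGNORECASE) for p in patterns]


_UA, _COOKIE, _URL, _ARG, _POST = map(_compile, (UA_RULES, COOKIE_RULES, URL_RULES, ARG_RULES, POST_RULES))


def first_hit(rules, value):
    """Return the pattern of the first rule matching the (already decoded) value, else None."""
    for rule in rules:
        if rule.search(value):
            return rule.pattern
    return None


def inspect(req):
    """Decide on one request; returns (allowed, stage, detail).
    req is a dict with ip, ua, cookie, uri, args (dict), method and post (dict)."""
    ip = ip_address(req["ip"])
    # 1. whitelist: a hit ends inspection, nothing else is looked at
    if any(ip in net for net in WHITELIST_NETS):
        return True, "whitelist", str(ip)
    # 2. blacklist: a hit is rejected
    if any(ip in net for net in BLACKLIST_NETS):
        return False, "blacklist", str(ip)
    # 3. User-Agent
    hit = first_hit(_UA, req.get("ua", ""))
    if hit:
        return False, "ua", hit
    # 4. Cookie header, percent-decoded so an encoded payload does not slip past
    hit = first_hit(_COOKIE, unquote_plus(req.get("cookie", "")))
    if hit:
        return False, "cookie", hit
    # 5. URL path
    hit = first_hit(_URL, unquote_plus(req.get("uri", "/")))
    if hit:
        return False, "url", hit
    # 6. query-string arguments, every value decoded before matching
    for name, value in req.get("args", {}).items():
        hit = first_hit(_ARG, unquote_plus(str(value)))
        if hit:
            return False, "args", "%s: %s" % (name, hit)
    # 7. POST body fields, only for POST requests (reading the body costs memory, so it comes last)
    if req.get("method", "GET").upper() == "POST":
        for name, value in req.get("post", {}).items():
            hit = first_hit(_POST, unquote_plus(str(value)))
            if hit:
                return False, "post", "%s: %s" % (name, hit)
    return True, "pass", ""


# constructed sample traffic
SAMPLES = [
    {"ip": "10.1.2.3", "ua": "sqlmap/1.6", "uri": "/"},                       # whitelisted, never inspected
    {"ip": "203.0.113.5", "ua": "Mozilla/5.0", "uri": "/"},                   # blacklisted
    {"ip": "198.51.100.7", "ua": "Nikto/2.1.6", "uri": "/"},                  # scanner UA
    {"ip": "198.51.100.8", "ua": "Mozilla/5.0", "uri": "/download",
     "args": {"file": "..%2F..%2Fetc%2Fpasswd"}},                            # encoded traversal in an argument
    {"ip": "198.51.100.9", "ua": "Mozilla/5.0", "uri": "/login", "method": "POST",
     "post": {"user": "a' UNION SELECT 1,2--"}},                              # SQL injection in the body
    {"ip": "198.51.100.9", "ua": "Mozilla/5.0", "uri": "/index.html", "args": {"page": "2"}},  # clean
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["ip"], inspect(req))
```

In OpenResty the same inputs come from ngx.var.remote_addr, ngx.var.http_user_agent, ngx.var.http_cookie, ngx.var.uri, ngx.req.get_uri_args(), and ngx.req.read_body() followed by ngx.req.get_post_args(), all inside access_by_lua. Two caveats: behind a load balancer remote_addr is the balancer's address, so the IP lists are meaningless until the realip module (set_real_ip_from / real_ip_header) is configured for that hop only, otherwise a client can spoof its way onto the whitelist; and because the whitelist short-circuits everything, keep it as narrow as possible.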

nginx configuration

http {
    # lua_waf
    lua_shared_dict limit 50m;
    # size these shared dictionaries to the host's memory
    lua_shared_dict iplimit 20m;
    lua_shared_dict blockiplimit 5m;

    # the trailing ";;" appends OpenResty's default search path, so the bundled resty.* modules still load
    lua_package_path "/usr/local/nginx/conf/waf/?.lua;;";
    init_by_lua_file  /usr/local/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/nginx/conf/waf/access.lua;
}

Enable the WAF

cat /usr/local/nginx/conf/waf/config.lua

config_waf_enable = "on"

nginx -t && nginx -s reload # check the syntax, then reload the configuration

ELK dashboard (screenshot not reproduced)


Sharing the Lua as modified by 涛哥; please give it a star, haha:
https://github.com/richardzgt/litewaf

Reference:
https://www.cnblogs.com/reblue520/p/6814072.html

Brute-force protection with fail2ban

A service port exposed directly on the public internet is an easy target. Moving the service off its default port cuts down opportunistic scanning (a targeted attacker will still find it with a full port scan), and iptables can restrict who may reach the port at all. When a port has to stay open to the whole internet, fail2ban watches the authentication logs and bans sources that keep failing to log in, which stops the noise of brute-force attempts.

  • CentOS 7

Install the package

yum -y install fail2ban
# strip comment and blank lines from the main config so the effective settings are easy to read
sed -i '/^#/d;/^$/d' /etc/fail2ban/fail2ban.conf


TCPServer

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# --------------------------------------------------
#Author:        LJ
#Email:         admin@attacker.club
#Site:          ops.attacker.club
#Date:2017-09-05 23:30:44 Last:2015-05-17 04:12:52
#Description:   minimal threaded TCP server
# --------------------------------------------------
import socket
import threading

bind_ip = "0.0.0.0"  # all interfaces: the port is reachable from every network the host is on
bind_port = 999      # server listening port

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# allow an immediate restart without "Address already in use"
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind((bind_ip, bind_port))
server.listen(5)  # backlog of 5 pending connections

print("[*] Listening on %s:%d" % (bind_ip, bind_port))


# per-client handler, run in its own thread
def handle_client(client_socket):
    try:
        # send a greeting
        client_socket.sendall(b"Connected\r\n")
        # print whatever the client sent (at most 1024 bytes)
        request = client_socket.recv(1024)
        print("[*] Received: %r" % request)
        # reply and close
        client_socket.sendall(b"ACK!\r\n")
    finally:
        client_socket.close()


while True:
    client, addr = server.accept()
    print("[*] Accepted connection from: %s:%d" % (addr[0], addr[1]))
    # hand the connection to a thread so accept() is not blocked by a slow client
    client_handler = threading.Thread(target=handle_client, args=(client,))
    client_handler.daemon = True
    client_handler.start()

TcpClient

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# --------------------------------------------------
#Author:        LJ
#Email:         admin@attacker.club
#Site:          ops.attacker.club
#Date:2017-09-05 23:30:43 Last:2015-05-17 04:12:52
#Description:   minimal TCP client for the server above
# --------------------------------------------------
import socket

target_host = "ops.attacker.club"
target_port = 999

# create a TCP socket
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.settimeout(5)  # do not hang forever if the server never answers
# connect to the server
client.connect((target_host, target_port))
# send some data (a bare HTTP request; the server above just prints it)
client.sendall(b"GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n")
# receive the reply (at most 4096 bytes)
response = client.recv(4096)

print(response.decode("utf-8", "replace"))
client.close()

Server intrusion triage commands

1. Check accounts

awk -F: '$3==0 {print $1}' /etc/passwd
#list accounts with UID 0; anything other than root is suspect
awk -F: 'length($2)==0 {print $1}' /etc/shadow
#list accounts with an empty password hash (needs root to read /etc/shadow)
awk -F\: '{system("passwd -S "$1)}' /etc/passwd|awk '{print $1,$3}'
#account name and date of the last password change (passwd -S needs root; it reports password status, not the account creation date)

2. Check logs

last |head -20  #recent logins
grep Failed /var/log/secure |egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' |sort |uniq -c|sort -nr |head -10
#top 10 source addresses of failed logins (on Debian/Ubuntu the file is /var/log/auth.log)
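The same account and log checks as an added example in Python, not part of the original post; the /etc/passwd, /etc/shadow and /var/log/secure contents below are constructed sample data, and the functions take file contents as text so the script runs without root. Unlike the one-liners, it also separates failures against existing accounts from guesses at non-existent ("invalid user") names.

```python
import re
from collections import Counter

# Constructed sample data standing in for /etc/passwd, /etc/shadow and /var/log/secure.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:17400:0:99999:7:::
bin:*:17400:0:99999:7:::
deploy::17400:0:99999:7:::
toor:!!:17400:0:99999:7:::
"""
SECURE_LOG = """\
Sep  5 23:30:44 web1 sshd[1234]: Failed password for root from 203.0.113.9 port 51234 ssh2
Sep  5 23:30:45 web1 sshd[1234]: Failed password for root from 203.0.113.9 port 51235 ssh2
Sep  5 23:30:46 web1 sshd[1236]: Failed password for invalid user admin from 198.51.100.4 port 40000 ssh2
Sep  5 23:30:47 web1 sshd[1238]: Failed password for root from 203.0.113.9 port 51236 ssh2
Sep  5 23:31:00 web1 sshd[1240]: Accepted publickey for deploy from 10.0.0.5 port 22222 ssh2
Sep  5 23:31:10 web1 sshd[1241]: Failed password for invalid user test from 198.51.100.4 port 40001 ssh2
"""


def uid0_accounts(passwd_text):
    """Every account with UID 0 (the awk -F: '$3==0' check); anything but root is suspect."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def empty_password_accounts(shadow_text):
    """Accounts whose hash field is empty (the awk -F: 'length($2)==0' check on /etc/shadow).
    '!!', '!' and '*' mean locked, not empty, so they are not reported."""
    return [line.split(":")[0] for line in shadow_text.splitlines()
            if ":" in line and line.split(":")[1] == ""]


# matches both "Failed password for root from ..." and "Failed password for invalid user X from ..."
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def failed_login_sources(log_text, top=10):
    """Top source IPs of failed logins, like the grep | egrep -o | sort | uniq -c pipeline."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts.most_common(top)


def failed_login_users(log_text, top=10):
    """Which account names are being guessed (existing accounts such as root versus invalid names)."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    counts = Counter(m.group(1) for m in matches if m)
    return counts.most_common(top)


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(PASSWD))
    print("empty-password accounts:", empty_password_accounts(SHADOW))
    print("failed logins by source:", failed_login_sources(SECURE_LOG))
    print("failed logins by user:", failed_login_users(SECURE_LOG))
```

A burst of failures against root from a single address, as in the sample, is exactly the pattern the fail2ban sshd jail bans on; a spread of "invalid user" names from one source is a dictionary sweep and worth blocking at iptables even before fail2ban's threshold is reached.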
