Shulou(Shulou.com)06/03 Report--

1. Introduction to related concepts of WAF:

(1) introduction to WAF:

WAF:Web Appalication Firewall,Web application firewall is a product that works in the application layer and provides security protection for Web applications through a series of security policies for HTTP/HTTPS.

(2) WAF can achieve the following functions:

A, prevent SQL injection, local inclusion, partial overflow, Fuzzing testing, XSS and other Web Attack

B. Prevent files such as SVN/ backup from leaking

C. Prevent the pressure test tool Attack such as Apache Bench

D. Shielding common Hacker scanning tools

E. Block abnormal network requests

F. Block the PHP execution permission of the attachment directory of pictures.

G, prevent Webshell upload, etc.

2. Install dependent software packages:

# yum-y install gcc gcc-c++ make zlib zlib-devel openssl openssl-devel pcre pcre-devel perl-devel perl-ExtUtils-Embed gd-devel libxml2 libxml2-devel libxslt libxslt-devel GeoIP GeoIP-devel GeoIP-data git libuuid-devel libblkid-devel libudev-devel fuse-devel libedit-devel libatomic_ops-devel httpd-tools

3. Compile and install OpenResty:

# useradd-s / sbin/nologin-M nginx

# mkdir-pv / usr/local/openresty/nginx/logs/

# tar-xf openresty-1.15.8.2.tar.gz-C / usr/src

# cd / usr/src/openresty-1.15.8.2/

# / configure-- prefix=/usr/local/openresty-- user=nginx-- group=nginx-- with-threads-- with-file-aio-- with-http_iconv_module-- with-luajit-- with-http_v2_module-- with-http_realip_module-- with-http_addition_module-- with-http_xslt_module-- with-http_image_filter_module-- with-http_geoip_module-- with-http_sub_module-- with-http_dav_module -- with-http_flv_module-- with-http_mp4_module-- with-http_gunzip_module-- with-http_gzip_static_module-- with-http_auth_request_module-- with-http_random_index_module-- with-http_secure_link_module-- with-http_degradation_module-- with-http_slice_module-- with-http_stub_status_module-- with-http_perl_module-- with-mail-- with-mail_ Ssl_module-with-stream-with-stream_ssl_module-with-stream_realip_module-with-stream_geoip_module-with-stream_ssl_preread_module-with-pcre- with-pcre-jit-with-libatomic-http-log-path=/usr/local/openresty/nginx/logs/access.log

# gmake & & gmake install

4. Configure the environment variable and start OpenResty:

# vim / etc/profile.d/openresty.sh

Export PATH=/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin:$PATH

#. / etc/profile.d/openresty.sh

# nginx-v

# nginx

# ss-tunlp | grep-w: 80

5. Test the Lua environment:

# vim / tmp/hello.lua-- > print ("Hello Lua")

# lua / tmp/hello.lua

# lua

6. Test the OpenResty Lua module:

# cd / usr/local/openresty/nginx/conf

# cp nginx.conf {, .bak}

# vim nginx.conf. Add the following location to the server configuration section:

Location / lua {

Default_type text/html

Content_by_lua_block {

Ngx.say ("Hello Lua")

}

}

# nginx-t

# nginx-s reload

7. Create a directory to save * logs:

# mkdir-pv / usr/local/openresty/nginx/logs/hack

8. Download the decompression ngx_lua_waf module:

Ngx_lua_waf: Web application firewall based on lua-nginx-module, https://github.com/loveshell/ngx_lua_waf.

# tar-xf ngx_lua_waf-0.7.2.tar.gz-C / usr/local/openresty/nginx/conf

# cd / usr/local/openresty/nginx/conf

# mv ngx_lua_waf-0.7.2 waf

# chown-R nginx.nginx / usr/local/openresty

Remarks: main structure of waf directory

(1) config.lua: configuration file

(2) init.lua: rule function

(3) waf.lua: define the WAF detection sequence

(4) wafconf: save the directory of filtering rules. Each rule needs to be wrapped or used. | split

(5) wafconf/args: filter by GET parameter (enabled by default)

(6) wafconf/cookie: filter by Cookie

(7) wafconf/post: filter according to POST request (enabled by default)

(8) wafconf/url: filter according to GET request URL

(9) wafconf/user-agent: filter by User Agent

(10) wafconf/whiteurl: match the URL in the whitelist. If the match is reached, no filtering will be performed.

9. Modify the path of the waf rule directory in the config.lua configuration file:

# vim / usr/local/openresty/nginx/conf/waf/config.lua-- > RulePath= "/ usr/local/openresty/nginx/conf/waf/wafconf/"

Remarks: config.lua configuration file

Instruction

Meaning

RulePath= "/ usr/local/openresty/nginx/conf/waf/wafconf/"

Rule storage directory

Attacklog= "on"

Open the log

Logdir= "/ usr/local/openresty/nginx/logs/hack/"

Log log directory

UrlDeny= "on"

Block URL acc

Redirect= "on"

Redirect after interception

CookieMatch= "on"

Intercept Cookie Attack

PostMatch= "on"

Intercept Post Attack

WhiteModule= "on"

Open URL whitelist

Black_fileExt= {"php", "jsp"}

Types of file suffixes that are not allowed to upload

IpWhitelist= {"127.0.0.1"}

IP whitelist, separated by commas between multiple IP

IpBlocklist= {"1.0.0.1"}

IP blacklist, separated by commas between multiple IP

CCDeny= "on"

Enable intercepting CC Attack (you need to add the code lua_shared_dict limit 10m in the http configuration section of nginx.conf)

CCrate= "100AG60"

Sets the CC Attack frequency in seconds

By default, the same IP can only request the same address 100 times per minute.

10. Modify the nginx.conf configuration file:

# vim / usr/local/openresty/nginx/conf/nginx.conf, add the following code to the http configuration section:

Lua_package_path "/ usr/local/openresty/nginx/conf/waf/?.lua"

Lua_shared_dict limit 10m

Init_by_lua_file "/ usr/local/openresty/nginx/conf/waf/init.lua"

Access_by_lua_file "/ usr/local/openresty/nginx/conf/waf/waf.lua"

# nginx-t

# nginx-s reload

11. Test the WAF application firewall:

(1) simulated URL parameter detection: http://192.168.0.121/lua?id=../etc/shadow

(2) use the ab command to simulate CC Attack:# ab-n 10000-c 10000 http://192.168.0.121/lua

Remarks: ab command option

A,-n requests: total number of requests executed. Default is 1.

B,-c concurrency: number of requests executed concurrently at one time. Default is 1.

(3) View the log: # tail-3 / usr/local/openresty/nginx/logs/hack/localhost_2020-02-18_sec.log

192.168.0.121 [2020-02-18 00:47:49] "UA localhost/lua"-"ApacheBench/2.3" (HTTrack | harvest | audit | dirbuster | pangolin | nmap | sqln |-scan | hydra | Parser | BBBike | sqlmap | w3af | Nikto | fimap | havij | PycURL | zmeu | BabyKrokodil | netsparker | httperf bench | SF/) "

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.