
Install Upgrade Nginx CentOS 7.x Anti-DDoS Mitigate: Automatic deploy/config Testcookie module for Centminmod (vCentminmod-DDoS)

Discussion in 'Centmin Mod User Tutorials & Guides' started by duy13, Nov 10, 2017.

  1. duy13

    duy13 New Member

    Anti-DDoS Mitigate: Automatic deploy/config Testcookie module for Centminmod (vCentminmod-DDoS)

    testcookie-nginx-module is a simple robot mitigation module using a cookie-based challenge/response. I wrote a small script that automatically deploys that module to Centminmod:

    Github: GitHub - duy13/vCentminmod-DDoS: A small shell script auto Deploy and Use "Testcookie Module" for your Centminmod.

    Centminmod from: Centmin Mod LEMP Stack Install Nginx on CentOS

    Testcookie module from: GitHub - kyprizel/testcookie-nginx-module: simple robot mitigation module using cookie based challenge/response technique

    Here's how to install and use it:

    Install:

    Step 1: Install Centminmod: Centmin Mod LEMP Stack Install Nginx on CentOS
    Code:
    yum -y update; curl -O https://centminmod.com/installer.sh && chmod 0700 installer.sh && bash installer.sh
    
    OR:
    Code:
    yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    
    Code:
    cd /usr/local/src/centminmod
    ./centmin.sh
    Step 2: Install vCentminmod Antiddos Addon:
    Code:
    curl -L -O https://github.com/duy13/vCentminmod-DDoS/raw/master/vCentminmod-DDoS.sh && chmod 700 vCentminmod-DDoS.sh && bash vCentminmod-DDoS.sh
    Step 3: Re-compile Centminmod Nginx:
    Code:
    cd /usr/local/src/centminmod
    ./centmin.sh
    "Option 4" to update config: "4). Nginx Upgrade / Downgrade"

    Check:
    Code:
    [root@vDDoS ~]# nginx -V
    
    nginx version: nginx/1.x.x
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.5.5
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --add-module=../testcookie-nginx-module-master --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../nginx-http-concat-master --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../nginx_upstream_check_module-0.3.0 --add-module=../nginx-module-vts --add-module=../headers-more-nginx-module-0.33 --with-openssl=../libressl-2.5.5 --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-pcre=../pcre-8.41 --with-pcre-jit
    Check that the option "--add-module=../testcookie-nginx-module-master" is displayed.


    Using:

    Step 1: Add your website in Centminmod: Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS
    For example, I added a new domain called your-domain.com:

    Code:
    Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/your-domain.com.conf
    Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/your-domain.com.ssl.conf
    Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/your-domain.com
    Vhost public web root will be at /home/nginx/domains/your-domain.com/public
    Vhost log directory will be at /home/nginx/domains/your-domain.com/log
    Step 2: Edit your website config (vhost file):
    Code:
    nano /usr/local/nginx/conf/conf.d/your-domain.com.conf
    
    ...
      root /home/nginx/domains/your-domain.com/public;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      }
     include /usr/local/nginx/conf/vCentminmod-DDoS/5s.conf;
      location / {
     include /usr/local/nginx/conf/vCentminmod-DDoS/on.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    ...
    
    Include config file in folder /usr/local/nginx/conf/vCentminmod-DDoS:
    Include 5s.conf or high.conf to select the Security Mode.
    Include on.conf or off.conf to turn on or off the Security Mode.

    Step 3: Restart Nginx:
    Code:
    service nginx stop; sleep 3; service nginx start
    Website:

    The site has a javascript challenge before reaching the original site:

    Code:
    root@vDDoS [~]# curl -L http://your-domain.com
    <!DOCTYPE html>
    <html>
    <script src="/vddosw3data.js"></script>
    <script type="text/javascript" src="/aes.min.js" ></script>
    <body>
    <div w3-include-html="/5s.html"></div>
    <noscript><h1 style="text-align:center;color:red;"><strong>Please turn JavaScript on and reload the page.</strong></h1></noscript>
    <script>
    w3IncludeHTML();
    </script>
    <script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("a9b3e90e4d7f7610b4431a9a30f17b75"),b=toNumbers("297642f1c8756257dda15de689133f2d"),c=toNumbers("a1abdc94e9101436984a80a9bd1fe758");document.cookie="vCentminmod="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=0; path=/";setTimeout("location.href='http://your-domain.com/?d=1';",5000);</script>
    <center>
    <br />
    <br />
    <center/>
    </body>
    </html>
    
    Custom-Redesign your challenge or challenge interface at: /usr/local/nginx/conf/vCentminmod-DDoS/html
    Code:
    [root@vDDoS ~]# ls -lah /usr/local/nginx/conf/vCentminmod-DDoS/html
    total 68K
    drwxr-xr-x 2 root root 4.0K Nov  9 15:27 .
    drwxr-xr-x 3 root root 4.0K Nov  9 15:27 ..
    -rw-r--r-- 1 root root 1.6K Nov  9 15:27 5s.html
    -rw-r--r-- 1 root root 1.6K Nov  9 15:27 5s.html.default
    -rw-r--r-- 1 root root  31K Nov  9 15:26 aes.min.js
    -rw-r--r-- 1 root root 1.2K Nov  9 15:27 captcha.html
    -rw-r--r-- 1 root root 1.2K Nov  9 15:27 captcha.html.default
    -rw-r--r-- 1 root root 2.3K Nov  9 15:27 cookies.html
    -rw-r--r-- 1 root root 5.8K Nov  9 15:27 vddosw3data.js
    
     
    Last edited: Nov 10, 2017
  2. RoldanLT

    RoldanLT Well-Known Member

    Great Share, Thanks for this!
     
  3. eva2000

    eva2000 Administrator Staff Member

    nice will check it out

    fyi this part will break letsencrypt domain validation
    Code (Text):
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      }

    and this part vCentminmod-DDoS/vCentminmod-DDoS.sh at master · duy13/vCentminmod-DDoS · GitHub will get overwritten on centmin.sh menu option 23 submenu option 2 updates

    123.09beta01 has reserved persistent config variables to add nginx modules of your own that persist Beta Branch - update inc/nginx_configure.inc

    so either create /etc/centminmod/custom_nginxmodules.inc or use/create persistent config /etc/centminmod/custom_config.inc with starting space then module
    Code (Text):
    DYNAMICOPT_BEGIN=' --add-module=../testcookie-nginx-module-master'
    


    or

    Code (Text):
    DYNAMICOPT_MIDDLE=' --add-module=../testcookie-nginx-module-master'
    

    BEGIN or MIDDLE determines nginx module config order in inc/nginx_configure.inc i.e. centminmod/nginx_configure.inc at 165e44f9ef1528c84b7e315d4b81e0e1f993a075 · centminmod/centminmod · GitHub

    Code (Text):
    ./configure --with-ld-opt="${LRT}${JEMALLOC_LD}${PCRE_LD} -Wl,-z,relro ${LUALD_OPT}${PCRE_LDOPT}" --with-cc-opt="${MTUNEOPT}-g$GCC_OPTLEVEL $FSTACKPROTECT${NGXEXTRA_LDGOLDCCOPT} --param=ssp-buffer-size=4 -Wformat -Werror=format-security${DEVTOOLSETSEVEN_FALLTHROUGH}${DEVTOOLSETSEVEN_EXTRAFLAGS} -Wp,-D_FORTIFY_SOURCE=2${CLANG_CCOPT}${BROTLI_CFLAG}${PCRE_CCOPT}${NGXEXTRA_CCOPT}" --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf${WITHCOMPAT_OPT}${NGINX_DEBUGOPT}${IPVSIXOPT}${DYNAMICOPT_BEGIN}${STUBSTATUSOPT}${AUTHREQOPT}${SECURELINKOPT}${FLVOPT}${MPOPT}${RTMPOPT}${WITHOPENSSL_OPT}${VTSOPT}${LIBATOMICOPT}${DYNAMICOPT_MIDDLE} --with-http_gzip_static_module${BROTLIOPT}${PGSPEEDOPT}${SUBOPT}${ADDITIONOPT}${IMAGEFILTEROPT}${GEOIPOPT}${NGINX_NJSOPT}${STREAMGEOIPOPT}${STREAMREALIPOPT}${STREAM_SSLPREREADOPT}${THREADS}${STREAM}${REALIPOPT}${ACCESSKEYOPT}${HTTPCONCATOPT}${FANCYINDEXOPT}${CACHEPURGEOPT}${GPERFOPT}${WEBDAVOPT}${RUBYMODULE}${DEVELKITOPT}${SETMISCOPT}${ECHOOPT}${REDISOPT}${HTTPREDISOPT}${LUAOPT}${STICKYOPT}${UPSTREAMOPT}${MEMCOPT}${SRCCACHEOPT}${HEADERSMOREOPT}${NGXPERLOPT}${NGXXSLTOPT}${PCREJITOPT}${ZLIBNG_OPT}${ZLIBCUSTOM_OPT}${HIDELENGTHOPT} --with-http_ssl_module${SPDYOPT}${HTTPTWOOPT}${NGX_HPACK_OPT}${HTTP_PUSHOPT}${OPENSSLOPT}${LIBRESSLOPT}${MODSEC_OPT}${RDNSOPT}
    

    if you use/create persistent config /etc/centminmod/custom_config.inc for this, centmin.sh will always source variables set there for reference in centmin.sh routines

    scripted would be something like
    Code (Text):
    # don't overwrite existing persistent variables
    # only append
    touch /etc/centminmod/custom_config.inc
    echo "DYNAMICOPT_MIDDLE=' --add-module=../testcookie-nginx-module-master'" >> /etc/centminmod/custom_config.inc


    But MIDDLE is before gzip module not after so could be a problem if order matters from centminmod/nginx_configure.inc at 165e44f9ef1528c84b7e315d4b81e0e1f993a075 · centminmod/centminmod · GitHub
    Code (Text):
    ${DYNAMICOPT_MIDDLE} --with-http_gzip_static_module${BROTLIOPT}
    

    maybe need a new variable for after gzip/brotli modules too

    edit added new variables for DYNAMICOPT_AFTERGZIP & DYNAMICOPT_END Beta Branch - update inc/nginx_configure.inc add DYNAMICOPT_AFTERGZIP & DYNAMICOPT_…

    scripted would be something like
    Code (Text):
    # don't overwrite existing persistent variables
    # only append
    touch /etc/centminmod/custom_config.inc
    echo "DYNAMICOPT_AFTERGZIP=' --add-module=../testcookie-nginx-module-master'" >> /etc/centminmod/custom_config.inc
     
  4. duy13

    I think that is the default of the vhost you wrote

    It seems the module has to be reinstalled after every Centminmod automatic update :panda:
    Do you have any advice for me to fix it?
     
  5. eva2000

    yeah 123.09beta01 removes that now

    see updated reply above
     
  6. eva2000

    @duy13 just added optional testcookie-nginx-module support into 123.09beta01 Beta Branch - add testcookie-nginx-module optional support in 123.09beta01

    so scripted would be
    Code (Text):
    # don't overwrite existing persistent variables
    # only append
    touch /etc/centminmod/custom_config.inc
    echo "NGXDYNAMIC_TESTCOOKIE='y'" >> /etc/centminmod/custom_config.inc
    echo "NGINX_TESTCOOKIE='y'" >> /etc/centminmod/custom_config.inc
    


    if you want to check out code wise changes on how I added testcookie-nginx-module support the diff of code is at add testcookie-nginx-module optional support in 123.09beta01 · centminmod/centminmod@a501a85 · GitHub
     
    Last edited: Nov 10, 2017
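The `echo ... >>` snippets in posts 3 and 6 add a duplicate line every time they are rerun. As an added example (not from the thread or from Centmin Mod's own code), the function below leaves exactly one assignment per variable in a persistent config file; `set_persistent_var` is a hypothetical helper name, and the demo writes to a constructed temp file rather than `/etc/centminmod/custom_config.inc`.

```bash
#!/usr/bin/env bash
# Added example, not part of centmin.sh. set_persistent_var is a hypothetical name.
#
# set_persistent_var FILE NAME VALUE
#   Ensures FILE ends up with exactly one line NAME='VALUE'.
#   All other lines in FILE are kept as they are.
set_persistent_var() {
  local file="$1" name="$2" value="$3" tmp
  # The file is sourced by a root script, so accept only plain variable names.
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name: $name" >&2; return 2 ;;
  esac
  # A single quote in the value would end the quoting when the file is sourced.
  case $value in
    *\'*) echo "value must not contain a single quote" >&2; return 2 ;;
  esac
  touch "$file" || return 1
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  # Copy everything except earlier assignments of NAME.
  # grep exits 1 when nothing is left to copy, which is not an error here.
  grep -v -E "^[[:space:]]*${name}=" "$file" > "$tmp" \
    || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
  printf "%s='%s'\n" "$name" "$value" >> "$tmp"
  # Replace the file in one step; mktemp leaves the result readable by its owner only.
  mv "$tmp" "$file"
}

# Demo on a constructed temp file.
demo=$(mktemp)
set_persistent_var "$demo" NGXDYNAMIC_TESTCOOKIE y
set_persistent_var "$demo" NGINX_TESTCOOKIE y
set_persistent_var "$demo" NGINX_TESTCOOKIE y   # rerun: still a single line
cat "$demo"
rm -f "$demo"
```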
  7. duy13

    ok, now it supports both 123.08stable & 123.09beta01 :cat: thanks @eva2000 !
     
  8. eva2000

    FYI, only updated 123.09beta01 not 123.08stable
     
  9. duy13

    I mean, my scripts can be used for 123.08stable & 123.09beta01.

    If anybody has any errors during setup, you can ask questions at this thread.
     
  10. eva2000

    oh i see :)
     
  11. pamamolf

    pamamolf Well-Known Member

    So George, after adding support for this in the latest Centminmod 09, what is needed for it to work is a simple edit here:

    Code:
    /etc/centminmod/custom_config.inc
    and add:

    Code:
    NGXDYNAMIC_TESTCOOKIE='y'
    NGINX_TESTCOOKIE='y'
    and then recompile Nginx and run:

    Code:
    curl -L -O https://github.com/duy13/vCentminmod-DDoS/raw/master/vCentminmod-DDoS.sh && chmod 700 vCentminmod-DDoS.sh && bash vCentminmod-DDoS.sh
    and add the include lines at the bottom of the domain config?

    Code:
    include /usr/local/nginx/conf/vCentminmod-DDoS/5s.conf;
    include /usr/local/nginx/conf/vCentminmod-DDoS/on.conf;
    include /usr/local/nginx/conf/pre-staticfiles-local-vinylcollective.com.conf;
    include /usr/local/nginx/conf/pre-staticfiles-global.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    

    Anything else needed?

    The issue with such solutions is that a user can get the cookie and use it for the rest of the requests when he is attacking :(
     
    Last edited: Nov 13, 2017
  12. duy13

    No, Please do as original guide: https://community.centminmod.com/th...module-for-centminmod-vcentminmod-ddos.13258/
    Just do it, do not care 123.08stable or 123.09beta01 version
    (Encourage you to use 123.09beta01)

    No, Please do as original guide: https://community.centminmod.com/th...module-for-centminmod-vcentminmod-ddos.13258/
    Please see how to include 2 config files 5s.conf & on.conf in the right place:
    Code:
    nano /usr/local/nginx/conf/conf.d/your-domain.com.conf
    
    ...
     include /usr/local/nginx/conf/vCentminmod-DDoS/5s.conf;
      location / {
     include /usr/local/nginx/conf/vCentminmod-DDoS/on.conf;
    ...
    
    Cookies are created for each session and are only valid for the client's IP; if the IP changes, the cookie will not be valid.
    So, basically, if an IP already has the ability to process and find out the cookie, it also overcomes the JavaScript challenge.
    The above tutorial is intended to eliminate bad bots that are not able to handle the JavaScript challenge.
    If a client is capable of handling JavaScript challenges (like a normal browser), it will overcome the challenge.
    If you want to do more, add the ability to limit the number of connections on nginx (limit_conn & limit_req):
    https://www.nginx.com/blog/rate-limiting-nginx/
    https://community.centminmod.com/threads/limit_conn-limit_per_ip-16-ssi-on.665/
     
    Last edited: Nov 13, 2017
  13. pamamolf

    I am asking that because at the bottom of your script you have some lines of code that take care of the testcookie Nginx module:

    Code:
    https://github.com/duy13/vCentminmod-DDoS/raw/master/vCentminmod-DDoS.sh
    
    But that's already included in the latest Centminmod 09, so I think those lines are not needed... or am I missing something?
     
  14. duy13

    One line for 123.08stable and one line for 123.09beta01, this line will not work for the other version and vice versa
    You can experiment on both beta and stable to make your own conclusions
     
  15. eva2000

  16. duy13

    I think it's faster (if attacked), but in general I do not care about how everyone installs testcookie; as long as typing nginx -V shows "= ../testcookie-nginx-module-master", everything will be fine
     
  17. eva2000

    dynamic module should be more efficient resource usage wise
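
The `nginx -V` check from the first post, extended to tell a static build from a dynamic one as discussed in the last few posts. This is an added example, not code from the thread or from Centmin Mod; `testcookie_status` is a hypothetical helper name, the `nginx -V` text in the demo is constructed, and the config files to search for `load_module` are passed in by the caller because the thread does not say where that directive lives.

```bash
#!/usr/bin/env bash
# Added example. testcookie_status is a hypothetical helper name.
#
# stdin : output of `nginx -V 2>&1` (nginx prints it on stderr)
# args  : optional nginx config files to search for a load_module line
# prints: static | dynamic-loaded | dynamic-not-loaded | absent
testcookie_status() {
  local args
  # Take the "configure arguments:" line and put one flag on each line.
  args=$(sed -n 's/^configure arguments: //p' | tr ' ' '\n')
  if printf '%s\n' "$args" | grep -q '^--add-module=.*testcookie-nginx-module'; then
    echo static              # compiled into the binary
  elif printf '%s\n' "$args" | grep -q '^--add-dynamic-module=.*testcookie-nginx-module'; then
    # A dynamic module is inactive until an uncommented load_module line loads it.
    if [ "$#" -gt 0 ] && grep -Eqs '^[[:space:]]*load_module[[:space:]].*testcookie' "$@"; then
      echo dynamic-loaded
    else
      echo dynamic-not-loaded
    fi
  else
    echo absent              # e.g. lost after an nginx rebuild
  fi
}

# Demo with constructed `nginx -V` output (shortened).
sample="nginx version: nginx/1.x.x
configure arguments: --with-http_ssl_module --add-module=../testcookie-nginx-module-master --with-threads"
printf '%s\n' "$sample" | testcookie_status
```

On a live server the call is `nginx -V 2>&1 | testcookie_status <config files>`; any result other than `static` or `dynamic-loaded` after an upgrade means the vhost includes no longer have a module behind them.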