Install Upgrade Nginx CentOS 7.x Anti-DDoS Mitigate: Automatic deploy/config Testcookie module for Centminmod (vCentminmod-DDoS)

duy13 · Nov 10, 2017

Anti-DDoS Mitigate: Automatic deploy/config Testcookie module for Centminmod (vCentminmod-DDoS)

testcookie-nginx-module is a simple robot mitigation module using cookie based challenge/response. I wrote a small script that automatically deployed that module to Centminmod:

Github: GitHub - duy13/vCentminmod-DDoS: A small shell script auto Deploy and Use "Testcookie Module" for your Centminmod.

Centminmod from: Centmin Mod LEMP Stack Install Nginx on CentOS

Testcookie module from: GitHub - kyprizel/testcookie-nginx-module: simple robot mitigation module using cookie based challenge/response technique

Here's how to install and use it:

Install:

Step 1: Install Centminmod: Centmin Mod LEMP Stack Install Nginx on CentOS

Code:

yum -y update; curl -O https://centminmod.com/installer.sh && chmod 0700 installer.sh && bash installer.sh

OR:

Code:

yum -y update; curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh

Code:

cd /usr/local/src/centminmod
./centmin.sh

Step 2: Install vCentminmod Antiddos Addon:

Code:

curl -L -O https://github.com/duy13/vCentminmod-DDoS/raw/master/vCentminmod-DDoS.sh && chmod 700 vCentminmod-DDoS.sh && bash vCentminmod-DDoS.sh

Step 3: Re-compile Centminmod Nginx:

Code:

cd /usr/local/src/centminmod
./centmin.sh

"Option 4" to update config: "4). Nginx Upgrade / Downgrade"

Check:

Code:

[root@vDDoS ~]# nginx -V

nginx version: nginx/1.x.x
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.5.5
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --add-module=../testcookie-nginx-module-master --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../nginx-http-concat-master --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../nginx_upstream_check_module-0.3.0 --add-module=../nginx-module-vts --add-module=../headers-more-nginx-module-0.33 --with-openssl=../libressl-2.5.5 --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-pcre=../pcre-8.41 --with-pcre-jit

Check Option "--add-module=../testcookie-nginx-module-master" is displayed.

Using:

Step 1: Add your website in Centminmod: Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS
Example, I added new domain called your-domain.com:

Code:

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/your-domain.com.conf
Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/your-domain.com.ssl.conf
Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/your-domain.com
Vhost public web root will be at /home/nginx/domains/your-domain.com/public
Vhost log directory will be at /home/nginx/domains/your-domain.com/log

Step 2: Edit your website config (vhost file):

Code:

nano /usr/local/nginx/conf/conf.d/your-domain.com.conf

...
  root /home/nginx/domains/your-domain.com/public;

  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  }
 include /usr/local/nginx/conf/vCentminmod-DDoS/5s.conf;
  location / {
 include /usr/local/nginx/conf/vCentminmod-DDoS/on.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }
...

Include config file in folder /usr/local/nginx/conf/vCentminmod-DDoS:
Include 5s.conf or high.conf to select the Security Mode.
Include on.conf or off.conf to turn on or off the Security Mode.

Step 3: Restart Nginx:

Code:

service nginx stop; sleep 3; service nginx start

Website:

The site has a javascript challenge before reaching the original site:

[IMG]

Code:

root@vDDoS [~]# curl -L http://your-domain.com
<!DOCTYPE html>
<html>
<script src="/vddosw3data.js"></script>
<script type="text/javascript" src="/aes.min.js" ></script>
<body>
<div w3-include-html="/5s.html"></div>
<noscript><h1 style="text-align:center;color:red;"><strong>Please turn JavaScript on and reload the page.</strong></h1></noscript>
<script>
w3IncludeHTML();
</script>
<script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("a9b3e90e4d7f7610b4431a9a30f17b75"),b=toNumbers("297642f1c8756257dda15de689133f2d"),c=toNumbers("a1abdc94e9101436984a80a9bd1fe758");document.cookie="vCentminmod="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=0; path=/";setTimeout("location.href='http://your-domain.com/?d=1';",5000);</script>
<center>
<br />
<br />
<center/>
</body>
</html>

Custom-Redesign your challenge or challenge interface at: /usr/local/nginx/conf/vCentminmod-DDoS/html

Code:

[root@vDDoS ~]# ls -lah /usr/local/nginx/conf/vCentminmod-DDoS/html
total 68K
drwxr-xr-x 2 root root 4.0K Nov  9 15:27 .
drwxr-xr-x 3 root root 4.0K Nov  9 15:27 ..
-rw-r--r-- 1 root root 1.6K Nov  9 15:27 5s.html
-rw-r--r-- 1 root root 1.6K Nov  9 15:27 5s.html.default
-rw-r--r-- 1 root root  31K Nov  9 15:26 aes.min.js
-rw-r--r-- 1 root root 1.2K Nov  9 15:27 captcha.html
-rw-r--r-- 1 root root 1.2K Nov  9 15:27 captcha.html.default
-rw-r--r-- 1 root root 2.3K Nov  9 15:27 cookies.html
-rw-r--r-- 1 root root 5.8K Nov  9 15:27 vddosw3data.js

rdan · Nov 10, 2017

Great Share, Thanks for this!

eva2000 · Nov 10, 2017

nice will check it out

fyi this part will break letsencrypt domain validation
Code (Text):
  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  }
and this part vCentminmod-DDoS/vCentminmod-DDoS.sh at master · duy13/vCentminmod-DDoS · GitHub will get overwritten on centmin.sh menu option 23 submenu option 2 updates

123.09beta01 has reserved persistent config variables to add nginx modules of your own that persist Beta Branch - update inc/nginx_configure.inc

so either create /etc/centminmod/custom_nginxmodules.inc or use/create persistent config /etc/centminmod/custom_config.inc with starting space then module
Code (Text):
DYNAMICOPT_BEGIN=' --add-module=../testcookie-nginx-module-master'
or
Code (Text):
DYNAMICOPT_MIDDLE=' --add-module=../testcookie-nginx-module-master'
BEGIN or MIDDLE determines nginx module config order in inc/nginx_configure.inc i.e. centminmod/nginx_configure.inc at 165e44f9ef1528c84b7e315d4b81e0e1f993a075 · centminmod/centminmod · GitHub
Code (Text):
./configure --with-ld-opt="${LRT}${JEMALLOC_LD}${PCRE_LD} -Wl,-z,relro ${LUALD_OPT}${PCRE_LDOPT}" --with-cc-opt="${MTUNEOPT}-g$GCC_OPTLEVEL $FSTACKPROTECT${NGXEXTRA_LDGOLDCCOPT} --param=ssp-buffer-size=4 -Wformat -Werror=format-security${DEVTOOLSETSEVEN_FALLTHROUGH}${DEVTOOLSETSEVEN_EXTRAFLAGS} -Wp,-D_FORTIFY_SOURCE=2${CLANG_CCOPT}${BROTLI_CFLAG}${PCRE_CCOPT}${NGXEXTRA_CCOPT}" --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf${WITHCOMPAT_OPT}${NGINX_DEBUGOPT}${IPVSIXOPT}${DYNAMICOPT_BEGIN}${STUBSTATUSOPT}${AUTHREQOPT}${SECURELINKOPT}${FLVOPT}${MPOPT}${RTMPOPT}${WITHOPENSSL_OPT}${VTSOPT}${LIBATOMICOPT}${DYNAMICOPT_MIDDLE} --with-http_gzip_static_module${BROTLIOPT}${PGSPEEDOPT}${SUBOPT}${ADDITIONOPT}${IMAGEFILTEROPT}${GEOIPOPT}${NGINX_NJSOPT}${STREAMGEOIPOPT}${STREAMREALIPOPT}${STREAM_SSLPREREADOPT}${THREADS}${STREAM}${REALIPOPT}${ACCESSKEYOPT}${HTTPCONCATOPT}${FANCYINDEXOPT}${CACHEPURGEOPT}${GPERFOPT}${WEBDAVOPT}${RUBYMODULE}${DEVELKITOPT}${SETMISCOPT}${ECHOOPT}${REDISOPT}${HTTPREDISOPT}${LUAOPT}${STICKYOPT}${UPSTREAMOPT}${MEMCOPT}${SRCCACHEOPT}${HEADERSMOREOPT}${NGXPERLOPT}${NGXXSLTOPT}${PCREJITOPT}${ZLIBNG_OPT}${ZLIBCUSTOM_OPT}${HIDELENGTHOPT} --with-http_ssl_module${SPDYOPT}${HTTPTWOOPT}${NGX_HPACK_OPT}${HTTP_PUSHOPT}${OPENSSLOPT}${LIBRESSLOPT}${MODSEC_OPT}${RDNSOPT}
if you use/create persistent config /etc/centminmod/custom_config.inc for this, centmin.sh will always source variables set there for reference in centmin.sh routines

scripted would something like
Code (Text):
# don't overwrite existing persistent variables
# only append
touch /etc/centminmod/custom_config.inc
echo "DYNAMICOPT_MIDDLE=' --add-module=../testcookie-nginx-module-master'" >> /etc/centminmod/custom_config.inc
But MIDDLE is before gzip module not after so could be a problem if order matters from centminmod/nginx_configure.inc at 165e44f9ef1528c84b7e315d4b81e0e1f993a075 · centminmod/centminmod · GitHub
Code (Text):
${DYNAMICOPT_MIDDLE} --with-http_gzip_static_module${BROTLIOPT}
maybe need a new variable for after gzip/brotli modules too

edit added new variables for DYNAMICOPT_AFTERGZIP & DYNAMICOPT_END Beta Branch - update inc/nginx_configure.inc add DYNAMICOPT_AFTERGZIP & DYNAMICOPT_…

scripted would something like
Code (Text):
# don't overwrite existing persistent variables
# only append
touch /etc/centminmod/custom_config.inc
echo "DYNAMICOPT_AFTERGZIP=' --add-module=../testcookie-nginx-module-master'" >> /etc/centminmod/custom_config.inc

duy13 · Nov 10, 2017

eva2000 said: ↑
fyi this part will break letsencrypt domain validation
Code (Text):
  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  }
Click to expand...
I think that is the default of the vhost you wrote

eva2000 said: ↑

and this part vCentminmod-DDoS/vCentminmod-DDoS.sh at master · duy13/vCentminmod-DDoS · GitHub will get overwritten on centmin.sh menu option 23 submenu option 2 updates
Click to expand...

It seems to have to reinstall this module, every after Centminmod automatic update
Do you have any advice for me to fix it?

eva2000 · Nov 10, 2017

duy13 said: ↑

I think that is the default of the vhost you wrote
Click to expand...

yeah 123.09beta01 removes that now

duy13 said: ↑

Do you have any advice for me to fix it?
Click to expand...

see updated reply above

eva2000 · Nov 10, 2017

@duy13 just added optional testcookie-nginx-module support into 123.09beta01 Beta Branch - add testcookie-nginx-module optional support in 123.09beta01

so scripted would be
Code (Text):
# don't overwrite existing persistent variables
# only append
touch /etc/centminmod/custom_config.inc
echo "NGXDYNAMIC_TESTCOOKIE='y'" >> /etc/centminmod/custom_config.inc
echo "NGINX_TESTCOOKIE='y'" >> /etc/centminmod/custom_config.inc
if you want to check out code wise changes on how I added testcookie-nginx-module support the diff of code is at add testcookie-nginx-module optional support in 123.09beta01 · centminmod/centminmod@a501a85 · GitHub

duy13 · Nov 10, 2017

ok, now it supports both 123.08stable & 123.09beta01 thanks @eva2000 !

eva2000 · Nov 10, 2017

FYI, only updated 123.09beta01 not 123.08stable

duy13 · Nov 10, 2017

eva2000 said: ↑

FYI, only updated 123.09beta01 not 123.08stable
Click to expand...

I mean, my scripts can be used for 123.08stable & 123.09beta01.

If anybody has any errors during setup, you can ask questions at this thread.

eva2000 · Nov 10, 2017

oh i see

pamamolf · Nov 13, 2017

So George after adding support for ths at latest Centminmod 09 what is needed to work is simple edit here:
Code:
/etc/centminmod/custom_config.inc
and add:
Code:
NGXDYNAMIC_TESTCOOKIE='y'
NGINX_TESTCOOKIE='y'
and then recompile Nginx and run:
Code:
curl -L -O https://github.com/duy13/vCentminmod-DDoS/raw/master/vCentminmod-DDoS.sh && chmod 700 vCentminmod-DDoS.sh && bash vCentminmod-DDoS.sh
and add the include lines at the bottom of the domain config?
Code:
include /usr/local/nginx/conf/vCentminmod-DDoS/5s.conf;
include /usr/local/nginx/conf/vCentminmod-DDoS/on.conf;
include /usr/local/nginx/conf/pre-staticfiles-local-vinylcollective.com.conf;
include /usr/local/nginx/conf/pre-staticfiles-global.conf;
include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/php.conf;
Anything else needed?

The issue with such solutions is that a user can get the cookie and use it for the rest of the requests when he is attacking

duy13 · Nov 13, 2017

pamamolf said: ↑
So George after adding support for ths at latest Centminmod 09 what is needed to work is simple edit here:
Code:
/etc/centminmod/custom_config.inc
and add:
Code:
NGXDYNAMIC_TESTCOOKIE='y'
NGINX_TESTCOOKIE='y'
and then recompile Nginx and run:
Code:
curl -L -O https://github.com/duy13/vCentminmod-DDoS/raw/master/vCentminmod-DDoS.sh && chmod 700 vCentminmod-DDoS.sh && bash vCentminmod-DDoS.sh
Click to expand...
No, Please do as original guide: https://community.centminmod.com/th...module-for-centminmod-vcentminmod-ddos.13258/
Just do it, do not care 123.08stable or 123.09beta01 version
(Encourage you to use 123.09beta01)
pamamolf said: ↑
and add the include lines at the bottom of the domain config?
Code:
include /usr/local/nginx/conf/vCentminmod-DDoS/5s.conf;
include /usr/local/nginx/conf/vCentminmod-DDoS/on.conf;
include /usr/local/nginx/conf/pre-staticfiles-local-vinylcollective.com.conf;
include /usr/local/nginx/conf/pre-staticfiles-global.conf;
include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/php.conf;
Click to expand...
No, Please do as original guide: https://community.centminmod.com/th...module-for-centminmod-vcentminmod-ddos.13258/
Please see how to include 2 config files 5s.conf & on.conf in the right place:
Code:
nano /usr/local/nginx/conf/conf.d/your-domain.com.conf

...
 include /usr/local/nginx/conf/vCentminmod-DDoS/5s.conf;
  location / {
 include /usr/local/nginx/conf/vCentminmod-DDoS/on.conf;
...
pamamolf said: ↑

Anything else needed?

The issue with such solutions is that a user can get the cookie and use it for the rest of the requests when he is attacking
Click to expand...

Cookies were created for each session, only valid for the client's IP, if the Ip changes it will not be valid.
So, basically, if an ip already has the ability to process and find out the cookie, it also overcomes the javascript challenge.
The above tutorial is intended to eliminate the bad bot, not able to handle javascript challenge.
If it is capable of handling javascript challenges, (like a normal browser) it will overcome the challenge.
If you want to do more, add the ability to limit the number of connections on nginx (limit_conn & limit_req):
https://www.nginx.com/blog/rate-limiting-nginx/
https://community.centminmod.com/threads/limit_conn-limit_per_ip-16-ssi-on.665/

pamamolf · Nov 13, 2017

I am asking that because at the bottom of your script at the bottom you have some lines of code that take care the testcookie Nginx module:
Code:
https://github.com/duy13/vCentminmod-DDoS/raw/master/vCentminmod-DDoS.sh
But that's already included on latest Centminmod 09 so i think that lines are not needed .... or am i missing something?

duy13 · Nov 13, 2017

pamamolf said: ↑

I am asking that because at the bottom of your script at the bottom you have some lines of code that take care the testcookie Nginx module:

But that's already included on latest Centminmod 09 so i think that lines are not needed .... or am i missing something?
Click to expand...

One line for 123.08stable and one line for 123.09beta01, this line will not work for the other version and vice versa
You can experiment on both beta and stable to make your own conclusions

eva2000 · Nov 13, 2017

duy13 said: ↑

Please do as original guide: https://community.centminmod.com/th...module-for-centminmod-vcentminmod-ddos.13258/
Click to expand...

yeah @pamamolf just follow this as @duy13 updated his script to populate the persistent config file with the settings though just for static not dynamic module install IIRC

@duy13 any reason to use static nginx module and not enable dynamic module install for testcookie-nginx-module ?

duy13 · Nov 13, 2017

eva2000 said: ↑

any reason to use static nginx module and not enable dynamic module install for testcookie-nginx-module ?
Click to expand...

I think it's faster (if attacked), but in general, does not care about how everyone installs testcookie, just typing nginx -V appears "= ../testcookie-nginx-module-master" everything will be fine

eva2000 · Nov 13, 2017

dynamic module should be more efficient resource usage wise

Sos · Dec 23, 2018

So this is great! I have installed however when I have the service running I get a 403 forbidden error. Is there a way to fix this?

eva2000 · Dec 23, 2018

unfortuantely @duy13 outline is a 3rd party solution so can't really help with that.

Sos · Dec 24, 2018

@eva2000 is there a way that’s not 3rd party?

Log in / Register

Forums

Join the community today

Install Upgrade Nginx CentOS 7.x Anti-DDoS Mitigate: Automatic deploy/config Testcookie module for Centminmod (vCentminmod-DDoS)

duy13 New Member

rdan Well-Known Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

duy13 New Member

pamamolf Premium Member Premium Member

duy13 New Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

Sos New Member

eva2000 Administrator Staff Member

Sos New Member

.

Log in / Register

Useful Searches

Join the community today

Install Upgrade Nginx CentOS 7.x Anti-DDoS Mitigate: Automatic deploy/config Testcookie module for Centminmod (vCentminmod-DDoS)

duy13 New Member

rdan Well-Known Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

duy13 New Member

pamamolf Premium Member Premium Member

duy13 New Member

eva2000 Administrator Staff Member

duy13 New Member

eva2000 Administrator Staff Member

Sos New Member

eva2000 Administrator Staff Member

Sos New Member

.