Openresty ngx_lua_waf 搭建简单的WAF防护平台，为您的网站保驾护航

Jan192018

作者：Fisher 发布：2018-01-19 12:03 分类：系统, 系统安全抢沙发

[摘要] 接上一篇写过的使用nginx限制DDOS攻击，这几天比较空闲，把博客站点做了些改动，使用Openresty ngx_lua_waf 搭建简单的WAF防护平台，主要增加了 WAF 控制模块，并且将 Ningx 换成了 Openresty 作为web服务器，章同学开源的 Openresty 对lua的支持非常好，这里表示致敬和感谢！

openresty站点：https://openresty.org
ngx_lua_waf 模块：https://github.com/loveshell/ngx_lua_waf
具体安装就不说了，openresty的安装使用Nginx基本一样。只是配置稍作修改，增加lua的部分。

nginx.conf 的 http 段配置中增加如下：

    #Add ngx_lua_waf config by sudops.com
    lua_package_path "/path/nginx/conf/ngx_lua_waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /path/nginx/conf/ngx_lua_waf/init.lua;
    access_by_lua_file /path/nginx/conf/ngx_lua_waf/waf.lua;

#Add ngx_lua_waf config by sudops.com

lua_package_path "/path/nginx/conf/ngx_lua_waf/?.lua";

lua_shared_dict limit 10m;

init_by_lua_file /path/nginx/conf/ngx_lua_waf/init.lua;

access_by_lua_file /path/nginx/conf/ngx_lua_waf/waf.lua;

waf的具体规则在如下目录：
nginx/conf/ngx_lua_waf/wafconf
args cookie post url user-agent whiteurl

ngx_lua_waf的一些规则与配置：

$cat url
\.(svn|htaccess|bash_history)
\.(bak|inc|old|mdb|sql|backup|java|class)$
(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
(phpmyadmin|jmx-console|jmxinvokerservlet)
java\.lang
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|
static|template|data|inc|forumdata|upload|includes|cache|avatar)/
(\\w+).(php|jsp)

$cat args
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|
shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|
print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=

$cat config.lua
RulePath = "/path/nginx/conf/ngx_lua_waf/wafconf/"
attacklog = "on"
logdir = "/path/log/"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp","html"}
ipWhitelist={"127.0.0.1"}
ipBlocklist={"1.0.0.1"}
CCDeny="on"
CCrate="100/60"
html=[[
Bad requests..
]]

$cat url

\.(svn|htaccess|bash_history)

\.(bak|inc|old|mdb|sql|backup|java|class)$

(phpmyadmin|jmx-console|jmxinvokerservlet)

java\.lang

(\\w+).(php|jsp)

$cat args

\.\./

\:\$

\$\{

select.+(from|limit)

(?:(union(.*?)select))

having|rongjitest

sleep$(\s*)(\d*)(\s*)$

benchmark$(.*)\,(.*)$

base64_decode\(

(?:from\W+information_schema\W)

(?:(?:current_)user|database|schema|connection_id)\s*\(

(?:etc\/\W*passwd)

into(\s+)+(?:dump|out)file\s*

group\s+by.+\(

xwork.MethodAccessor

print_r|var_dump|(fp)open|alert|showmodaldialog)\(

xwork\.MethodAccessor

java\.lang

(onmouseover|onerror|onload)\=

$cat config.lua

RulePath = "/path/nginx/conf/ngx_lua_waf/wafconf/"

attacklog = "on"

logdir = "/path/log/"

UrlDeny="on"

Redirect="on"

CookieMatch="on"

postMatch="on"

whiteModule="on"

black_fileExt={"php","jsp","html"}

ipWhitelist={"127.0.0.1"}

ipBlocklist={"1.0.0.1"}

CCDeny="on"

CCrate="100/60"

html=[[

Bad requests..

]]

*** 需要注意的是默认规则中部分限制的比较严格，可能会导致wp后台的一些正常操作被禁止掉，需要根据实际情况进行修改，比如upload资源部分。
下面是一个尝试访问/etc/passwd的非法请求被ngx_lua_waf挡住的样例，页面提示了『Bad requests..』，这个提示语可以在config.lua中指定：

nginx lua waf 上线后，可以观察下日志，能看到还是有不少的非法请求：

185.172.110.208 [2018-01-15 07:44:00] "GET /bbs.rar" "-"  "User-Agent	Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:46:09] "GET /flashfxp.rar" "-"  "User-Agent	Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:49:20] "GET /phpmyadmin.rar" "-"  "User-Agent	Baiduspider" "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 07:49:21] "GET /phpmyadmin.zip" "-"  "User-Agent	Baiduspider" "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 07:49:54] "GET /root.rar" "-"  "User-Agent	Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:50:21] "GET /sites.rar" "-"  "User-Agent	Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:53:44] "GET /web%20sites.rar" "-"  "User-Agent	Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:54:49] "GET /website.rar" "-"  "User-Agent	Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 07:54:52] "GET /websites.rar" "-"  "User-Agent	Baiduspider" "(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar"
185.172.110.208 [2018-01-15 17:22:09] "GET /phpMyAdmin-2.9.2/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:09] "GET /phpMyAdmin-2/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:10] "GET /phpMyAdmin-3.0.0-rc1-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:10] "GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:11] "GET /phpMyAdmin-3.0.1.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:11] "GET /phpMyAdmin-3.0.1.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:12] "GET /phpMyAdmin-3.0.1.1/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:12] "GET /phpMyAdmin-3.1.0.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:13] "GET /phpMyAdmin-3.1.0.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:13] "GET /phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:14] "GET /phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:14] "GET /phpMyAdmin-3.1.2.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:15] "GET /phpMyAdmin-3.1.2.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
185.172.110.208 [2018-01-15 17:22:15] "GET /phpMyAdmin-3.4.3.1/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"
141.101.76.77 [2018-01-17 02:53:46] "POST /wp-admin/admin-ajax.php?action=frm_forms_preview" "[su_metakey=1 post_id=1 default='print("\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x5F\x31\x30")' filter='assert']"  "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 GTB5" "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\("
141.101.77.69 [2018-01-18 17:45:17] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:17] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:17] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:etc\/\W*passwd)"
141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"
141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:etc\/\W*passwd)"
141.101.77.69 [2018-01-18 17:45:20] "POST /wp-content/plugins/wp-symposium/server/php/index.php" "--13530703071348311 ... Content-Disposition: form-data; name="uploader_url" echo '<form method="POST"><textarea cols=80 rows=20 name="src">'.htmlspecialchars(file_get_contents($_POST['path'])).'</t"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\("

185.172.110.208 [2018-01-15 07:49:20] "GET /phpmyadmin.rar" "-" "User-Agent Baiduspider" "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 07:49:21] "GET /phpmyadmin.zip" "-" "User-Agent Baiduspider" "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:09] "GET /phpMyAdmin-2.9.2/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:09] "GET /phpMyAdmin-2/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:10] "GET /phpMyAdmin-3.0.0-rc1-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:10] "GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:11] "GET /phpMyAdmin-3.0.1.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:11] "GET /phpMyAdmin-3.0.1.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:12] "GET /phpMyAdmin-3.0.1.1/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:12] "GET /phpMyAdmin-3.1.0.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:13] "GET /phpMyAdmin-3.1.0.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:13] "GET /phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:14] "GET /phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:14] "GET /phpMyAdmin-3.1.2.0-english/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:15] "GET /phpMyAdmin-3.1.2.0/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

185.172.110.208 [2018-01-15 17:22:15] "GET /phpMyAdmin-3.4.3.1/scripts/setup.php" "-" - "(phpmyadmin|jmx-console|jmxinvokerservlet)"

141.101.77.69 [2018-01-18 17:45:17] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"

141.101.77.69 [2018-01-18 17:45:17] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"

141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:etc\/\W*passwd)"

141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "\.\./"

141.101.77.69 [2018-01-18 17:45:18] "GET /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd" "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32" "(?:etc\/\W*passwd)"

以上日志能够看到几种非常明显的嗅探与攻击：
比如：
（1）尝试访问放在web发布目录的备份文件，特别是整站代码数据库的备份文件等；
（2）phpMyAdmin安装完之后setup.php文件没有清除（看来phpmyadmin确实是容易被攻击的点）
（3）wordpress相关的，访问本地目录的权限、插件的漏洞以及一些常见的XSS攻击。
（4）web目录可写，文件及目录权限全部为777等。

所以还是要提高运维最基本的安全防范意识，很多时候受到攻击都是由于流程和规范的不合理而导致的。

本文固定链接: https://www.sudops.com/openresty-ngx-lua-waf-to-protect-your-website.html | 运维·速度

该日志由 Fisher 于2018年01月19日发表在系统, 系统安全分类下，你可以发表评论，并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: Openresty ngx_lua_waf 搭建简单的WAF防护平台，为您的网站保驾护航 | 运维·速度
关键字: lua, nginx, openresty, waf

【上一篇】cloudera manager 忘记密码的解决办法
【下一篇】2018年企业云战略的4个趋势

Openresty ngx_lua_waf 搭建简单的WAF防护平台，为您的网站保驾护航

您可能还会对这些文章感兴趣！

Openresty ngx_lua_waf 搭建简单的WAF防护平台，为您的网站保驾护航：等您坐沙发呢！

发表评论

最新日志热评日志随机日志

赞助链接

标签云

最新文章

最近评论

最活跃的读者

欢迎关注运维·速度微信公众号

最新评论

标签云集

博客统计

Openresty ngx_lua_waf 搭建简单的WAF防护平台，为您的网站保驾护航

您可能还会对这些文章感兴趣！

Openresty ngx_lua_waf 搭建简单的WAF防护平台，为您的网站保驾护航：等您坐沙发呢！

发表评论

最新日志热评日志随机日志

赞助链接

标签云

最新文章

最近评论

最活跃的读者

欢迎关注 运维·速度 微信公众号

最新评论

标签云集

博客统计

欢迎关注运维·速度微信公众号