XCODE FIREWALL STRONGEST PROTECTION FOR ANY NGINX-POWERED WEBSITE WITHOUT CLOUDFLARE

The Nginx version of XCODE Firewall works in exactly the same way, so I will not bother repeating all of that here. The only difference is the implementation, that is, how it is set up on an Nginx server, which is what this post explains.
XCODE NGINX
You should already be comfortable with Nginx and its various configuration files. In other words, this is not a tutorial on installing or configuring Nginx in general. It assumes you already have Nginx running and want to add XCODE Firewall to it.

The Nginx XCODE Firewall has two parts: the conditional logic and the firewall rules. Each part lives in its own file, and each file then has to be included from the Nginx configuration.

The main Nginx configuration file is /nginx/nginx.conf. This file will include xcode-firewall.conf, which holds the actual XCODE Firewall rules.

The local/site configuration file is /nginx/sites-enabled/example.com. This file will include xcode.conf, which holds the conditional logic.

So we will be working with four configuration files in total:
  • nginx.conf — includes xcode-firewall.conf
  • example.com — includes xcode.conf

Installation Step 1: Add the files:

First, download XCODE Firewall for Nginx (a ZIP file). Unzip it and you will find the following files:
  • xcode-firewall.conf
    
    # XCODE FIREWALL - NGINX v1.5
    # @ https://aming.info/
    
    map $query_string $bad_querystring_xcode {
    	
    	default 0;
    	
    	"~*([a-z0-9]{2000,})" 1;
    	"~*(/|%2f)(:|%3a)(/|%2f)" 2;
    	"~*(order(\s|%20)by(\s|%20)1--)" 3;
    	"~*(/|%2f)(\*|%2a)(\*|%2a)(/|%2f)" 4;
    	"~*(`|<|>|\^|\|\\|0x00|%00|%0d%0a)" 5;
    	"~*(ckfinder|fck|fckeditor|fullclick)" 6;
    	"~*(cmd|command)(=|%3d)(chdir|mkdir)(.*)(x20)" 7;
    	"~*(globals|mosconfig([a-z_]{1,22})|request)(=|\[)" 8;
    	"~*(/|%2f)((wp-)?config)((\.|%2e)inc)?((\.|%2e)php)" 9;
    	"~*(thumbs?(_editor|open)?|tim(thumbs?)?)((\.|%2e)php)" 10;
    	"~*(absolute_|base|root_)(dir|path)(=|%3d)(ftp|https?)" 11;
    	"~*(localhost|loopback|127(\.|%2e)0(\.|%2e)0(\.|%2e)1)" 12;
    	"~*(s)?(ftp|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215))" 13;
    	"~*(\.|20)(get|the)(_|%5f)(permalink|posts_page_url)(\(|%28)" 14;
    	"~*((boot|win)((\.|%2e)ini)|etc(/|%2f)passwd|self(/|%2f)environ)" 15;
    	"~*(((/|%2f){3,3})|((\.|%2e){3,3})|((\.|%2e){2,2})(/|%2f|%u2215))" 16;
    	"~*(benchmark|char|exec|fopen|function|html)(.*)(\(|%28)(.*)(\)|%29)" 17;
    	"~*(php)([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})" 18;
    	"~*(e|%65|%45)(v|%76|%56)(a|%61|%31)(l|%6c|%4c)(.*)(\(|%28)(.*)(\)|%29)" 19;
    	"~*(/|%2f)(=|%3d|$&|_mm|cgi(\.|-)|inurl(:|%3a)(/|%2f)|(mod|path)(=|%3d)(\.|%2e))" 20;
    	"~*(<|%3c)(.*)(e|%65|%45)(m|%6d|%4d)(b|%62|%42)(e|%65|%45)(d|%64|%44)(.*)(>|%3e)" 21;
    	"~*(<|%3c)(.*)(i|%69|%49)(f|%66|%46)(r|%72|%52)(a|%61|%41)(m|%6d|%4d)(e|%65|%45)(.*)(>|%3e)" 22;
    	"~*(<|%3c)(.*)(o|%4f|%6f)(b|%62|%42)(j|%4a|%6a)(e|%65|%45)(c|%63|%43)(t|%74|%54)(.*)(>|%3e)" 23;
    	"~*(<|%3c)(.*)(s|%73|%53)(c|%63|%43)(r|%72|%52)(i|%69|%49)(p|%70|%50)(t|%74|%54)(.*)(>|%3e)" 24;
    	"~*(\+|%2b|%20)(d|%64|%44)(e|%65|%45)(l|%6c|%4c)(e|%65|%45)(t|%74|%54)(e|%65|%45)(\+|%2b|%20)" 25;
    	"~*(\+|%2b|%20)(i|%69|%49)(n|%6e|%4e)(s|%73|%53)(e|%65|%45)(r|%72|%52)(t|%74|%54)(\+|%2b|%20)" 26;
    	"~*(\+|%2b|%20)(s|%73|%53)(e|%65|%45)(l|%6c|%4c)(e|%65|%45)(c|%63|%43)(t|%74|%54)(\+|%2b|%20)" 27;
    	"~*(\+|%2b|%20)(u|%75|%55)(p|%70|%50)(d|%64|%44)(a|%61|%41)(t|%74|%54)(e|%65|%45)(\+|%2b|%20)" 28;
    	"~*(\\x00|(\"|%22|\'|%27)?0(\"|%22|\'|%27)?(=|%3d)(\"|%22|\'|%27)?0|cast(\(|%28)0x|or%201(=|%3d)1)" 29;
    	"~*(g|%67|%47)(l|%6c|%4c)(o|%6f|%4f)(b|%62|%42)(a|%61|%41)(l|%6c|%4c)(s|%73|%53)(=|\[|%[0-9A-Z]{0,2})" 30;
    	"~*(_|%5f)(r|%72|%52)(e|%65|%45)(q|%71|%51)(u|%75|%55)(e|%65|%45)(s|%73|%53)(t|%74|%54)(=|\[|%[0-9A-Z]{2,})" 31;
    	"~*(j|%6a|%4a)(a|%61|%41)(v|%76|%56)(a|%61|%31)(s|%73|%53)(c|%63|%43)(r|%72|%52)(i|%69|%49)(p|%70|%50)(t|%74|%54)(:|%3a)(.*)(;|%3b|\)|%29)" 32;
    	"~*(b|%62|%42)(a|%61|%41)(s|%73|%53)(e|%65|%45)(6|%36)(4|%34)(_|%5f)(e|%65|%45|d|%64|%44)(e|%65|%45|n|%6e|%4e)(c|%63|%43)(o|%6f|%4f)(d|%64|%44)(e|%65|%45)(.*)(\()(.*)(\))" 33;
    	"~*(@copy|\$_(files|get|post)|allow_url_(fopen|include)|auto_prepend_file|blexbot|browsersploit|(c99|php)shell|curl(_exec|test)|disable_functions?|document_root|elastix|encodeuricom|exploit|fclose|fgets|file_put_contents|fputs|fsbuff|fsockopen|gethostbyname|grablogin|hmei7|input_file|null|open_basedir|outfile|passthru|phpinfo|popen|proc_open|quickbrute|remoteview|root_path|safe_mode|shell_exec|site((.){0,2})copier|sux0r|trojan|user_func_array|wget|xertive)" 34;
    	"~*(;|<|>|\'|\"|\)|%0a|%0d|%22|%27|%3c|%3e|%00)(.*)(/\*|alter|base64|benchmark|cast|concat|convert|create|encode|declare|delete|drop|insert|md5|request|script|select|set|union|update)" 35;
    	"~*((\+|%2b)(concat|delete|get|select|union)(\+|%2b))" 36;
    	"~*(union)(.*)(select)(.*)(\(|%28)" 37;
    	"~*(concat|eval)(.*)(\(|%28)" 38;
    	
    }
    
    map $request_uri $bad_request_xcode {
    	
    	default 0;
    	
    	"~*(\^|`|<|>|\\|\|)" 1;
    	"~*([a-z0-9]{2000,})" 2;
    	"~*(=?\\\(\'|%27)/?)(\.)" 3;
    	"~*(/)(\*|\"|\'|\.|,|&|&?)/?$" 4;
    	"~*(\.)(php)(\()?([0-9]+)(\))?(/)?$" 5;
    	"~*(/)(vbulletin|boards|vbforum)(/)?" 6;
    	"~*(/)((.*)header:|(.*)set-cookie:(.*)=)" 7;
    	"~*(/)(ckfinder|fck|fckeditor|fullclick)" 8;
    	"~*(\.(s?ftp-?)config|(s?ftp-?)config\.)" 9;
    	"~*(\{0\}|\"?0\"?=\"?0|\(/\(|\.\.\.|\+\+\+|\\\")" 10;
    	"~*(thumbs?(_editor|open)?|tim(thumbs?)?)(\.php)" 11;
    	"~*(\.|20)(get|the)(_)(permalink|posts_page_url)(\()" 12;
    	"~*(///|\?\?|/&&|/\*(.*)\*/|/:/|\\\\|0x00|%00|%0d%0a)" 13;
    	"~*(/%7e)(root|ftp|bin|nobody|named|guest|logs|sshd)(/)" 14;
    	"~*(/)(etc|var)(/)(hidden|secret|shadow|ninja|passwd|tmp)(/)?$" 15;
    	"~*(s)?(ftp|http|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215))" 16;
    	"~*(/)(=|\$&?|&?(pws|rk)=0|_mm|_vti_|cgi(\.|-)?|(=|/|;|,)nt\.)" 17;
    	"~*(\.)(ds_store|htaccess|htpasswd|init?|mysql-select-db)(/)?$" 18;
    	"~*(/)(bin)(/)(cc|chmod|chsh|cpp|echo|id|kill|mail|nasm|perl|ping|ps|python|tclsh)(/)?$" 19;
    	"~*(/)(::[0-9999]|%3a%3a[0-9999]|127\.0\.0\.1|localhost|loopback|makefile|pingserver|wwwroot)(/)?" 20;
    	"~*(\(null\)|\{\$itemURL\}|cAsT\(0x|echo(.*)kae|etc/passwd|eval\(|self/environ|\+union\+all\+select)" 21;
    	"~*(/)?j((\s)+)?a((\s)+)?v((\s)+)?a((\s)+)?s((\s)+)?c((\s)+)?r((\s)+)?i((\s)+)?p((\s)+)?t((\s)+)?(%3a|:)" 22;
    	"~*(/)(awstats|(c99|php|web)shell|document_root|error_log|listinfo|muieblack|remoteview|site((.){0,2})copier|sqlpatch|sux0r)" 23;
    	"~*(/)((php|web)?shell|crossdomain|fileditor|locus7|nstview|php(get|remoteview|writer)|r57|remview|sshphp|storm7|webadmin)(.*)(\.|\()" 24;
    	"~*(/)(author-panel|bitrix|class|database|(db|mysql)-?admin|filemanager|htdocs|httpdocs|https?|mailman|mailto|msoffice|mysql|_?php-my-admin(.*)|tmp|undefined|usage|var|vhosts|webmaster|www)(/)" 25;
    	"~*(base64_(en|de)code|benchmark|child_terminate|curl_exec|e?chr|eval|function|fwrite|(f|p)open|html|leak|passthru|p?fsockopen|phpinfo|posix_(kill|mkfifo|setpgid|setsid|setuid)|proc_(close|get_status|nice|open|terminate)|(shell_)?exec|system)(.*)(\()(.*)(\))" 26;
    	"~*(/)(^$|00.temp00|0day|3index|3xp|70bex?|admin_events|bkht|(php|web)?shell|c99|config(\.)?bak|curltest|db|dompdf|filenetworks|hmei7|index\.php/index\.php/index|jahat|kcrew|keywordspy|libsoft|marg|mobiquo|mysql|nessus|php-?info|racrew|sql|vuln|(web-?|wp-)?(conf\b|config(uration)?)|xertive)(\.php)" 27;
    	"~*(\.)(7z|ab4|ace|afm|ashx|aspx?|bash|ba?k?|bin|bz2|cfg|cfml?|cgi|conf\b|config|ctl|dat|db|dist|dll|eml|engine|env|et2|exe|fec|fla|git|hg|inc|ini|inv|jsp|log|lqd|make|mbf|mdb|mmw|mny|module|old|one|orig|out|passwd|pdb|phtml|pl|profile|psd|pst|ptdb|pwd|py|qbb|qdf|rar|rdf|save|sdb|sql|sh|soa|svn|swf|swl|swo|swp|stx|tar|tax|tgz|theme|tls|tmd|wow|xtmpl|ya?ml|zlib)$" 28;
    	
    }
    
    map $http_user_agent $bad_bot_xcode {
    	
    	default 0;
    	
    	"~*([a-z0-9]{2000,})" 1;
    	"~*(<|%0a|%0d|%27|%3c|%3e|%00|0x00)" 2;
    	"~*(ahrefs|alexibot|majestic|mj12bot|rogerbot)" 3;
    	"~*((c99|php|web)shell|remoteview|site((.){0,2})copier)" 4;
    	"~*(econtext|eolasbot|eventures|liebaofast|nominet|oppo\sa33)" 5;
    	"~*(base64_decode|bin/bash|disconnect|eval|lwp-download|unserialize|\\\x22)" 6;
    	"~*(acapbot|acoonbot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httrack|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|linkextractor|linkscan|linkwalker|loader|masscan|miner|mechanize|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nutch|octopus|pagegrabber|petalbot|planetwork|postrank|proximic|purebot|pycurl|python|queryn|queryseeker|radian6|radiation|realdownload|scooter|seekerspider|semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot|sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker|winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg)" 7;
    	
    }
    
    map $http_referer $bad_referer_xcode {
    	
    	default 0;
    	
    	"~*(semalt.com|todaperfeita)" 1;
    	"~*(order(\s|%20)by(\s|%20)1--)" 2;
    	"~*(blue\spill|cocaine|ejaculat|erectile|erections|hoodia|huronriveracres|impotence|levitra|libido|lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby|ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)" 3;
    	
    }
    
    map $request_method $not_allowed_method_xcode {
    	
    	default 0;
    	
    	"~*^(connect)" 1;
    	"~*^(debug)" 2;
    	"~*^(move)" 3;
    	"~*^(trace)" 4;
    	"~*^(track)" 5;
    	
    }
    
  • xcode.conf
    
    # XCODE FIREWALL - NGINX v1.5
    # @ https://aming.info/
    
    set $xcode_reason "";
    set $xcode_drop_bad_bot 0;
    set $xcode_drop_bad_referer 0;
    set $xcode_drop_bad_query_string 0;
    set $xcode_drop_bad_request 0;
    set $xcode_drop_bad_method 0;
    set $xcode_drop 0;
    
    if ($bad_bot_xcode) {
    
    	set $xcode_reason "${xcode_reason}:bad_bot_${bad_bot_xcode}:"; 
    	set $xcode_drop_bad_bot 1;
    
    }
    
    if ($bad_referer_xcode) { 
    
    	set $xcode_reason "${xcode_reason}:bad_referer_${bad_referer_xcode}:"; 
    	set $xcode_drop_bad_referer 1;
    
    }
    
    if ($bad_querystring_xcode) {
    
    	set $xcode_reason "${xcode_reason}:bad_querystring_${bad_querystring_xcode}:"; 
    	set $xcode_drop_bad_query_string 1;
    
    }
    
    if ($bad_request_xcode) {
    
    	set $xcode_reason "${xcode_reason}:bad_request_${bad_request_xcode}:"; 
    	set $xcode_drop_bad_request 1;
    
    }
    
    if ($not_allowed_method_xcode) {
    
    	set $xcode_reason "${xcode_reason}:not_allowed_method_${not_allowed_method_xcode}:"; 
    	set $xcode_drop_bad_method 2;
    
    }
    
    if ($xcode_drop_bad_bot) {
    
    	set $args "${xcode_reason}";
    	set $xcode_drop 1;
    
    }
    
    if ($xcode_drop_bad_referer) {
    
    	set $args "${xcode_reason}";
    	set $xcode_drop 1;
    
    }
    
    if ($xcode_drop_bad_query_string) {
    
    	set $args "${xcode_reason}";
    	set $xcode_drop 1;
    
    }
    
    if ($xcode_drop_bad_request) {
    
    	set $args "${xcode_reason}";
    	set $xcode_drop 1;
    
    }
    
    if ($xcode_drop_bad_method) {
    
    	set $args "${xcode_reason}";
    	set $xcode_drop 2;
    
    }
    
    if ($xcode_drop = 1) {
    
    	return 403;
    
    }
    
    if ($xcode_drop = 2) {
    
    	return 405;
    
    }
    
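To make the flow of xcode.conf concrete, here is an added Python emulation (not part of XCODE Firewall or of this post) of how the map lookups and the chain of if blocks combine. It carries a constructed subset of the rules from xcode-firewall.conf, keyed by the same rule numbers, and reproduces two details worth knowing when reading the config: a map returns the value of the first listed pattern that matches, and because every later if block overwrites $xcode_drop, a disallowed method (drop value 2, HTTP 405) takes precedence over the 403 causes even when several fire at once. Rule 28 is trimmed to a few of its extensions; the other patterns are copied verbatim.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed subset of the map rules from xcode-firewall.conf, keyed by the rule
# number the map assigns. nginx "~*" patterns are case-insensitive PCRE matches,
# which re.IGNORECASE reproduces for these expressions. Rule 28 is trimmed to a
# few of its file extensions to keep the example short.
BAD_QUERYSTRING: Dict[int, str] = {
    2: r"(/|%2f)(:|%3a)(/|%2f)",
    16: r"(((/|%2f){3,3})|((\.|%2e){3,3})|((\.|%2e){2,2})(/|%2f|%u2215))",
    37: r"(union)(.*)(select)(.*)(\(|%28)",
}
BAD_REQUEST: Dict[int, str] = {
    15: r"(/)(etc|var)(/)(hidden|secret|shadow|ninja|passwd|tmp)(/)?$",
    28: r"(\.)(7z|env|git|log|sql|sh|swp|tar)$",
}
BAD_BOT: Dict[int, str] = {
    3: r"(ahrefs|alexibot|majestic|mj12bot|rogerbot)",
}
BAD_REFERER: Dict[int, str] = {
    2: r"(order(\s|%20)by(\s|%20)1--)",
}
NOT_ALLOWED_METHOD: Dict[int, str] = {
    1: r"^(connect)", 2: r"^(debug)", 3: r"^(move)", 4: r"^(trace)", 5: r"^(track)",
}


def map_lookup(rules: Dict[int, str], value: str) -> int:
    """Emulate an nginx map block: the first regex in listed order that matches
    wins; no match yields the 'default 0' value."""
    for number, pattern in rules.items():
        if re.search(pattern, value, re.IGNORECASE):
            return number
    return 0


@dataclass
class Verdict:
    status: Optional[int]  # 403, 405, or None when the request is allowed through
    reason: str            # the $xcode_reason string that xcode.conf builds up
    args: str              # what $args holds afterwards (overwritten on a block)


def decide(method: str, request_uri: str, user_agent: str = "", referer: str = "") -> Verdict:
    """Run one request through the same sequence of checks as xcode.conf."""
    # nginx's $request_uri carries path plus query; $query_string is the part after '?'
    query_string = request_uri.partition("?")[2]
    # same order as the if blocks in xcode.conf, with the drop value each one assigns
    checks = [
        ("bad_bot", map_lookup(BAD_BOT, user_agent), 1),
        ("bad_referer", map_lookup(BAD_REFERER, referer), 1),
        ("bad_querystring", map_lookup(BAD_QUERYSTRING, query_string), 1),
        ("bad_request", map_lookup(BAD_REQUEST, request_uri), 1),
        ("not_allowed_method", map_lookup(NOT_ALLOWED_METHOD, method), 2),
    ]
    reason, drop = "", 0
    for label, hit, drop_value in checks:
        if hit:
            reason += f":{label}_{hit}:"
            # each later 'if' overwrites $xcode_drop, so a bad method (2) wins over 403 causes
            drop = drop_value
    if drop == 0:
        return Verdict(None, reason, query_string)
    return Verdict(403 if drop == 1 else 405, reason, reason)


if __name__ == "__main__":
    # constructed sample requests: one clean, one traversal attempt, one bad bot using TRACE
    samples = [
        ("GET", "/about", "Mozilla/5.0", "https://example.com/"),
        ("GET", "/?q=../../etc/passwd", "Mozilla/5.0", ""),
        ("TRACE", "/", "AhrefsBot/7.0", ""),
    ]
    for method, uri, ua, ref in samples:
        v = decide(method, uri, ua, ref)
        print(f"{method} {uri} [{ua}] -> {v.status or 'allowed'} {v.reason}")
```

Running the file prints a verdict per sample request. Note that $request_uri carries the query string too, so a traversal attempt in the query can trip both the $bad_querystring_xcode and the $bad_request_xcode maps, and the reason string records both hits in sequence, which is exactly the string xcode.conf then writes into $args.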

Installation Step 2: Include the firewall rules:

Add both files to the /nginx/conf.d/ directory. Once the files are uploaded, they must be included in the Nginx configuration.

http {
	.
	.
	.
	include /etc/nginx/conf.d/xcode-firewall.conf;
	.
	.
	.
}
Make sure the paths are correct for the directory layout on your server.

Installation Step 3: Include conditional logic:

In the local/site configuration file /nginx/sites-enabled/example.com, add the following statement, which includes the file holding the XCODE Firewall conditional logic.

server {
	.
	.
	.
	include /etc/nginx/conf.d/xcode.conf;
	.
	.
	.
}

Installation Step 4: Restart Nginx server

After changing the Nginx configuration you must restart the server for the changes to take effect. Check your web host's documentation for the best way to do this.

Installation Step 5: Testing

At this point you should have both XCODE Firewall files included in your Nginx configuration, and the server restarted so that the new rules are active.

The next step is thorough testing to make sure everything works as intended. You must check that the website operates normally, and also that XCODE Firewall is doing its job, blocking bad queries and so on.
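As an added example for this testing step (not code from the post or from XCODE Firewall), the following Python script sends a handful of constructed probe requests to a deployed site and compares the status codes with what the rules should produce. The base URL comes from the command line, and the expected codes follow from xcode.conf: 403 for the bad-bot, bad-query-string and bad-request maps, 405 for a disallowed method, and 200 for a normal page as the control. The fetch function is injectable so the check logic can also be exercised without a server.

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed acceptance checks: (description, method, path, extra headers, expected status).
# Each probe is chosen to trip one rule in xcode-firewall.conf; the last one is the
# control that must keep working after the firewall is in place.
CHECKS: List[Tuple[str, str, str, Dict[str, str], int]] = [
    ("bad query string ($bad_querystring_xcode rule 16)", "GET", "/?q=../../etc/passwd", {}, 403),
    ("bad request URI ($bad_request_xcode rule 28)", "GET", "/backup.sql", {}, 403),
    ("bad user agent ($bad_bot_xcode rule 3)", "GET", "/", {"User-Agent": "AhrefsBot/7.0"}, 403),
    ("disallowed method ($not_allowed_method_xcode rule 4)", "TRACE", "/", {}, 405),
    ("normal page still served", "GET", "/", {}, 200),
]

# A fetch function takes (method, path, headers) and returns the HTTP status code.
Fetch = Callable[[str, str, Dict[str, str]], int]

# Browser-like agent for every probe that is not the bot probe: rule 7 of
# $bad_bot_xcode matches "python", so urllib's default agent would itself be blocked.
DEFAULT_AGENT = "Mozilla/5.0 (compatible; xcode-check)"


def http_status(base_url: str) -> Fetch:
    """Build a fetch function that performs a real request with urllib and reports
    the status, treating 4xx/5xx responses as results rather than errors."""
    def fetch(method: str, path: str, headers: Dict[str, str]) -> int:
        hdrs = {"User-Agent": DEFAULT_AGENT, **headers}
        req = urllib.request.Request(base_url.rstrip("/") + path, method=method, headers=hdrs)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch


def run_checks(fetch: Fetch) -> List[Tuple[str, int, int, bool]]:
    """Run every probe through fetch; return (description, expected, got, passed) rows."""
    results = []
    for desc, method, path, headers, expected in CHECKS:
        got = fetch(method, path, headers)
        results.append((desc, expected, got, got == expected))
    return results


def all_passed(rows: List[Tuple[str, int, int, bool]]) -> bool:
    """True when every probe produced the status the firewall should give."""
    return all(passed for _, _, _, passed in rows)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    rows = run_checks(http_status(base))
    for desc, expected, got, passed in rows:
        print(f"{'PASS' if passed else 'FAIL'}  {desc}: expected {expected}, got {got}")
    sys.exit(0 if all_passed(rows) else 1)
```

Run it as `python3 xcode_check.py https://example.com` (the file name is a placeholder). Two caveats: the script sets a browser-like User-Agent on every probe except the bot probe, because rule 7 of $bad_bot_xcode matches `python`, so urllib's default `Python-urllib` agent would be blocked and the control check would fail for the wrong reason; and on a static-file location nginx already answers TRACE with 405 on its own, so the 403 results are the ones that prove the firewall is active. If `nginx -t` reports that the map directive is not allowed, xcode-firewall.conf was included inside server rather than http: map is an http-context directive, while the set and if directives in xcode.conf belong in the server block.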

Installation Alternative

On Nginx 1.18 and newer you can make use of the snippets directory, which makes this easier to deploy. The steps are:
  • Add xcode-firewall.conf to /etc/nginx/conf.d
  • Add xcode.conf to /etc/nginx/snippets
  • Add `include /etc/nginx/snippets/xcode.conf;` to the server block
DONE!