
apache+ddos+mod_evasive+mod_security+mod_ssl

By Steve Fox, 2014-05-19 23:50

Preventing DoS / SYN attacks.

    If a single IP reaches 20 connections, do we treat that as an attack? Do we then disable that IP? Do we allow only 15 IPs per unit of time? Only 5 new connections per second.

For the DoS attack, see the script dos.sh.

Using httpd's security modules:

    mod_evasive     this only defends against DoS / CC attacks
    mod_security    this also defends against DoS, CC and SQL injection attacks

Going forward it is best to use both modules together.

    [root@102 ~]# rpm -ihv /mnt/yuanwenjian/epel/mod_evasive-1.10.1-3.el5.i386.rpm
    warning: /mnt/yuanwenjian/epel/mod_evasive-1.10.1-3.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 217521f6
    Preparing...                ########################################### [100%]
       1:mod_evasive            ########################################### [100%]
    [root@102 ~]# ll /etc/httpd/modules/mod_evasive20.so
    -rwxr-xr-x 1 root root 12348 Jul 13 2007 /etc/httpd/modules/mod_evasive20.so

The following configuration file is generated as well:

    [root@102 ~]# ll /etc/httpd/conf.d/mod_evasive.conf
    -rw-r--r-- 1 root root 3475 Jul 12 2007 /etc/httpd/conf.d/mod_evasive.conf

    [root@102 ~]# vim /etc/httpd/conf.d/mod_evasive.conf

    DOSHashTableSize    3097        this is the 1G figure.
    DOSPageCount        5           number of times the same page may be requested within the interval, per client.
    DOSSiteCount        100         the same client may hold 100 concurrent connections.
    DOSPageInterval     2
    DOSSiteInterval     2           the interval, in seconds.
    DOSBlockingPeriod   600         an offending client is blocked for 600 seconds.
    DOSLogDir           "/var/log/mod_evasive"      where the log files are kept.
    #DOSWhitelist       127.0.0.1
    #DOSWhitelist       192.168.0.*     this is the whitelist: IPs listed here are not subject to the limits above.
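An added example, not from the original notes, that models what these directives do: it replays constructed request lines (timestamp, client IP, URI) through the mod_evasive checks as the module documents them, one counter per client and URI for DOSPageCount/DOSPageInterval, one per client for DOSSiteCount/DOSSiteInterval, each reset when the gap since that client's previous hit reaches the interval, a block once a counter already stands at the threshold, and DOSBlockingPeriod seconds of 403 afterwards, every further hit extending the block. The thresholds are the values from the configuration above; the traffic and the addresses are made up, and the whitelist match here is exact (mod_evasive also accepts 192.168.0.* patterns). Running it shows which clients would be blocked and when a block lapses.

```shell
#!/bin/sh
# Added example (not part of the original notes): a small model of the
# mod_evasive checks, fed with constructed request lines, so the effect of
# the directives can be seen before the module goes live. Thresholds are
# the values from mod_evasive.conf above; the traffic is invented.
DOS_PAGE_COUNT=5
DOS_PAGE_INTERVAL=2
DOS_SITE_COUNT=100
DOS_SITE_INTERVAL=2
DOS_BLOCKING_PERIOD=600
DOS_WHITELIST="127.0.0.1"

# Constructed traffic, one request per line: "epoch_seconds client_ip uri".
sample_log() {
    awk 'BEGIN {
        # 7 hits on one page in the same second: trips DOSPageCount 5
        for (i = 1; i <= 7; i++) print 1000, "10.0.0.5", "/login.php"
        # 105 different URIs within 2 seconds: trips DOSSiteCount 100
        for (i = 1; i <= 105; i++) print 1000 + int(i / 60), "10.0.0.9", "/asset" i ".js"
        # a normal visitor, one page every 3 seconds: never blocked
        for (i = 1; i <= 6; i++) print 1000 + 3 * i, "10.0.0.7", "/index.html"
        # a monitoring host hammering /status from the whitelist
        for (i = 1; i <= 20; i++) print 1000, "127.0.0.1", "/status"
        # the first attacker comes back after the 600 s blocking period
        print 1700, "10.0.0.5", "/login.php"
    }'
}

# Read request lines on stdin; print "<ts> <ip> <uri> ALLOW|BLOCK <reason>".
evaluate() {
    awk -v pc="$DOS_PAGE_COUNT" -v pi="$DOS_PAGE_INTERVAL" \
        -v sc="$DOS_SITE_COUNT" -v si="$DOS_SITE_INTERVAL" \
        -v bp="$DOS_BLOCKING_PERIOD" -v wl="$DOS_WHITELIST" '
    BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
    {
        t = $1; ip = $2; uri = $3
        if (ip in white) { print t, ip, uri, "ALLOW whitelist"; next }
        # already on the blocking list and the period is not over: 403,
        # and the block is extended from this hit
        if ((ip in blocked) && t - blocked[ip] < bp) {
            blocked[ip] = t; print t, ip, uri, "BLOCK listed"; next
        }
        verdict = "ALLOW -"
        # same client, same URI: DOSPageCount within DOSPageInterval
        k = ip SUBSEP uri
        if ((k in pt) && t - pt[k] < pi && pn[k] >= pc) verdict = "BLOCK page"
        if ((k in pt) && t - pt[k] >= pi) pn[k] = 0
        pt[k] = t; pn[k]++
        # same client, any URI: DOSSiteCount within DOSSiteInterval
        if ((ip in st) && t - st[ip] < si && sn[ip] >= sc) verdict = "BLOCK site"
        if ((ip in st) && t - st[ip] >= si) sn[ip] = 0
        st[ip] = t; sn[ip]++
        if (verdict ~ /^BLOCK/) blocked[ip] = t
        print t, ip, uri, verdict
    }'
}

# Clients that would have received at least one 403.
blocked_clients() {
    sample_log | evaluate | awk '$4 == "BLOCK" { print $2 }' | sort -u
}

sample_log | evaluate | awk '$4 == "BLOCK"'
echo "blocked clients: $(blocked_clients | tr '\n' ' ')"
```

With the sample traffic, 10.0.0.5 is refused on its sixth hit on /login.php and on the seventh, then served again at t=1700 once the 600-second block has lapsed; 10.0.0.9 is refused from its 101st request onwards; the slow visitor and the whitelisted host are never touched. One more thing to check on the real server: DOSLogDir names a directory (mod_evasive creates a lock file per blocked client inside it), so create it with mkdir -p rather than touch.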

    [root@102 ~]# touch /var/log/mod_evasive        that's all that is needed.

    [root@102 ~]# /etc/init.d/httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd: httpd: apr_sockaddr_info_get() failed for 102.huang.com
    httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                               [  OK  ]

Using mod_security.

    [root@102 ~]# rpm -ihv /mnt/yuanwenjian/epel/lua-5.1.2-1.el5.i386.rpm
    [root@102 ~]# rpm -ihv /mnt/yuanwenjian/epel/mod_security-2.5.9-1.el5.i386.rpm
    Preparing...                ########################################### [100%]
       1:mod_security           ########################################### [100%]

The following files are generated:

    [root@105 ~]# ll /etc/httpd/modsecurity.d/
    modsecurity_crs_10_config.conf
    modsecurity_crs_20_protocol_violations.conf
    modsecurity_crs_21_protocol_anomalies.conf
    modsecurity_crs_23_request_limits.conf
    modsecurity_crs_30_http_policy.conf
    modsecurity_crs_35_bad_robots.conf
    modsecurity_crs_40_generic_attacks.conf
    modsecurity_crs_45_trojans.conf
    modsecurity_crs_50_outbound.conf
    modsecurity_localrules.conf
    optional_rules/
    [root@105 ~]# ll /etc/httpd/modules/mod_security2.so
    -rwxr-xr-x 1 root root 278588 Mar 12 2009 /etc/httpd/modules/mod_security2.so
    [root@105 ~]# ll /etc/httpd/conf.d/mod_security.conf
    -rw-r--r-- 1 root root 1116 Mar 12 2009 /etc/httpd/conf.d/mod_security.conf

    [root@105 ~]# vim /etc/httpd/conf.d/mod_security.conf

    # Example configuration file for the mod_security Apache module
    LoadModule security2_module modules/mod_security2.so
    LoadModule unique_id_module modules/mod_unique_id.so

    # This is the ModSecurity Core Rules Set.

    # Basic configuration goes in here
    Include modsecurity.d/modsecurity_crs_10_config.conf

    # Protocol violation and anomalies.
    Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
    Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

    # HTTP policy rules
    Include modsecurity.d/modsecurity_crs_30_http_policy.conf

    # Here comes the Bad Stuff...
    Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
    Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
    Include modsecurity.d/modsecurity_crs_45_trojans.conf
    Include modsecurity.d/modsecurity_crs_50_outbound.conf

    # Search engines and other crawlers. Only useful if you want to track
    # Google / Yahoo et. al.
    # Include modsecurity.d/modsecurity_crs_55_marketing.conf

    # Put your local rules in here.
    Include modsecurity.d/modsecurity_localrules.conf

    [root@105 ~]# /etc/init.d/httpd restart
    Stopping httpd:                                            [FAILED]
    Starting httpd:                                            [  OK  ]

The default log files:

    [root@105 ~]# vim /var/log/httpd/modsec_audit.log
    [root@105 ~]# vim /var/log/httpd/modsec_debug.log

The defaults are fine for us. For installation from a tarball, you can go and have a look.

httpd mod_ssl

    [root@105 ~]# rpm -qa|grep httpd
    httpd-2.2.3-31.el5
    httpd-devel-2.2.3-31.el5
    [root@105 ~]# rpm -qa|grep openssl
    openssl-devel-0.9.8e-12.el5
    openssl-0.9.8e-12.el5
    [root@105 ~]# rpm -qa|grep mod_ssl
    mod_ssl-2.2.3-31.el5

If these packages are not present we recommend installing them with yum. They are all on the installation disc; there are just package dependencies to resolve.

    [root@105 ~]# cd /etc/pki/tls/
    [root@105 ~]# vim /etc/pki/tls/openssl.cnf
    countryName                     = Country Name (2 letter code)
    countryName_default             = CN
    stateOrProvinceName             = State or Province Name (full name)
    stateOrProvinceName_default     = SICHUAN
    localityName                    = Locality Name (eg, city)
    localityName_default            = CHENGDU
    0.organizationName              = Organization Name (eg, company)
    0.organizationName_default      = 102.huang.com
    organizationalUnitName          = Organizational Unit Name (eg, section)
    organizationalUnitName_default  = DBA

Generate the root CA certificate:

    [root@105 ~]# cd /etc/pki/tls/misc/
    [root@105 misc]# rm /etc/pki/CA/ -rf
    [root@105 misc]# ./CA -newca

    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ........++++++
    .........++++++
    writing new private key to '../../CA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [SICHUAN]:
    Locality Name (eg, city) [CHENGDU]:
    Organization Name (eg, company) [102.huang.com]:
    Organizational Unit Name (eg, section) [DBA]:
    Common Name (eg, your name or your server's hostname) []:server
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ../../CA/private/./cakey.pem:
    4015:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
    Enter pass phrase for ../../CA/private/./cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 0 (0x0)
            Validity
                Not Before: Dec  8 01:34:03 2009 GMT
                Not After : Dec  7 01:34:03 2012 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = SICHUAN
                organizationName          = 102.huang.com
                organizationalUnitName    = DBA
                commonName                = server
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    1F:82:5D:96:D0:F8:EC:EA:3F:86:E1:D5:18:67:5C:3A:EF:45:AD:F8
                X509v3 Authority Key Identifier:
                    keyid:1F:82:5D:96:D0:F8:EC:EA:3F:86:E1:D5:18:67:5C:3A:EF:45:AD:F8

    Certificate is to be certified until Dec  7 01:34:03 2012 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated
    [root@105 misc]# ll /etc/pki/CA/private/cakey.pem
    -rw-r--r-- 1 root root 963 Dec 8 09:33 /etc/pki/CA/private/cakey.pem
    [root@105 misc]# ll /etc/pki/CA/cacert.pem
    -rw-r--r-- 1 root root 3045 Dec 8 09:34 /etc/pki/CA/cacert.pem

Generate the server certificate: first the private key.

    [root@105 misc]# cd /etc/httpd/
    [root@105 httpd]# mkdir ssl
    [root@105 httpd]# cd ssl/
    [root@105 ssl]# openssl genrsa -des3 -out server.key
    Generating RSA private key, 512 bit long modulus
    .............++++++++++++
    ........++++++++++++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:

Generate the server's certificate request.

    [root@105 ssl]# openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [SICHUAN]:
    Locality Name (eg, city) [CHENGDU]:
    Organization Name (eg, company) [102.huang.com]:
    Organizational Unit Name (eg, section) [DBA]:
    Common Name (eg, your name or your server's hostname) []:server
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Generate the public key (the certificate).

    [root@105 ssl]# openssl x509 -req -days 3650 <server.csr -signkey server.key >server.crt
    Signature ok
    subject=/C=CN/ST=SICHUAN/L=CHENGDU/O=102.huang.com/OU=DBA/CN=server
    Getting Private key
    Enter pass phrase for server.key:

In /etc/httpd/conf.d/ssl.conf:

    #   Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate.  If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase.  Note that a kill -HUP will prompt again.  A new
    # certificate can be generated using the genkey(1) command.
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile /etc/httpd/ssl/server.crt                the public key (certificate)

    #   Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file.  Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCertificateKeyFile /etc/httpd/ssl/server.key             the private key

    #   Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    SSLCACertificateFile /etc/pki/CA/cacert.pem                 the root certificate

    #SSLVerifyClient require
    #SSLVerifyDepth  10
    SSLVerifyClient require         whether to allow access only to clients presenting a certificate.
    SSLVerifyDepth  10

Now starting Apache asks for the passphrase. We can also remove it.

    [root@105 ssl]# /etc/init.d/httpd restart
    Stopping httpd:                                            [FAILED]
    Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.

    Server 105.huang.com:443 (RSA)
    Enter pass phrase:

    OK: Pass Phrase Dialog successful.
                                                               [  OK  ]

Removing the passphrase:

    [root@105 ssl]# cd /etc/httpd/ssl
    [root@105 ssl]# openssl rsa <server.key >server.keyno
    Enter pass phrase:
    writing RSA key
    [root@105 ssl]# sed 's/server.key/server.keyno/' /etc/httpd/conf.d/ssl.conf -i
    [root@105 ssl]# /etc/init.d/httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]

Generate the client certificate.

    [root@105 ssl]# mkdir client
    [root@105 ssl]# cd client/
    [root@105 client]# openssl req -new >clent1.csr
    Generating a 1024 bit RSA private key
    .................................++++++
    ........................++++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [SICHUAN]:
    Locality Name (eg, city) [CHENGDU]:
    Organization Name (eg, company) [102.huang.com]:
    Organizational Unit Name (eg, section) [DBA]:
    Common Name (eg, your name or your server's hostname) []:client1
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@105 client]#
    [root@105 client]# ls
    clent1.csr  privkey.pem

Then issue the certificate for the request.

    [root@105 client]# openssl x509 -req <clent1.csr >clent1.crt -signkey /etc/pki/CA/private/cakey.pem -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -days 3650
    Signature ok
    subject=/C=CN/ST=SICHUAN/L=CHENGDU/O=102.huang.com/OU=DBA/CN=client1
    Getting Private key
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Getting CA Private Key
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:

Convert it to a pfx-format bundle (the public key together with the key).

    [root@105 client]# openssl pkcs12 -export -in clent1.crt -inkey /etc/pki/CA/private/cakey.pem -out client1.pfx
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Enter Export Password:                  enter the password that will be used when importing the certificate
    Verifying - Enter Export Password:      enter the same import password again
    [root@105 client]# ll client1.pfx

Copy this file to the client and import it into IE; then https://192.168.1.105/ can be accessed.
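The whole procedure above, as an added example that is not part of the original notes: a root CA, a CA-signed server certificate, a CA-signed client certificate and the .pfx bundle, produced non-interactively in a scratch directory with placeholder names (example.test, demo-root-ca, the WORK directory) and finished with the two checks worth running before any of this goes into ssl.conf: does each certificate verify against cacert.pem, and whose public key does the client certificate actually carry? The second check matters because of the client step in the notes: `openssl x509 -req -signkey` replaces the public key in the request with the public key of the -signkey file, which is why the PKCS#12 export with `-inkey /etc/pki/CA/private/cakey.pem` succeeds at all, and it means the .pfx handed to the client carries the CA's private key. The example therefore signs the client request with -CA/-CAkey only and bundles it with its own key, privkey.pem. Keys are 2048 bits (512-bit RSA as in server.key above is factorable), the server certificate is signed by the CA rather than self-signed, and -nodes is used only so the demo runs unattended.

```shell
#!/bin/sh
# Added example (not part of the original notes): root CA -> server cert ->
# client cert -> PKCS#12, rebuilt with explicit openssl commands in a
# scratch directory, plus two checks. Paths, host names and DN values are
# placeholders; nothing here touches /etc/pki or /etc/httpd.
set -e
WORK=${WORK:-$(mktemp -d)}
DN_BASE="/C=CN/ST=SICHUAN/L=CHENGDU/O=example.test/OU=DBA"   # placeholder DN

# 1. Root CA key and self-signed certificate. -nodes keeps the demo
#    non-interactive; a real CA key should stay passphrase-protected.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$DN_BASE/CN=demo-root-ca" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# 2. Server key + CSR, then a certificate signed by the CA (the notes
#    self-sign server.crt with -signkey server.key, which leaves the CA
#    named in SSLCACertificateFile unrelated to the server identity).
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "$DN_BASE/CN=server.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# 3. Client key + CSR + CA-signed certificate, then the .pfx a browser
#    imports. The client's OWN key (privkey.pem) goes in, never cakey.pem.
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "$DN_BASE/CN=client1" \
        -keyout "$WORK/privkey.pem" -out "$WORK/client1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/client1.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/client1.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/client1.crt" -inkey "$WORK/privkey.pem" \
        -certfile "$WORK/cacert.pem" -passout pass:demo-export \
        -out "$WORK/client1.pfx"
}

# Check 1: does the certificate chain to our CA? Prints "ok" or "FAIL".
verify_against_ca() {
    if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# Check 2: does the certificate carry the CA's public key? Prints "same" or
# "different". "same" on a client certificate is the -signkey cakey.pem
# result from the notes: a .pfx built from it ships the CA private key.
cert_uses_ca_key() {
    a=$(openssl x509 -in "$WORK/$1" -noout -pubkey | openssl md5)
    b=$(openssl pkey -in "$WORK/cakey.pem" -pubout | openssl md5)
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

make_ca
make_server_cert
make_client_cert
echo "server.crt  chains to CA:   $(verify_against_ca server.crt)"
echo "client1.crt chains to CA:   $(verify_against_ca client1.crt)"
echo "client1.crt carries CA key: $(cert_uses_ca_key client1.crt)"
echo "bundle for the browser:     $WORK/client1.pfx"
```

With the files from this run, server.crt and server.key would take the place of the SSLCertificateFile/SSLCertificateKeyFile pair above, cacert.pem that of SSLCACertificateFile, and client1.pfx is what the user imports; the same two checks can be pointed at the certificates the notes produced to see how they differ.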
