That captcha was generated just for you. And look at what you did. Ignoring the captcha... not even giving an incorrect answer to his meaningless existence. You couldn't even give him false hope. Shame on you.
") + ngx.say("Don't immedately refresh for a new captcha! Try and fail. You must now wait about a minute for a new captcha to load.
") + ngx.flush() + ngx.exit(200) + end + + -- captcha generator functions + require "caphtml_d" + + local expired = nil + + if (tonumber(cookdata[2]) + session_timeout) < ngx.now() then + expired = true + caperror = "Session expired" + end + + if cookdata[1] ~= "captcha_solved" or expired then + displaycap(session_timeout) + ngx.flush() + ngx.exit(200) + end + end end end --- captcha generator functions -require "caphtml_d" - -local field, err = cookie:get("dcap") -if not field or field == nil then - displaycap() - ngx.flush() - ngx.exit(200) -end - --- check if cookie is blacklisted by rate limiter. if it is show the client a message and exit. can get creative with this. -local blocked_cookies = ngx.shared.blocked_cookies -local bct, btcflags = blocked_cookies:get(field) -if bct then - ngx.log(ngx.ERR, "Cookie " .. field .. " blacklisted.") - ngx.header.content_type = 'text/plain' - ngx.say("403 DDOS fliter killed your path. (You probably sent too many requests at once). Not calling you a bot, bot, but grab a new identity and try again.") - ngx.flush() - ngx.exit(200) -end - if ngx.var.request_method == "POST" then local field, err = cookie:get("dcap") if err then @@ -172,24 +210,28 @@ if ngx.var.request_method == "POST" then end cookdata = split(plaintext,"|") local expired = nil - if (tonumber(cookdata[2]) + session_timeout) < ngx.now() then - expired = true - caperror = "Session expired" - displaycap() - ngx.flush() - ngx.exit(200) - end - if cookdata[1] == "captcha_solved" and not expired then + if (cookdata[1] == "cap_not_solved") then + if (tonumber(cookdata[2]) + session_timeout) < ngx.now() then + expired = true + require "caphtml_d" + caperror = "Session expired" + displaycap(session_timeout) + ngx.flush() + ngx.exit(200) + end + elseif (cookdata[1] == "captcha_solved") then return end end + require "caphtml_d" + -- resty has a library for parsing POST data but it's not really needed ngx.req.read_body() local dataraw = ngx.req.get_body_data() if dataraw == nil then caperror = "You didn't submit anything. Try again." - displaycap() + displaycap(session_timeout) ngx.flush() ngx.exit(200) end @@ -213,24 +255,25 @@ if ngx.var.request_method == "POST" then if (tonumber(cookdata[2]) + 60) < ngx.now() then caperror = "Captcha expired" - displaycap() + displaycap(session_timeout) ngx.flush() ngx.exit(200) end - if sentcap == cookdata[3] then + if string.lower(sentcap) == string.lower(cookdata[3]) then local newcookdata = "" cookdata[1] = "captcha_solved" for k,v in pairs(cookdata) do newcookdata = newcookdata .. "|" .. v end + newcookdata = newcookdata .. "|" .. random.token(random.number(10,20)) local tstamp = ngx.now() local ciphertext = tohex(aes_128_cbc_sha512x1:encrypt(newcookdata)) local ok, err = cookie:set({ key = "dcap", value = ciphertext, path = "/", domain = ngx.var.host, httponly = true, - max_age = 21600, - samesite = "Strict" + max_age = session_timeout, + samesite = "Lax" }) if not ok then ngx.say("cookie error") @@ -244,39 +287,8 @@ if ngx.var.request_method == "POST" then else caperror = "You Got That Wrong. Try again" end - - else - caperror = "Session invalid or expired" - displaycap() + displaycap(session_timeout) ngx.flush() ngx.exit(200) end -end - -plaintext = aes_128_cbc_sha512x1:decrypt(fromhex(field)) -if not plaintext then - ngx.header.content_type = 'text/plain' - ngx.say("403 DDOS fliter killed your path. (You probably sent too many requests at once). Not calling you a bot, bot, but grab a new identity and try again.") - ngx.flush() - ngx.exit(200) -end -cookdata = split(plaintext,"|") - -if not cookdata then - displaycap() - ngx.flush() - ngx.exit(200) -end - -local expired = nil -if (tonumber(cookdata[2]) + session_timeout) < ngx.now() then - expired = true - caperror = "Session expired" -end - -if cookdata[1] ~= "captcha_solved" or expired then - displaycap() - ngx.flush() - ngx.exit(200) -end - +end \ No newline at end of file diff --git a/naxsi_core.rules b/naxsi_core.rules index 6870a54..a6a5cb3 100644 --- a/naxsi_core.rules +++ b/naxsi_core.rules @@ -1,3 +1,5 @@ + + ################################## ## INTERNAL RULES IDS:1-999 ## ################################## @@ -16,30 +18,30 @@ ################################## ## SQL Injections IDs:1000-1099 ## ################################## -MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000; -MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001; -MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; +#MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000; +#MainRule "str:\"" "msg:double quote" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001; +MainRule "str:0x" "msg:0x, possible hex encoding" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; ## Hardcore rules -MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; -MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; -MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; -MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; +MainRule "str:/*" "msg:mysql comment (/*)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; +MainRule "str:*/" "msg:mysql comment (*/)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; +MainRule "str:|" "msg:mysql keyword (|)" "mz:URL|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; +MainRule "str:&&" "msg:mysql keyword (&&)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; ## end of hardcore rules -MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; -MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008; -MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; -MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010; -MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011; -MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013; -MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; -MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; -MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017; +MainRule "str:--" "msg:mysql comment (--)" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; +#MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008; +#MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; +MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010; +MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011; +MainRule "str:'" "msg:simple quote" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013; +#MainRule "str:," "msg:, in stuff" "mz:URL|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; +#MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; +MainRule "str:@@" "msg:double @@" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017; ############################### ## OBVIOUS RFI IDs:1100-1199 ## ############################### -MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; -MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; +#MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; +#MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102; MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103; MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104; @@ -48,41 +50,37 @@ MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" " MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107; MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108; MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109; -MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110; +MainRule "str:gopher://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110; ####################################### ## Directory traversal IDs:1200-1299 ## -####################################### -MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; +####################################### +MainRule "str:.." "msg:double dot" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202; MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203; MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204; -MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; +MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206; ######################################## ## Cross Site Scripting IDs:1300-1399 ## ######################################## -MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; -MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; -MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; -MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; -MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; -MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; -MainRule "rx:%[2|3]." "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; +MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; +MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; +#MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; +#MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; +MainRule "str:~" "msg:~ character" "mz:URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; +MainRule "str:`" "msg:grave accent !" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; +#MainRule "rx:%[2|3]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; #################################### ## Evading tricks IDs: 1400-1500 ## #################################### -MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; -MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; +MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; +MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; ############################# ## File uploads: 1500-1600 ## ############################# -MainRule "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; +MainRule "rx:\.ph|\.asp|\.ht*" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; -MainRule "str:/public/uploads/" "msg:Access to uploads" "mz:URL" "s:$UWA:8" id:42000400; -MainRule "str:/public/image/" "msg:Access to image folder" "mz:URL" "s:$UWA:8" id:42000401; -MainRule "str:/public/" "msg:Access to public folder" "mz:URL" "s:$UWA:8" id:42000402; -MainRule "str:/system/" "msg:Access to system folder" "mz:URL" "s:$UWA:8" id:42000403; \ No newline at end of file diff --git a/naxsi_whitelist.rules b/naxsi_whitelist.rules index 58aa7bb..ccc8a38 100644 --- a/naxsi_whitelist.rules +++ b/naxsi_whitelist.rules @@ -1,4 +1,7 @@ BasicRule wl:10; BasicRule wl:20; BasicRule wl:16; -BasicRule wl:12; \ No newline at end of file +BasicRule wl:12; +BasicRule wl:13; +BasicRule wl:1310; +BasicRule wl:1311; \ No newline at end of file diff --git a/nginx-update.sh b/nginx-update.sh index 92fc50f..fe01bf0 100644 --- a/nginx-update.sh +++ b/nginx-update.sh @@ -70,18 +70,14 @@ cd .. git clone https://github.com/bungle/lua-resty-session cp -a lua-resty-session/lib/resty/session* /usr/local/lib/lua/resty/ -git clone https://github.com/ittner/lua-gd/ -cd lua-gd -gcc -o gd.so -DGD_XPM -DGD_JPEG -DGD_FONTCONFIG -DGD_FREETYPE -DGD_PNG -DGD_GIF -O2 -Wall -fPIC -fomit-frame-pointer -I/usr/local/include/luajit-2.1 -DVERSION=\"2.0.33r3\" -shared -lgd luagd.c -mv gd.so /usr/local/lib/lua/5.1/gd.so -cd .. - wget -O /usr/local/lib/lua/resty/aes_functions.lua https://github.com/c64bob/lua-resty-aes/raw/master/lib/resty/aes_functions.lua #include seems to be a bit mssed up with luajit mkdir /etc/nginx/resty ln -s /usr/local/lib/lua/resty/ /etc/nginx/resty/ +wget -O /usr/local/lib/lua/resty/random.lua https://raw.githubusercontent.com/bungle/lua-resty-random/master/lib/resty/random.lua + make -j16 modules cp -r objs modules diff --git a/nginx.conf b/nginx.conf index e5144cb..54e4e2f 100644 --- a/nginx.conf +++ b/nginx.conf @@ -2,6 +2,7 @@ user www-data; worker_processes auto; worker_priority -5; worker_rlimit_nofile 1024000; +timer_resolution 10000ms; pid /run/nginx.pid; load_module modules/modules/ngx_http_headers_more_filter_module.so; load_module modules/modules/ngx_http_naxsi_module.so; @@ -11,7 +12,9 @@ load_module modules/modules/ndk_http_module.so; load_module modules/modules/ngx_http_lua_module.so; events { - worker_connections 4096; + worker_connections 8096; + use epoll; + multi_accept on; } http { @@ -28,18 +31,19 @@ http { reset_timedout_connection on; - lua_shared_dict blocked_cookies 100M; + lua_shared_dict blocked_cookies 100M; # Timeouts - client_body_timeout 10s; - client_header_timeout 10s; + client_body_timeout 30s; + client_header_timeout 30s; keepalive_timeout 240s; + keepalive_requests 200000; send_timeout 120s; client_max_body_size 10m; client_body_buffer_size 10m; - proxy_connect_timeout 30s; - proxy_send_timeout 30s; - proxy_read_timeout 30s; + proxy_connect_timeout 120s; + proxy_send_timeout 120s; + proxy_read_timeout 120s; log_format detailed escape=json '{' @@ -57,7 +61,6 @@ http { '"http_user_agent": "$http_user_agent"' '}'; #access_log /var/log/site.access.log detailed; - proxy_redirect off; # Gzipping Content @@ -75,7 +78,7 @@ http { include /etc/nginx/naxsi_core.rules; add_header X-Content-Type-Options "nosniff"; - add_header X-Frame-Options "DENY"; + add_header X-Frame-Options "SAMEORIGIN"; add_header X-Xss-Protection "1; mode=block"; ## diff --git a/queue.html b/queue.html new file mode 100644 index 0000000..5e289c6 --- /dev/null +++ b/queue.html @@ -0,0 +1 @@ +You have been placed in a queue, awaiting forwarding to the platform.
Your estimated wait time is <2 minutes
Please do not refresh the page, you will be automatically redirected.
Error: " .. caperror .. "
") else -ngx.say("Due to on-going DDOS attacks against our servers, you must complete a captcha challenge to prove you are human.
") +ngx.say("Prove that you are human. Select the time shown on the clock image.
") end - ngx.say(" \ \ \ diff --git a/resty/core/random.lua b/resty/core/random.lua new file mode 100644 index 0000000..f36ec6f --- /dev/null +++ b/resty/core/random.lua @@ -0,0 +1,86 @@ +local require = require +local ffi = require "ffi" +local ffi_cdef = ffi.cdef +local ffi_new = ffi.new +local ffi_str = ffi.string +local ffi_typeof = ffi.typeof +local C = ffi.C +local type = type +local random = math.random +local randomseed = math.randomseed +local concat = table.concat +local tostring = tostring +local pcall = pcall + +ffi_cdef[[ +typedef unsigned char u_char; +u_char * ngx_hex_dump(u_char *dst, const u_char *src, size_t len); +int RAND_bytes(u_char *buf, int num); +]] + +local ok, new_tab = pcall(require, "table.new") +if not ok then + new_tab = function () return {} end +end + +local alnum = { + 'A','B','C','D','E','F','G','H','I','J','K','L','M', + 'N','O','P','Q','R','S','T','U','V','W','X','Y','Z', + 'a','b','c','d','e','f','g','h','i','j','k','l','m', + 'n','o','p','q','r','s','t','u','v','w','x','y','z', + '0','1','2','3','4','5','6','7','8','9' +} + +local t = ffi_typeof "uint8_t[?]" + +local function bytes(len, format) + local s = ffi_new(t, len) + C.RAND_bytes(s, len) + if not s then return nil end + if format == "hex" then + local b = ffi_new(t, len * 2) + C.ngx_hex_dump(b, s, len) + return ffi_str(b, len * 2), true + else + return ffi_str(s, len), true + end +end + +local function seed() + local a,b,c,d = bytes(4):byte(1, 4) + return randomseed(a * 0x1000000 + b * 0x10000 + c * 0x100 + d) +end + +local function number(min, max, reseed) + if reseed then seed() end + if min and max then return random(min, max) + elseif min then return random(min) + else return random() end +end + +local function token(len, chars, sep) + chars = chars or alnum + local count + local token = new_tab(len, 0) + if type(chars) ~= "table" then + chars = tostring(chars) + count = #chars + local n + for i=1,len do + n = number(1, count) + token[i] = chars:sub(n, n) + end + else + count = #chars + for i=1,len do token[i] = chars[number(1, count)] end + end + return concat(token, sep) +end + +seed() + +return { + bytes = bytes, + number = number, + token = token +} diff --git a/setup.sh b/setup.sh old mode 100644 new mode 100755 index 5251680..110c18d --- a/setup.sh +++ b/setup.sh @@ -3,15 +3,22 @@ #OPTIONS! MASTERONION="dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion" -TORAUTHPASSWORD="password" +TORAUTHPASSWORD="changethispassowrd" +BACKENDONIONURL="biblemeowimkh3utujmhm6oh2oeb3ubjw2lpgeq3lahrfr2l6ev6zgyd.onion" + +#set to true if you want to setup local proxy instead of proxy over Tor +LOCALPROXY=false +PROXYPASSURL="10.10.10.10:80" #Shared Front Captcha Key. Key alphanumeric between 64-128. Salt needs to be exactly 8 chars. KEY="encryption_key" -SALT="salt1234" +SALT="1saltkey" +SESSION_LENGTH=3600 #CSS Branding HEXCOLOR="#9b59b6" +SITENAME="dread" #There is more branding you need to do in the resty/caphtml_d.lua file near the end. @@ -25,7 +32,7 @@ NC='\033[0m' # No Color printf "\r\nProvided by your lovely ${BLUE}/u/Paris${NC} from dread. \r\n" printf "with help from ${BLUE}/u/mr_white${NC} from whitehousemarket.\n" echo "For the full effects of the DDOS prevention you will need to make sure to setup v3 onionbalance." -echo "Max 6-9 backend instances for each onion. This script will help make the backend instances." +echo "Onionbalance v3 does have distinct descriptors in a forked version. Read the README.MD in the onionbalance folder for more information. " if [ ${#MASTERONION} -lt 62 ]; then echo "MASTEWRONION doesn't have the correct length. The url needs to include the .onion at the end." @@ -38,9 +45,18 @@ then exit 0 fi -sleep 5 -echo "Proceeding to do the configuration and setup. This will take awhile." +shopt -s nullglob dotglob +directory=(dependencies/*) +if [ ${#directory[@]} -gt 0 ] +then +echo "Dependency Folder Found!" +else +echo "You need to get the dependencies first. Run './getdependencies.sh'" +exit 0 +fi +echo "Proceeding to do the configuration and setup. This will take awhile." +sleep 5 ### Configuration string="s/masterbalanceonion/" @@ -49,7 +65,17 @@ string+="/g" sed -i $string site.conf string="s/torauthpassword/" -string+="$torinput" +string+="$TORAUTHPASSWORD" +string+="/g" +sed -i $string site.conf + +string="s/backendurl/" +string+="$BACKENDONIONURL" +string+="/g" +sed -i $string site.conf + +string="s/proxypassurl/" +string+="$PROXYPASSURL" string+="/g" sed -i $string site.conf @@ -63,16 +89,44 @@ string+="$SALT" string+="/g" sed -i $string lua/cap.lua +string="s/sessionconfigvalue/" +string+="$SESSION_LENGTH" +string+="/g" +sed -i $string lua/cap.lua + string="s/HEXCOLOR/" string+="$HEXCOLOR" string+="/g" sed -i $string cap_d.css +string="s/HEXCOLOR/" +string+="$HEXCOLOR" +string+="/g" +sed -i $string queue.html + +string="s/SITENAME/" +string+="$SITENAME" +string+="/g" +sed -i $string queue.html + string="s/SITENAME/" string+="$SITENAME" string+="/g" sed -i $string resty/caphtml_d.lua +if $LOCALPROXY +then +string="s/#proxy_pass/" +string+="proxy_pass" +string+="/g" +sed -i $string site.conf +else +string="s/#socks_/" +string+="socks_" +string+="/g" +sed -i $string site.conf +fi + apt-get update apt-get install -y apt-transport-https lsb-release ca-certificates dirmngr @@ -84,44 +138,49 @@ echo "deb https://nginx.org/packages/debian/ buster nginx" > /etc/apt/sources.li gpg --import A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - + apt-key add nginx_signing.key apt-get update apt-get install -y tor nyx nginx apt-get install -y vanguards +apt-get install -y build-essential zlib1g-dev libpcre3 libpcre3-dev uuid-dev gcc git wget curl libgd3 libgd-dev command="nginx -v" nginxv=$( ${command} 2>&1 ) NGINXVERSION=$(echo $nginxv | grep -o '[0-9.]*$') + NGINXOPENSSL="1.1.1d" wget https://nginx.org/download/nginx-$NGINXVERSION.tar.gz tar -xzvf nginx-$NGINXVERSION.tar.gz + +cp -R dependencies/* nginx-$NGINXVERSION/ + cd nginx-$NGINXVERSION -apt-get install -y build-essential zlib1g-dev libpcre3 libpcre3-dev uuid-dev gcc git wget curl libgd3 libgd-dev - -git clone https://github.com/yorkane/socks-nginx-module.git -git clone https://github.com/nbs-system/naxsi.git wget https://www.openssl.org/source/openssl-$NGINXOPENSSL.tar.gz tar -xzvf openssl-$NGINXOPENSSL.tar.gz -git clone https://github.com/openresty/headers-more-nginx-module.git -git clone https://github.com/openresty/echo-nginx-module.git -#some required stuff for lua/luajit. obviously versions should be ckecked with every install/update -git clone https://github.com/openresty/lua-nginx-module -cd lua-nginx-module -git checkout v0.10.16 -cd .. -git clone https://github.com/openresty/luajit2 -cd luajit2 -git checkout v2.1-20200102 -cd .. -git clone https://github.com/vision5/ngx_devel_kit cd luajit2 make -j8 && make install cd .. +cd lua-resty-string +make install +cd .. + +cd lua-resty-cookie +make install +cd .. + +cd lua-gd +gcc -o gd.so -DGD_XPM -DGD_JPEG -DGD_FONTCONFIG -DGD_FREETYPE -DGD_PNG -DGD_GIF -O2 -Wall -fPIC -fomit-frame-pointer -I/usr/local/include/luajit-2.1 -DVERSION=\"2.0.33r3\" -shared -lgd luagd.c +mv gd.so /usr/local/lib/lua/5.1/gd.so +cd .. + +cp -a lua-resty-session/lib/resty/session* /usr/local/lib/lua/resty/ + export LUAJIT_LIB=/usr/local/lib export LUAJIT_INC=/usr/local/include/luajit-2.1 ./configure --with-cc-opt='-Wno-stringop-overflow -Wno-stringop-truncation -Wno-cast-function-type' \ @@ -135,67 +194,66 @@ export LUAJIT_INC=/usr/local/include/luajit-2.1 --add-dynamic-module=ngx_devel_kit \ --add-dynamic-module=lua-nginx-module -git clone https://github.com/openresty/lua-resty-string -cd lua-resty-string -make install -cd .. - -git clone https://github.com/cloudflare/lua-resty-cookie -cd lua-resty-cookie -make install -cd .. - -git clone https://github.com/bungle/lua-resty-session -cp -a lua-resty-session/lib/resty/session* /usr/local/lib/lua/resty/ - -git clone https://github.com/ittner/lua-gd/ -cd lua-gd -gcc -o gd.so -DGD_XPM -DGD_JPEG -DGD_FONTCONFIG -DGD_FREETYPE -DGD_PNG -DGD_GIF -O2 -Wall -fPIC -fomit-frame-pointer -I/usr/local/include/luajit-2.1 -DVERSION=\"2.0.33r3\" -shared -lgd luagd.c -mv gd.so /usr/local/lib/lua/5.1/gd.so -cd .. - -wget -O /usr/local/lib/lua/resty/aes_functions.lua https://github.com/c64bob/lua-resty-aes/raw/master/lib/resty/aes_functions.lua +#https://github.com/c64bob/lua-resty-aes/raw/master/lib/resty/aes_functions.lua +mv resty/aes_functions.lua /usr/local/lib/lua/resty/aes_functions.lua +mkdir /etc/nginx/resty/ #include seems to be a bit mssed up with luajit -mkdir /etc/nginx/resty ln -s /usr/local/lib/lua/resty/ /etc/nginx/resty/ make -j16 modules cp -r objs modules +rm -R /etc/nginx/modules +mkdir /etc/nginx/modules mv modules /etc/nginx/modules cd .. +rm /etc/nginx/nginx.conf mv nginx.conf /etc/nginx/nginx.conf +rm /etc/nginx/naxsi_core.rules mv naxsi_core.rules /etc/nginx/naxsi_core.rules +rm /etc/nginx/naxsi_whitelist.rules mv naxsi_whitelist.rules /etc/nginx/naxsi_whitelist.rules +rm -R /etc/nginx/lua/ mv lua /etc/nginx/ mv resty/* /etc/nginx/resty/resty/ +rm /etc/nginx/resty/caphtml_d.lua mv /etc/nginx/resty/resty/caphtml_d.lua /etc/nginx/resty/caphtml_d.lua +rm /etc/nginx/resty/resty/random.lua +mv random.lua /etc/nginx/resty/resty/random.lua +mv queue.html /etc/nginx/queue.html +rm -R /etc/nginx/sites-enabled/ mkdir /etc/nginx/sites-enabled/ mv site.conf /etc/nginx/sites-enabled/site.conf - -#background generation -apt-get install -y python3-pil -mv gen_background.py /etc/nginx/gen_background.py -echo "* * * * * root python3 /etc/nginx/gen_background.py" > /etc/cron.d/background-generate -mv font.ttf /etc/nginx/font.ttf +rm /etc/nginx/cap_d.css mv cap_d.css /etc/nginx/cap_d.css chown -R www-data:www-data /etc/nginx/ chown -R www-data:www-data /usr/local/lib/lua chmod 755 startup.sh +rm /startup.sh mv startup.sh /startup.sh chmod 755 rc.local +rm /etc/rc.local mv rc.local /etc/rc.local +rm /etc/sysctl.conf mv sysctl.conf /etc/sysctl.conf pkill tor mv torrc /etc/tor/torrc +if $LOCALPROXY +then +echo "localproxy enabled" +else +mv torrc2 /etc/tor/torrc2 +mv torrc3 /etc/tor/torrc3 +fi + torhash=$(tor --hash-password $TORAUTHPASSWORD| tail -c 62) string="s/hashedpassword/" string+="$torhash" @@ -215,7 +273,7 @@ string+="$HOSTNAME" string+="/g" sed -i $string /etc/nginx/sites-enabled/site.conf -echo "MasterOnionAddress $MASTERONION" >> /etc/tor/hidden_service/ob_config +echo "MasterOnionAddress $MASTERONION" > /etc/tor/hidden_service/ob_config pkill tor sleep 10 @@ -223,8 +281,19 @@ sleep 10 sed -i "s/#HiddenServiceOnionBalanceInstance/HiddenServiceOnionBalanceInstance/g" /etc/tor/torrc tor + +if $LOCALPROXY +then +echo "localproxy enabled" +else +tor -f /etc/tor/torrc2 +tor -f /etc/tor/torrc3 +fi + nginx service vanguards start +nginx -s stop +nginx clear diff --git a/site.conf b/site.conf index 4801ed5..52c50a5 100644 --- a/site.conf +++ b/site.conf @@ -6,13 +6,16 @@ #keepalive 128; or proxy_bind on multiple local ips can be used to mitigate local port exhaustion #most likely with this setup it's not the case #if this runs on the same machine as the application server UNIX sockets should be used instead of TCP - +upstream tor { + server 127.0.0.1:9060; + server 127.0.0.1:9070; +} access_by_lua_no_postpone on; lua_package_path "/etc/nginx/resty/?.lua;;"; init_by_lua_block { allowed_hosts = { "mainonion", - "masterbalanceonion" + "dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion" } function in_array(tab, val) @@ -63,17 +66,18 @@ init_by_lua_block { function kill_circuit(premature, clientip, headerip) local circuitid = calc_circuit(headerip) + local sockfile = "unix:/etc/tor/c1" local response = "Closing circuit " .. circuitid .. " " local sock = ngx.socket.tcp() sock:settimeout(1000) - local ok, err = sock:connect(clientip, 9051) + local ok, err = sock:connect(sockfile) if not ok then ngx.log(ngx.ERR, "failed to connect to tor: " .. err) return end ngx.log(ngx.ERR, "connected to tor") - local bytes, err = sock:send("authenticate \"torauthpassword\"\n") + local bytes, err = sock:send("authenticate \"changethispassowrd\"\n") if not bytes then ngx.log(ngx.ERR, "failed authenticate to tor: " .. err) return @@ -107,15 +111,15 @@ init_by_lua_block { #limiting by proxy_protocol_addr won't work with V2 onions and maybe should be disabled. #limiting by cookie_It seems this endgame front doesn't have a stable connection to the backend right now.
To fix it you can try to reload the page. If that doesn't work, and you end back here, get a new circuit.
If getting a new circuit doesn't work. Try to get a brand new Tor identity.
If getting a new Tor identity doesn't work come back later.