├── .gitignore
├── firewall
├── iptables_ssh_and_portscan.sh
└── readme.md
├── nginx
├── example_config
│ ├── dhparam.pem
│ ├── nginx.conf
│ ├── sites-available
│ │ └── lab
│ └── snippets
│ │ ├── bot.protection.conf
│ │ ├── generic.protection.conf
│ │ └── tls_config.conf
└── readme.md
└── readme.md
/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AICDEV/annoy-the-script-kiddie/0243d79b82d10dce6c4c45efbeee686795b5986e/.gitignore
--------------------------------------------------------------------------------
/firewall/iptables_ssh_and_portscan.sh:
--------------------------------------------------------------------------------
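#!/bin/bash
# AUTHOR: aicdev
# LINK: https://securityvalley.org
# REPO: github.com/aicdev/annoy-the-script-kiddie
# ABOUT: simple linux netfilter rules to annoy some bots and script-kiddies in the wild. rules are gonna set with iptables
# you can install iptables by running: apt install iptables
# IMPORTANT: if you restart your machine, all iptable rules are gone. to save them you can install iptables-persistent, simply run:
# apt install iptables-persistent
#
# Every setting below can also be overridden from the environment instead of
# editing this file, e.g.:
#   NETWORK_INTERFACE=ens3 SSH_PORT=22223 ./iptables_ssh_and_portscan.sh

# a typo in one of the variable names below must not silently turn into an
# empty iptables argument
set -u

printf '\n\nCONFIGURE IPTABLES TO ANNOY THE SCRIPT-KIDDIE\n\n\n'

# iptables needs root (CAP_NET_ADMIN); say so once instead of failing on
# every single rule further down
if (( EUID != 0 )); then
  printf 'warning: not running as root, the iptables calls will most likely fail\n' >&2
fi

# PLEASE CHANGE THIS TO THE NETWORK INTERFACE YOU WANNA PROTECT
# netstat -tupln
# ip a s
NETWORK_INTERFACE=${NETWORK_INTERFACE:-eth0}

# sometimes a good idea to move the default ssh port
# just edit /etc/ssh/sshd_config and change port from 22 to f.g. 22223
# most of the scan bots gonna fail
SSH_PORT=${SSH_PORT:-22}

# if we detect ssh bruteforce attempt, we block all further traffic for 3 min
SSH_BANN_TIME=${SSH_BANN_TIME:-180}

# custom for my web server (nginx) deployment
WEB_HTTP=${WEB_HTTP:-80}
WEB_TLS=${WEB_TLS:-443}

# if we detect a possible scan, we block all further traffic for 6 min
PORTSCAN_BANN_TIME=${PORTSCAN_BANN_TIME:-360}

# prefix inside the iptables log (kernel log prefix, max. 29 characters)
# for journalctl you can run the following:
# journalctl -k -f -g IPTABLES_BLOCK_
BLOCK_CHAIN_LOG_PREFIX=${BLOCK_CHAIN_LOG_PREFIX:-"IPTABLES_BLOCK_"}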
36 |
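#######################################
# Create the custom BLOCK chain that the rate-limit rules jump to.
# On a second run the chain already exists and `iptables -N` fails; in
# that case the chain is flushed instead, so apply_rules() does not stack
# a second LOG/DROP pair on top of the old one.
# Outputs:   progress message on stdout
# Returns:   exit status of the last iptables call
#######################################
create_chains() {
  echo "create BLOCK chain"
  iptables -N BLOCK 2>/dev/null || iptables -F BLOCK
}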
42 |
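#######################################
# Append one INPUT rule that is bound to the protected interface.
# Globals:   NETWORK_INTERFACE (read)
# Arguments: iptables match/target options, e.g. -p tcp --dport 22 -j ACCEPT
# Returns:   exit status of iptables
#######################################
_input_rule() {
  iptables -A INPUT -i "$NETWORK_INTERFACE" "$@"
}

#######################################
# Fill the BLOCK chain (log + drop) and build the INPUT policy.
# The two `-I` inserts (INVALID drop, loopback accept) land on top of
# INPUT, every other rule is appended in source order, so on a fresh
# chain the result reads, top to bottom:
#   lo ACCEPT, INVALID DROP, smurf DROPs, ESTABLISHED/RELATED ACCEPT,
#   SSH recent set / update -> BLOCK, PORTSCAN recent set / rcheck -> BLOCK,
#   SSH ACCEPT, HTTP/HTTPS ACCEPT, DROP.
# The ESTABLISHED/RELATED rule has to stay ahead of the PORTSCAN rules:
# replies to connections this host opened itself arrive on ports outside
# the allowed list and would otherwise tag the peer as a port-scanner.
# Running the script twice appends every INPUT rule a second time; flush
# INPUT first if you need to re-apply.
# Globals:   NETWORK_INTERFACE SSH_PORT SSH_BANN_TIME WEB_HTTP WEB_TLS
#            PORTSCAN_BANN_TIME BLOCK_CHAIN_LOG_PREFIX (all read)
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables call
#######################################
apply_rules() {
  echo "add rules"
  echo "add log "
  # BLOCK chain: log at kernel level 7 (debug) with the grep-able prefix, then drop
  iptables -I BLOCK -j LOG --log-prefix="${BLOCK_CHAIN_LOG_PREFIX}" --log-level 7
  iptables -A BLOCK -j DROP

  # DROP INVALID PACKETS - inserted, so it sits above the accept rules
  echo "add rule to drop invalid packets"
  iptables -I INPUT -i "$NETWORK_INTERFACE" -m conntrack --ctstate INVALID -j DROP

  # DROP ICMP SMURF ATTACK (https://en.wikipedia.org/wiki/Smurf_attack)
  echo "add rule to drop ICMP SMURF ATTACKS"
  _input_rule -p icmp -m icmp --icmp-type address-mask-request -j DROP
  _input_rule -p icmp -m icmp --icmp-type timestamp-request -j DROP

  # ALLOW OUTGOING TRAFFIC (replies to connections this host opened, any interface)
  echo "allow outgoing traffic"
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # PROTECT SSH PORT: every NEW connection is recorded; the 3rd one within
  # SSH_BANN_TIME seconds from the same source jumps to BLOCK, and every
  # further attempt refreshes the timer
  echo "add rule to protect ssh port"
  _input_rule -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --set --name SSH
  _input_rule -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --update --seconds "$SSH_BANN_TIME" --hitcount 3 --name SSH --rsource -j BLOCK

  # RESTRICT POSSIBLE NOISY PORTSCANS: a TCP packet to any port that is not
  # served here records the source; everything from that source then goes
  # to BLOCK for PORTSCAN_BANN_TIME seconds
  echo "add rule to annoy the port-scanner"
  _input_rule -p tcp -m tcp -m multiport ! --dports "$SSH_PORT,$WEB_HTTP,$WEB_TLS" -m recent --name PORTSCAN --set
  _input_rule -m recent --name PORTSCAN --rcheck --seconds "$PORTSCAN_BANN_TIME" -j BLOCK

  # ALLOW SSH ACCESS
  echo "allow ssh access"
  _input_rule -p tcp --dport "$SSH_PORT" -j ACCEPT

  # ALLOW WEBSERVER ACCESS
  echo "allow webserver access"
  _input_rule -p tcp -m multiport --dports "$WEB_HTTP,$WEB_TLS" -j ACCEPT

  # ALLOW TRAFFIC ON LOOPBACK INTERFACE - inserted, ends up as rule #1
  echo "allow loopback traffic"
  iptables -I INPUT -i lo -j ACCEPT

  # DROP THE REST
  echo "drop all the other traffic"
  iptables -A INPUT -j DROP
}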
89 |
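#######################################
# Drop ICMP echo-requests (type 8) on the protected interface so the host
# does not answer ping. Inserted at the top of INPUT, i.e. ahead of every
# rule apply_rules() added. Comment out the call at the bottom of the
# script if ping should keep working.
# Globals:   NETWORK_INTERFACE (read)
# Returns:   exit status of iptables
#######################################
block_icmp_ping() {
  iptables -I INPUT -i "$NETWORK_INTERFACE" -p icmp -m icmp --icmp-type 8 -j DROP
}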
94 |
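#######################################
# Print the resulting rule set with packet counters and rule numbers.
# -n keeps iptables from reverse-resolving every address in the listing,
# which is slow and sends a DNS query per IP that shows up in the table.
# Outputs:   iptables listing on stdout
# Returns:   exit status of iptables
#######################################
show_config() {
  iptables -L -v -n --line-numbers
}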
99 |
#######################################
# Entry point: create the chain, load the rules, optionally drop ping,
# then print the final table.
#######################################
main() {
  create_chains
  apply_rules

  # just comment that line if you wanna allow icmp ping packets
  block_icmp_ping

  show_config
}

main "$@"
107 |
--------------------------------------------------------------------------------
/firewall/readme.md:
--------------------------------------------------------------------------------
1 | # annoy-the-script-kiddie
2 |
3 | ## overview
4 | - [tutorial](#youtube-tutorial)
5 | - [information](#information)
6 | - [save and load firewall config](#save-and-load-firewall-config)
7 | - [firewall](#firewall)
8 | - [blacklist from log entries](#blacklist-from-log-entries)
9 |
10 | ## youtube tutorial
11 |
12 | A tutorial video can be found here:
13 |
14 | - [https://www.youtube.com/watch?v=i9o91Uvnz0c](https://www.youtube.com/watch?v=i9o91Uvnz0c)
15 |
16 | ## information
17 |
18 | Don't forget that iptables only handles IPv4. To cover IPv6 as well, use ip6tables, which has the same syntax.
19 |
20 | - [iptables-man](https://linux.die.net/man/8/iptables)
21 | - [ip6tables-man](https://linux.die.net/man/8/ip6tables)
22 |
23 | ## save and load firewall config
24 |
25 | ### save
26 |
27 | By default iptables rules are not saved. If you restart your server, you need to reconfigure iptables. You can avoid this by installing the iptables-persistent package. Simply run the following command to install it:
28 | ```bash
29 | sudo apt install iptables-persistent
30 | ```
31 |
32 | You can export your rules to a file by simply running the following command:
33 | ```bash
34 | iptables-save > /etc/iptables/rules.v4
35 | ```
36 |
37 | ### load
38 |
39 | In order to load/restore your saved configuration, simply run the following command:
40 | ```bash
41 | iptables-restore < /etc/iptables/rules.v4
42 | ```
43 |
44 | ### block ip
45 | If someone keeps getting on your nerves and appears again and again in your log file, you could consider increasing the default ban time or dropping the IP permanently. In order to block an IP address, simply run the following command:
46 | ```bash
47 | iptables -I INPUT -s 43.153.88.134 -j DROP
48 | ```
49 |
50 | You could also block an entire IP range by using CIDR notation. The following example blocks the IP addresses from 43.153.88.0 to 43.153.88.255:
51 |
52 | ```bash
53 | iptables -I INPUT -s 43.153.88.0/24 -j DROP
54 | ```
55 |
56 | ## firewall
57 |
58 | If you would like to trick bots and kids that scan and brute-force your server, check the *iptables_ssh_and_portscan.sh* script:
59 |
60 | ```bash
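#!/bin/bash
# AUTHOR: aicdev
# LINK: https://securityvalley.org
# REPO: github.com/aicdev/annoy-the-script-kiddie
# ABOUT: simple linux netfilter rules to annoy some bots and script-kiddies in the wild. rules are gonna set with iptables
# you can install iptables by running: apt install iptables
# IMPORTANT: if you restart your machine, all iptable rules are gone. to save them you can install iptables-persistent, simply run:
# apt install iptables-persistent
#
# Every setting below can also be overridden from the environment instead of
# editing this file, e.g.:
#   NETWORK_INTERFACE=ens3 SSH_PORT=22223 ./iptables_ssh_and_portscan.sh

# a typo in one of the variable names below must not silently turn into an
# empty iptables argument
set -u

printf '\n\nCONFIGURE IPTABLES TO ANNOY THE SCRIPT-KIDDIE\n\n\n'

# iptables needs root (CAP_NET_ADMIN); say so once instead of failing on
# every single rule further down
if (( EUID != 0 )); then
  printf 'warning: not running as root, the iptables calls will most likely fail\n' >&2
fi

# PLEASE CHANGE THIS TO THE NETWORK INTERFACE YOU WANNA PROTECT
# netstat -tupln
# ip a s
NETWORK_INTERFACE=${NETWORK_INTERFACE:-eth0}

# sometimes a good idea to move the default ssh port
# just edit /etc/ssh/sshd_config and change port from 22 to f.g. 22223
# most of the scan bots gonna fail
SSH_PORT=${SSH_PORT:-22}

# if we detect ssh bruteforce attempt, we block all further traffic for 3 min
SSH_BANN_TIME=${SSH_BANN_TIME:-180}

# custom for my web server (nginx) deployment
WEB_HTTP=${WEB_HTTP:-80}
WEB_TLS=${WEB_TLS:-443}

# if we detect a possible scan, we block all further traffic for 6 min
PORTSCAN_BANN_TIME=${PORTSCAN_BANN_TIME:-360}

# prefix inside the iptables log (kernel log prefix, max. 29 characters)
# for journalctl you can run the following:
# journalctl -k -f -g IPTABLES_BLOCK_
BLOCK_CHAIN_LOG_PREFIX=${BLOCK_CHAIN_LOG_PREFIX:-"IPTABLES_BLOCK_"}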
96 |
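#######################################
# Create the custom BLOCK chain that the rate-limit rules jump to.
# On a second run the chain already exists and `iptables -N` fails; in
# that case the chain is flushed instead, so apply_rules() does not stack
# a second LOG/DROP pair on top of the old one.
# Outputs:   progress message on stdout
# Returns:   exit status of the last iptables call
#######################################
create_chains() {
  echo "create BLOCK chain"
  iptables -N BLOCK 2>/dev/null || iptables -F BLOCK
}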
102 |
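#######################################
# Append one INPUT rule that is bound to the protected interface.
# Globals:   NETWORK_INTERFACE (read)
# Arguments: iptables match/target options, e.g. -p tcp --dport 22 -j ACCEPT
# Returns:   exit status of iptables
#######################################
_input_rule() {
  iptables -A INPUT -i "$NETWORK_INTERFACE" "$@"
}

#######################################
# Fill the BLOCK chain (log + drop) and build the INPUT policy.
# The two `-I` inserts (INVALID drop, loopback accept) land on top of
# INPUT, every other rule is appended in source order, so on a fresh
# chain the result reads, top to bottom:
#   lo ACCEPT, INVALID DROP, smurf DROPs, ESTABLISHED/RELATED ACCEPT,
#   SSH recent set / update -> BLOCK, PORTSCAN recent set / rcheck -> BLOCK,
#   SSH ACCEPT, HTTP/HTTPS ACCEPT, DROP.
# The ESTABLISHED/RELATED rule has to stay ahead of the PORTSCAN rules:
# replies to connections this host opened itself arrive on ports outside
# the allowed list and would otherwise tag the peer as a port-scanner
# (the earlier version of this listing appended it after them).
# Running the script twice appends every INPUT rule a second time; flush
# INPUT first if you need to re-apply.
# Globals:   NETWORK_INTERFACE SSH_PORT SSH_BANN_TIME WEB_HTTP WEB_TLS
#            PORTSCAN_BANN_TIME BLOCK_CHAIN_LOG_PREFIX (all read)
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables call
#######################################
apply_rules() {
  echo "add rules"
  echo "add log "
  # BLOCK chain: log at kernel level 7 (debug) with the grep-able prefix, then drop
  iptables -I BLOCK -j LOG --log-prefix="${BLOCK_CHAIN_LOG_PREFIX}" --log-level 7
  iptables -A BLOCK -j DROP

  # DROP INVALID PACKETS - inserted, so it sits above the accept rules
  echo "add rule to drop invalid packets"
  iptables -I INPUT -i "$NETWORK_INTERFACE" -m conntrack --ctstate INVALID -j DROP

  # DROP ICMP SMURF ATTACK (https://en.wikipedia.org/wiki/Smurf_attack)
  echo "add rule to drop ICMP SMURF ATTACKS"
  _input_rule -p icmp -m icmp --icmp-type address-mask-request -j DROP
  _input_rule -p icmp -m icmp --icmp-type timestamp-request -j DROP

  # ALLOW OUTGOING TRAFFIC (replies to connections this host opened, any interface)
  echo "allow outgoing traffic"
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # PROTECT SSH PORT: every NEW connection is recorded; the 3rd one within
  # SSH_BANN_TIME seconds from the same source jumps to BLOCK, and every
  # further attempt refreshes the timer
  echo "add rule to protect ssh port"
  _input_rule -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --set --name SSH
  _input_rule -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --update --seconds "$SSH_BANN_TIME" --hitcount 3 --name SSH --rsource -j BLOCK

  # RESTRICT POSSIBLE NOISY PORTSCANS: a TCP packet to any port that is not
  # served here records the source; everything from that source then goes
  # to BLOCK for PORTSCAN_BANN_TIME seconds
  echo "add rule to annoy the port-scanner"
  _input_rule -p tcp -m tcp -m multiport ! --dports "$SSH_PORT,$WEB_HTTP,$WEB_TLS" -m recent --name PORTSCAN --set
  _input_rule -m recent --name PORTSCAN --rcheck --seconds "$PORTSCAN_BANN_TIME" -j BLOCK

  # ALLOW SSH ACCESS
  echo "allow ssh access"
  _input_rule -p tcp --dport "$SSH_PORT" -j ACCEPT

  # ALLOW WEBSERVER ACCESS
  echo "allow webserver access"
  _input_rule -p tcp -m multiport --dports "$WEB_HTTP,$WEB_TLS" -j ACCEPT

  # ALLOW TRAFFIC ON LOOPBACK INTERFACE - inserted, ends up as rule #1
  echo "allow loopback traffic"
  iptables -I INPUT -i lo -j ACCEPT

  # DROP THE REST
  echo "drop all the other traffic"
  iptables -A INPUT -j DROP
}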
149 |
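#######################################
# Drop ICMP echo-requests (type 8) on the protected interface so the host
# does not answer ping. Inserted at the top of INPUT, i.e. ahead of every
# rule apply_rules() added. Comment out the call at the bottom of the
# script if ping should keep working.
# Globals:   NETWORK_INTERFACE (read)
# Returns:   exit status of iptables
#######################################
block_icmp_ping() {
  iptables -I INPUT -i "$NETWORK_INTERFACE" -p icmp -m icmp --icmp-type 8 -j DROP
}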
154 |
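#######################################
# Print the resulting rule set with packet counters and rule numbers.
# -n keeps iptables from reverse-resolving every address in the listing,
# which is slow and sends a DNS query per IP that shows up in the table.
# Outputs:   iptables listing on stdout
# Returns:   exit status of iptables
#######################################
show_config() {
  iptables -L -v -n --line-numbers
}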
159 |
#######################################
# Entry point: create the chain, load the rules, optionally drop ping,
# then print the final table.
#######################################
main() {
  create_chains
  apply_rules

  # just comment that line if you wanna allow icmp ping packets
  block_icmp_ping

  show_config
}

main "$@"
167 |
168 | ```
169 |
170 | ## blacklist from log entries
171 |
172 | If you want to have a unique list of ip addresses from your iptables chain "BLOCK", simply run the following snippet:
173 |
174 | ```bash
175 | journalctl -k -g IPTABLES_BLOCK_ | grep -E -o "SRC=([0-9]{1,3}[\.]){3}[0-9]{1,3}"| awk -F '=' '{print $2}' | sort | uniq -c | sort -nr
176 | ```
177 |
178 | You can check the ip address on https://www.abuseipdb.com/
--------------------------------------------------------------------------------
/nginx/example_config/dhparam.pem:
--------------------------------------------------------------------------------
1 | GENERATE YOUR DHPARAM.PEM BY RUNNING:
2 |
3 | openssl dhparam -out /etc/nginx/dhparam.pem 4096
--------------------------------------------------------------------------------
/nginx/example_config/nginx.conf:
--------------------------------------------------------------------------------
# Main nginx configuration: global worker settings, then one http {} block
# whose security headers and TLS defaults are meant to be inherited by the
# vhosts it includes at the end (sites-available/*, e.g. sites-available/lab).
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# do not reveal the nginx version in the Server header and on error pages
server_tokens off;

# TLS 1.3 only: clients without TLS 1.3 support cannot connect at all
# (snippets/tls_config.conf is written for the same assumption)
ssl_protocols TLSv1.3;
# NOTE(review): snippets/tls_config.conf sets ssl_prefer_server_ciphers off;
# for the vhosts that include that snippet the server-level value wins
ssl_prefer_server_ciphers on;

# records negotiated protocol and cipher in front of the usual fields;
# used by the TLS access_log in sites-available/lab
log_format sslparams '$ssl_protocol $ssl_cipher' '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" "$gzip_ratio"';

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

# NOTE(review): compressing responses that contain secrets next to
# attacker-influenced input is the precondition for BREACH-style attacks;
# consider limiting gzip_types to static assets if that applies here
gzip on;

# custom section
# small header/body buffers and short timeouts: oversized or slow-drip
# requests are rejected early instead of holding a worker
client_header_buffer_size 1k;
client_header_timeout 15s;

client_body_buffer_size 16k;
client_body_timeout 20s;
client_max_body_size 500k;

# custom headers
# NOTE(review): add_header is inherited by a server/location level only if
# that level declares NO add_header of its own; a single add_header inside a
# vhost or location silently drops every header set here. Re-declare them
# there, or move them into a snippet that is included at each level.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
# NOTE(review): the browser XSS auditor this header controlled has been
# removed from current browsers; current guidance is the value "0" — confirm
add_header X-XSS-Protection "1;mode=block";
add_header X-Content-Type-Options nosniff;
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
add_header X-Frame-Options "SAMEORIGIN";

# COOP, COEP, CORP, CORS
# Update configuration to your needs
# https://my.page is a placeholder: set it to the origin that is allowed to read responses
add_header Access-Control-Allow-Origin "https://my.page";
add_header Cross-Origin-Resource-Policy "same-origin";
add_header Cross-Origin-Embedder-Policy "require-corp";
add_header Cross-Origin-Opener-Policy "same-origin";

# Set default CSP here
# Note: If you have CSP directives specified both in a Content-Security-Policy HTTP header
# and in a <meta> element, the browser uses the most-restrictive CSP directives, wherever specified
# You should probably fine-grain in server > location blocks and via site/webapp-specific meta-tags (e.g. with nonces)
add_header Content-Security-Policy "default-src 'self'";
add_header Referrer-Policy same-origin;

include /etc/nginx/conf.d/*.conf;
# NOTE(review): the Debian layout enables vhosts through symlinks in
# sites-enabled/; including sites-available/* activates every file placed
# there, including disabled or half-finished vhosts — confirm this is intended
include /etc/nginx/sites-available/*;
}
63 |
--------------------------------------------------------------------------------
/nginx/example_config/sites-available/lab:
--------------------------------------------------------------------------------
# Example vhost: a plain-HTTP listener that only redirects to HTTPS, and a
# TLS listener that reverse-proxies to two local app instances.
# CONTEXT: HTTP (pulled in by nginx.conf via include sites-available/*)

# per-client-IP request rate: 15 r/s, 20 MB of shared state; exceeding the
# limit is answered with 429 instead of the default 503
limit_req_zone $binary_remote_addr zone=limitreqsbyaddr:20m rate=15r/s;
limit_req_status 429;

# defines $blacklist_user_agents from the User-Agent header
include /etc/nginx/snippets/bot.protection.conf;

upstream app.localhost {
server localhost:8080;
server localhost:8081;
}

server {
listen 80;
server_name app.devlab.intern;

access_log /var/log/nginx/app.devlab.intern.http.access.log;
error_log /var/log/nginx/app.devlab.intern.http.error.log;

# NOTE(review): $host echoes the client's Host header; should this block ever
# become the default_server, an arbitrary Host value is reflected into the
# redirect target — $server_name would pin it to app.devlab.intern
return 301 https://$host$request_uri;
}

server {
listen 443 ssl;
server_name app.devlab.intern;

# dot-file location plus the PATCH/TRACE check, see the snippet
include /etc/nginx/snippets/generic.protection.conf;

# sslparams (declared in nginx.conf) adds protocol and cipher to each line
access_log /var/log/nginx/app.devlab.intern.tls.access.log sslparams;
error_log /var/log/nginx/app.devlab.intern.tls.error.log;

ssl_certificate /etc/nginx/certs/devlab_intern.crt;
ssl_certificate_key /etc/nginx/certs/devlab_intern.key;

include /etc/nginx/snippets/tls_config.conf;

# 444: close the connection without sending any response (nginx-specific)
if ($blacklist_user_agents) {
return 444;
}

# NOTE(review): repeats the identical check already included from
# generic.protection.conf above; harmless, but one of the two can go
if ($request_method ~ ^(PATCH|TRACE)$) {
return 405;
}

location / {
# have an request limit
# up to 10 requests above the 15 r/s rate are queued (no nodelay), more get 429
limit_req zone=limitreqsbyaddr burst=10;
proxy_pass http://app.localhost;
}
}
49 |
--------------------------------------------------------------------------------
/nginx/example_config/snippets/bot.protection.conf:
--------------------------------------------------------------------------------
# Please note that this is only a minimal mitigation. It is very easy to fake a user-agent
# CONTEXT: HTTP
# Maps the request's User-Agent to $blacklist_user_agents: 1 when it contains
# one of the listed scanner names (~* = case-insensitive regex), 0 otherwise.
# sites-available/lab tests the variable inside its server block and answers 444.
map $http_user_agent $blacklist_user_agents {
default 0;

~*wpscan 1;
~*dirbuster 1;
~*gobuster 1;
}
10 |
--------------------------------------------------------------------------------
/nginx/example_config/snippets/generic.protection.conf:
--------------------------------------------------------------------------------
# Some example settings for various things that can quickly go wrong
# CONTEXT: SERVER

# /.bash_history for example ends with HTTP 444.
# The regex hits any path segment that starts with a dot (.git, .env, .htaccess, ...)
# and 444 closes the connection without a response.
# NOTE(review): this also covers /.well-known/, which ACME HTTP-01 validation
# (Let's Encrypt) relies on; add a more specific location for it if you use that.
location ~ /\. {
return 444;
}

# unless you really need HTTP PATCH and TRACE. Most applications only need GET and POST
# 405 Method Not Allowed; sites-available/lab currently repeats this same check
if ($request_method ~ ^(PATCH|TRACE)$) {
return 405;
}
13 |
--------------------------------------------------------------------------------
/nginx/example_config/snippets/tls_config.conf:
--------------------------------------------------------------------------------
# Services with clients that support TLS 1.3 and dont need backward compatibility
# CONTEXT: SERVER (sites-available/lab includes it after the certificate lines)

# let the client pick the suite; all but the last entry below are AEAD suites anyway
ssl_prefer_server_ciphers off;
# OCSP stapling. NOTE(review): nginx needs a `resolver` for the OCSP responder
# and, for ssl_stapling_verify, a `ssl_trusted_certificate` chain — neither is
# present in the example config, so watch the error log for stapling warnings
ssl_stapling on;
ssl_stapling_verify on;

# Diffie-Hellman group
# generated with: openssl dhparam -out /etc/nginx/dhparam.pem 4096 (see dhparam.pem)
ssl_dhparam /etc/nginx/dhparam.pem;

# no stateless session tickets (a long-lived ticket key weakens forward
# secrecy); resume via the server-side cache instead: 10 MB shared, 24 h
ssl_session_tickets off;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

#Cipher-Suites
# NOTE(review): an OpenSSL cipher list only governs TLS <= 1.2 suites; with
# ssl_protocols TLSv1.3 in nginx.conf the TLS 1.3 suites come from the OpenSSL
# defaults and this line is effectively unused. ECDHE-RSA-AES128-SHA at the
# end is the only CBC/SHA-1 entry — drop it should TLS 1.2 ever be re-enabled.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
15 |
--------------------------------------------------------------------------------
/nginx/readme.md:
--------------------------------------------------------------------------------
1 | # annoy-the-script-kiddie
2 |
3 | ## overview
4 | - [nginx](#nginx)
5 | - [headers](#headers)
6 | - [tls](#tls)
7 | - [limit request zone](#limit-request-zone)
8 | - [COOP COEP CORP CORS](#coop-coep-corp-cors)
9 | - [restrict access to specific http methods](#restrict-access-to-specific-http-methods)
10 | - [simple-bot-protection](#simple-bot-protection)
11 | - [generic-protection](#generic-protection)
12 |
13 | ## nginx
14 |
15 | A complete configuration example with reverse proxy, simple load balancing and secure config is available inside the *./example_config* folder.
16 |
17 | ### headers
18 |
19 | | nginx add header | description | read more |
20 | |---------|---------------|------------|
21 | | ```add_header Referrer-Policy same-origin;``` | The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. | [Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) |
22 | | ```add_header X-Frame-Options "DENY";``` | The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe, embed or object. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. | [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) |
23 | | ```add_header X-XSS-Protection "1;mode=block";``` | The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. | [X-XSS-Protection](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection) |
24 | | ```add_header X-Content-Type-Options nosniff;``` | The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured. | [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) |
25 | | ```add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";``` | The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. | [Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) |
26 | | ```add_header Content-Security-Policy "default-src 'self'" always;``` | The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (Cross-site_scripting). | [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) |
27 | | ```add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;``` | The HTTP Permissions-Policy header provides a mechanism to allow and deny the use of browser features in a document or within any iframe elements in the document. | [Permissions-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy) |
28 | | ```add_header Access-Control-Allow-Origin "https://my.page";``` | Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.| [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) |
29 | | ```add_header Cross-Origin-Resource-Policy "same-origin";``` |Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like script and img), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.| [CORP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy) |
30 | | ```add_header Cross-Origin-Embedder-Policy "require-corp";``` | The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures embedding cross-origin resources into the document. | [COEP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) |
31 | | ```add_header Cross-Origin-Opener-Policy "same-origin";``` | The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. | [COOP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) |
32 |
33 |
34 |
35 | ### tls
36 |
37 | The TLS protocol is managed and developed by the IETF TLS Working Group. More information is available at: [https://tlswg.org/](https://tlswg.org/)
38 |
39 | TLS config example for nginx:
40 |
41 | ```
42 | # Services with clients that support TLS 1.3 and dont need backward compatibility
43 | ssl_prefer_server_ciphers off;
44 | ssl_stapling on;
45 | ssl_stapling_verify on;
46 |
47 | # Diffie-Hellman group
48 | ssl_dhparam /etc/nginx/dhparam.pem;
49 |
50 | ssl_session_tickets off;
51 | ssl_session_cache shared:le_nginx_SSL:10m;
52 | ssl_session_timeout 1440m;
53 |
54 | #Cipher-Suites
55 | ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
56 | ```
57 |
58 | Diffie-Hellman group: This is used for e.g. perfect forward secrecy [https://en.wikipedia.org/wiki/Forward_secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which uses ephemeral session keys so that an intercepted communication cannot be decrypted later, even if the server's long-term private key is compromised.
59 |
60 | ```bash
61 | openssl dhparam -out /etc/nginx/dhparam.pem 4096
62 | ```
63 |
64 | ### generate tls certificate
65 |
66 | Simple command to generate a self-signed TLS certificate. Read more about it at [let's encrypt](https://letsencrypt.org/docs/certificates-for-localhost/)
67 |
68 | ```bash
69 | openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/certs/self_signed.key -out /etc/nginx/certs/self_signed.crt
70 | ```
71 |
72 | ### limit request zone
73 |
74 | Rate limiting can be used for security purposes, for example to slow down brute-force password-guessing attacks. Read more on the official nginx blog: [https://www.nginx.com/blog/rate-limiting-nginx/](https://www.nginx.com/blog/rate-limiting-nginx/)
75 |
76 | ```
77 | limit_req_zone $binary_remote_addr zone=limitreqsbyaddr:20m rate=15r/s;
78 | limit_req_status 429;
79 |
80 | upstream app.localhost {
81 | server localhost:8080;
82 | }
83 |
84 |
85 | server {
86 | listen 443 ssl;
87 | server_name app.devlab.intern;
88 |
89 | location / {
90 | limit_req zone=limitreqsbyaddr burst=10;
91 | proxy_pass http://app.localhost;
92 | }
93 | }
94 | ```
95 |
96 | ### COOP COEP CORP CORS
97 |
98 | A very good introduction and explanation of this topic can be found in the following resources:
99 |
100 | - [https://snigel.com/blog/a-simple-guide-to-coop-coep-corp-and-cors](https://snigel.com/blog/a-simple-guide-to-coop-coep-corp-and-cors)
101 | - [https://web.dev/coop-coep/](https://web.dev/coop-coep/)
102 | - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
103 |
104 |
105 | ```
106 | # CORS HEADER
107 | add_header Access-Control-Allow-Origin "https://my.page";
108 |
109 | # CORP HEADER
110 | add_header Cross-Origin-Resource-Policy "same-origin";
111 |
112 | # COEP HEADER
113 | add_header Cross-Origin-Embedder-Policy "require-corp";
114 |
115 | # COOP HEADER
116 | add_header Cross-Origin-Opener-Policy "same-origin";
117 | ```
118 |
119 | ### restrict access to specific http methods
120 |
121 | Sometimes it can be helpful to allow only one HTTP method.
122 |
123 | [https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except](https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except)
124 |
125 | ```
126 | # HEAD is implicit
127 | limit_except GET {
128 | deny all;
129 | }
130 | ```
131 |
132 | #### simple bot protection
133 |
134 | If bots or other stupid scanners, mostly in their default configuration, send along a "talking" user-agent, we can cause maximum confusion with an internal Nginx HTTP status. To do this, we create a file named "bot.protection.conf" in the /etc/nginx/snippets folder and add the following content:
135 |
136 | ```
137 | map $http_user_agent $blacklist_user_agents {
138 | ~*wpscan 1;
139 | ~*dirbuster 1;
140 | ~*gobuster 1;
141 | }
142 | ```
143 |
144 | Within the virtual host configuration, the file can be loaded with the following directive:
145 |
146 | ```
147 | include /etc/nginx/snippets/bot.protection.conf;
148 | ```
149 |
150 | After that you can test the variable value of $blacklist_user_agents inside the "server" block with the following statement:
151 |
152 | ```
153 | if ($blacklist_user_agents) {
154 | return 444;
155 | }
156 |
157 | ```
158 |
159 | What is HTTP 444?
160 |
161 | A non-standard status code that instructs the NGINX web server to close the connection without sending a response header to the client. Most commonly, this code is used to deny malicious or misformatted requests.
162 |
163 | #### generic protection
164 |
165 | Sometimes things just go wrong. Therefore include the file "generic.protection.conf" and adapt it to your needs!
166 |
167 | ```
168 | include /etc/nginx/snippets/generic.protection.conf;
169 | ```
170 |
171 | Preconfigured content:
172 |
173 |
174 | ```
175 | # Some example settings for various things that can quickly go wrong
176 | # CONTEXT: SERVER
177 |
178 | # /.bash_history for example ends with HTTP 444.
179 | location ~ /\. {
180 | return 444;
181 | }
182 |
183 | # unless you really need HTTP PATCH and TRACE. Most applications only need GET and POST
184 | if ($request_method ~ ^(PATCH|TRACE)$) {
185 | return 405;
186 | }
187 | ```
188 |
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
1 | # annoy-the-script-kiddie
2 |
3 | ## about
4 | This cumbersome background noise on the Internet can be really tedious. Annoying bots that scan everything and script-kiddies that shout about nmap or other nonsense.
5 |
6 | Here you can find a collection of useful scripts and articles to make the life of bots and script-kiddies as hard as possible.
7 |
8 | ## firewall
9 |
10 | Check the ./firewall folder. It contains a netfilter config based on [iptables](https://en.wikipedia.org/wiki/Iptables)
11 |
12 |
13 | ## nginx
14 |
15 | Check the ./nginx folder. It contains best practices for securing your [nginx](https://www.nginx.com/) deployment
16 |
--------------------------------------------------------------------------------