theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
𝓙𝓾𝓵𝓲𝓸
2019-05-03 22:36:14 +02:00
committed by GitHub
parent 366c336dbb
commit 74cae860a3
1 changed files with 14 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+14 -85
View File
@@ -3,106 +3,35 @@
# To-Do # To-Do
- [x] Nginx Version, Always Latest. - [x] Nginx V. each 10th release, current 1.60.0, next repo release 1.70.0!
- [x] Support Ubuntu Trusty. (14.04) - [x] Support Ubuntu Bionic. (18.04)
- [x] Support Ubuntu Xenial. (16.04)
- [x] Support Ubuntu Cosmic. (18.10)
- [x] Support Debian.
- [x] Support Centos.
- [x] Support Arch Linux.
- [x] ModSecurity Support. - [x] ModSecurity Support.
- [x] Naxsi Support. - [x] Naxsi Support.
- [x] L7 Protection. - [x] L7 Protection.
- [x] AutoBan System. - [x] AutoBan System.
- [x] Integrate Fail2Ban > IpTables. - [x] Integrate Fail2Ban > IpTables.
- [-] GUI ?
- [-] Monitor requests in live time from browser.
- [-] L7 Protection (TestCookie Module) Add Recaptcha! - [-] L7 Protection (TestCookie Module) Add Recaptcha!
- [-/x] ..... - [-/x] [Suggestions](https://github.com/theraw/The-World-Is-Yours/issues)
# Installation # Installation
For each new system ubuntu, centos or whatever your distro may be you need a update/upgrade then do one reboot! So outdates packages will be up to date your kernel will be up to date and not needed files will get removed.
1. **`apt-get install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc -y`** X. **`Ubuntu`**
2. **`git clone https://github.com/theraw/The-World-Is-Yours.git`** 1. **`apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y; shutdown -r now`**
3. **`cd The-World-Is-Yours/; chmod +x *`** 2. **`apt-get install build-essential libssl-dev curl nano wget zip unzip sudo git psmisc -y`**
4. **`./install`** 3. **[Install Docker](https://docs.docker.com/install/linux/docker-ce/ubuntu/)**
4. **[Install Docker-Composer](https://github.com/docker/compose/releases) use latest version > execute provided cmds**
5. **`curl -s https:// > nginx.yml`**
6. **`docker-compose -f nginx.yml up -d`**
# Informations.
```
=> /nginx/ = Nginx Path,
=> /nginx/live/ = Vhosts Config Files Dir,
=> /nginx/logs/ = Core Logs Files,
=> /nginx/modsecurity/ = ModSecurity Rules Dir,
=> /hostdata/ = Place to store your domain folders.
=> /hostdata/yourdomain.com/ = Ex of domain dir (private folder),
=> /hostdata/yourdomain.com/public_html/ = Ex of your domain webroot (public files only),
=> /hostdata/yourdomain.com/logs/ = Place where to store your Domains logs (access.log) (private folder),
=> /hostdata/yourdomain.com/ssl/ = Place where to store domain ssl/key (private folder),
=> /hostdata/yourdomain.com/cache/ = Place where to store site cache (private folder).
// Private Folder - Means this cannot be accessed by public.
// Public Folder - Means files into this folder can be accessed by public.
```
# Check.
1 . [L7 (Cookie Based Protection)](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L15-L42)
2 . [Auto Ban System](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L105-L111) based on [Connection for ip](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L72-L73)
3 . [Auto Ban 444 Reqs](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/jail.local#L113-L118) A day i've been under attack of multiple proxies, and even after they got banned they still was keep trying the same thing so when you ban someone when that ip tries to access your website that request will not go on `error.log` but in `access.log` so i created this rule to ban with iptables every request who have stauts `444` so nginx will not have to handle those.
4 . [Kernel Hardening](https://github.com/theraw/The-World-Is-Yours/blob/master/static/sysctl.conf), Use this if you have a Gbps uplink 4+GB RAM, A good CPU and SSD.
5 . [Naxsi Rules Included](https://github.com/theraw/The-World-Is-Yours/blob/master/static/nginx.conf#L118)
6 . [Iptables rules](https://github.com/theraw/The-World-Is-Yours/blob/master/iptables/rules) You have to manually enable.
7 . ModSecurity is not loaded. You have to manually enable. In your server there is a folder `/nginx/modsecurity/`
where ModSecurity rules are stored, open `/nginx/modsecurity/modsecurity.conf` add those
```bash
Include crs-setup.conf
Include rules/*.conf
```
ModSecurity is by default enabled as "detect only" you can turn it on always by doing this
```bash
SecRuleEngine On
```
Using modSecurity for your site
```bash
server {
.....
modsecurity on;
modsecurity_rules_file /nginx/modsecurity/modsecurity.conf;
location / {
.....
}
}
```
Test it!
`curl 'http://localhost/?q="><script>wanna hack</script>'`
```html
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
# Why manual activation?
Actually i'm just creating a open source build script for nginx with some features, so this is not just a full build in pack with everything enabled, you should actually have some knowledge about how those things work so i don't think it should be hard to do by yourself?!
# Keep In Mind. # Keep In Mind.
The **L7 Protection** is the same way which **cloudflare** have that banner "Under Attack" A.K.A Cookie based authorization. Most of bots from where attacks will come doesn't support cookies so it will fail to access your site. (Test it by yourself to "curl http://yoursite.com" before you activate L7 and after you start L7 so you will understand better.) The **L7 Protection** is the same way which **cloudflare** have that banner "Under Attack" A.K.A Cookie based authorization. Most of bots from where attacks will come doesn't support cookies so it will fail to access your site. (Test it by yourself to "curl http://yoursite.com" before you activate L7 and after you start L7 so you will understand better.)