Problem integrating with tor hidden service

C0nw0nk / Nginx-Lua-Anti-DDoS

A Anti-DDoS script to protect Nginx web servers using Lua with a HTML Javascript based authentication puzzle inspired by Cloudflare I am under attack mode an Anti-DDoS authentication page protect yourself from every attack type All Layer 7 Attacks Mitigating Historic Attacks DoS DoS Implications DDoS All Brute Force Attacks Zero day exploits Social Engineering Rainbow Tables Password Cracking Tools Password Lists Dictionary Attacks Time Delay Any Hosting Provider Any CMS or Custom Website Unlimited Attempt Frequency Search Attacks HTTP Basic Authentication HTTP Digest Authentication HTML Form Based Authentication Mask Attacks Rule-Based Search Attacks Combinator Attacks Botnet Attacks Unauthorized IPs IP Whitelisting Bruter THC Hydra John the Ripper Brutus Ophcrack unauthorized logins Injection Broken Authentication and Session Management Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting (XSS) Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging & Monitoring Drupal WordPress Joomla Flash Magento PHP Plone WHMCS Atlassian Products malicious traffic Adult video script avs KVS Kernel Video Sharing Clip Bucket Tube sites Content Management Systems Social networks scripts backends proxy proxies PHP Python Porn sites xxx adult gaming networks servers sites forums vbulletin phpbb mybb smf simple machines forum xenforo web hosting video streaming buffering ldap upstream downstream download upload rtmp vod video over dl hls dash hds mss livestream drm mp4 mp3 swf css js html php python sex m3u zip rar archive compressed mitigation code source sourcecode chan 4chan 4chan.org 8chan.net 8ch 8ch.net infinite chan 8kun 8kun.net anonymous anon tor services .onion torproject.org nginx.org nginx.com openresty.org darknet dark net deepweb deep web darkweb dark web mirror vpn reddit reddit.com adobe flash hackthissite.org dreamhack hack hacked hacking hacker hackers hackerz hackz hacks code coding script scripting scripter source leaks leaked leaking cve vulnerability great firewall china america japan russia .gov government http1 http2 http3 quic q3 litespeedtech litespeed apache torrents torrent torrenting webtorrent bittorrent bitorrent bit-torrent cyberlocker cyberlockers cyber locker cyberbunker warez keygen key generator free irc internet relay chat peer-to-peer p2p cryptocurrency crypto bitcoin miner browser xmr monero coinhive coin hive coin-hive litecoin ethereum cpu cycles popads pop-ads advert advertisement networks banner ads protect ovh blazingfast.io amazon steampowered valve store.steampowered.com steamcommunity thepiratebay lulzsec antisec xhamster pornhub porn.com pornhub.com xhamster.com xvideos xvdideos.com xnxx xnxx.com popads popcash cpm ppc

MIT License

1.12k stars 268 forks source link

Problem integrating with tor hidden service #16

Closed RuiSiang closed 4 years ago

RuiSiang commented 4 years ago

Issue title

It is stuck in continuous loop of the five second countdown, then it auto-reloads and counts again

Issue Description

After setup on whonix-nginx server, I tested on a pc. I checked the access and error logs, all is normal. But the script is stuck in loop, please help. Thank you very much.

Versions:

Browser(s): Tor
Nginx version: 1.14.2
Operating system of web server running Nginx: whonix

Nginx config:

Only one line (the one in readme) is added, but the config doesn't seem to be the issue here

Settings:

[List here all the changes you made to the default settings]

Other optional information you want to add other than the above:

C0nw0nk commented 4 years ago

Try changing this line

local remote_addr = ngx.var.remote_addr

To this.

local remote_addr = ngx.var.http_user_agent

C0nw0nk commented 4 years ago

I think every request with Tor browser will have a different IP hence why you need to change that to something static that Tor browser will send to identify the individual connecting User-Agent is a good thing to use.

C0nw0nk commented 4 years ago

I updated the script and made a wiki to help.

https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki/tor

RuiSiang commented 4 years ago

C0nw0nk, thanks. Yep, most tor service connect from localhost to web server. But the user agent method doesn't seem to work, I was sure that the user agent is the same, but still does not work. It may be a problem with other parts of the script, I'm looking into it.

C0nw0nk commented 4 years ago

Does tor browser run javascript and does it allow cookies to be set

RuiSiang commented 4 years ago

Cookies are allowed to be set in tor, you can think of it as a sandbox environment. The cookies are automatically deleted when you close the browser or when you click new identity.

As for jsp, you have to activate it manually. It can be enforced such that the site won't load if jsp is not enabled.

I think the best way for a tor site to filter bots is to show a captcha (with lua) before the site loads, which is the current solution I am implementing on my service (I'm writing my own script now). I think your script is best used for clearweb applications.

Webuser6666 commented 4 years ago

Does tor browser run javascript and does it allow cookies to be set

didn't you think yet? finish captcha?

RuiSiang commented 4 years ago

I think it would be better to use lua script to purely force load a captcha page before index page using access_by_lua, cookie, ip useragent filtering is completely no use when using tor (tor browsers all register as a same Mozilla user agent, ips are all localhost, and cookies are sometimes manually disabled by people)

C0nw0nk commented 4 years ago

@RuiSiang While captcha is a stronger defence for Tor users it still requies Javascript to function the same as this script does the same as Cloudflare, BitMitigate, Sucuri etc use Javascript to authenticate users so Tor users need Javascript enabled Mandatory

They still have an IP we just don't use it we use their User-Agent because that is static.

Cookies are allowed on Tor browser (I have checked and tested) If a random Tor user disabled cookies in their settings then the same with Cloudflare, BitMitigate, Sucuri they won't be able to access those sites lol..

I updated the script to fix a couple of bugs with the output Tor users might of seen and because of sites using this script that pass their traffic through services like Cloudflare to Tor users i fixed a bug where Tor browser would Block cookies. https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/commit/113f1dacae67934b994efa16813dc456a426cebc

So the latest version of the script should fix allot of these issues and should display their Tor browsers fake IP address correctly this time.

RuiSiang commented 4 years ago

OK, thanks a lot. I'll try the script on my server in a bit. Been a bit busy.

RuiSiang commented 4 years ago

Using user agents to id end users seem to be a good idea, should be good to use with sites less than fifty connected at most times. The method implemented by HttpGuard is better against high use rate, which uses hashed cookies with time limiting.

C0nw0nk commented 4 years ago

I have been working a rather big update i will be pushing it to the main repo soon when I do I will close this issue as it is to address Tor users problems in a automated way and solve the dilemas they would have. The previous updates I made solved the above problems but this new feature I built in makes the script intelligent enough to be able to detect a Tor user and I took it further giving server admins using this the power to decide if they want to allow or block tor users.

RuiSiang commented 4 years ago

Happy to see that. A reply to a previous comment, it is possible to implement captcha without javascript if you run the lua module in nginx. And as for the Tor user part, I think you're not grasping the point. The problem is not with Tor browser users, but the server of Tor hidden services, which is routed by torrc, and surfaces some very interesting effects on your script. I'm still sticking to my method (force users to captcha and hand out a unique key in cookie that has an expiration), and have already succeeded (for safety reasons, I cannot disclose the name of location of the site). Just some suggestions and comments here. No offense.

AndreiG6 commented 4 years ago

Doesn't sound like u have much faith in your implementation if you can't give an example. lol.

On Wed, Feb 5, 2020, 03:08 Goodx1000 notifications@github.com wrote:

Happy to see that. A reply to a previous comment, it is possible to implement captcha without javascript if you run the lua module in nginx. And as for the Tor user part, I think you're not grasping the point. The problem is not with Tor browser users, but the server of Tor hidden services, which is routed by torrc, and surfaces some very interesting effects on your script. I'm still sticking to my method (force users to captcha and hand out a unique key in cookie that has an expiration), and have already succeeded (for safety reasons, I cannot disclose the name of location of the site). Just some suggestions and comments here. No offense.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/16?email_source=notifications&email_token=AE6DR6HV6SZ22UHH7JHK3ETRBIGP5A5CNFSM4KMAAG62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKZZBCY#issuecomment-582193291, or unsubscribe https://github.com/notifications/unsubscribe-auth/AE6DR6HKHJ5G2SBN25ZCQCTRBIGP5ANCNFSM4KMAAG6Q .

C0nw0nk commented 4 years ago

@RuiSiang

it is possible to implement captcha without javascript if you run the lua module in nginx.

With this i would have to build in a method to read/grab HTTP responses or use a third party script since that is how captcha works it needs the server side to send a message to google as a confirmation something that is not easily done in a standalone enviorment like this but with a third party Lua library what then all users of this script would need installing on their servers as a mandatory requirement for it to function not something i want to do or force upon them.

force users to captcha and hand out a unique key in cookie that has an expiration

The script already creates a unique key and cookie that has an expiration i don't see why you think it is so different from googles captcha that does that same thing just uses Pictures and a manual way of comparing matching pictures to do the same thing.

@AndreiG6

It might be legal reasons or just he does not want people penetration testing his site.

C0nw0nk commented 4 years ago

Updated : https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/commit/3563ed21f031c9f41a033a29c0a3fed28ff4855d

Closing this Issue as it is no longer relevant since the prior issues have been resolved.

RuiSiang commented 4 years ago

With this i would have to build in a method to read/grab HTTP responses or use a third party script since that is how captcha works it needs the server side to send a message to google as a confirmation something that is not easily done in a standalone enviorment like this but with a third party Lua library what then all users of this script would need installing on their servers as a mandatory requirement for it to function not something i want to do or force upon them.

Actually, a php file using gd is sufficient to draw the captcha images. You can set the script to be run on the server at an hourly status, letting the captchas to be 10k verification sets that renews every hour. At least, that is my implemented method, just thought that you should know.

And Google Recaptcha is disliked by most tor site admins, since it may reveil and uncover both server and client site MAC addresses and IPs.

C0nw0nk commented 4 years ago

PHP is a no go, With projects like this you need to think of compatibility sakes for everybody. Not everyone can use PHP and my experience with it is that running PHP upstreams in the backend of Nginx just means if i did do such a thing it would be a exploit for those to DDoS the backend PHP generator.

The script is highly secure and fine as it is it really does not need such things added to it.

Every cookie generated is encrypted every header is encrypted meaning they have to guess and because there is not one header or cookie there are multiple they don't know what one is what. Bots that crack things like this have something static to latch onto I give them nothing due to the dynamic nature of the script.

If you take Cloudflare as an example you can take other scripts they make cookies and headers static...I don't know why you can read the name and the values making it simple for bots to identify what they need to gain access hence why they get bypassed with mine nothing is static by default I give you the option in the config to make them static but it is only for debugging purposes really i wouldn't recommend you leave it at that in a production enviorment.

The other variables like IP address and User-agent change for each client meaning you can clone cookies from one computer to another but that computer won't have the same IP heance why they will see the authentication page.

Then after a certain period of time I force them to expire 86400 1 day basically unless you change it in the script. They will see the auth page again you can test by turning the script on connecting to your site once the script grants you access change the expirey time to like 30 seconds or something restart your nginx and connect to your site again and you will see it will have expired your session and want to create a new session for you.

I also obfuscate javascript something that nobody else does to improve security of it, I have a few TODO: items listed in my source code that i am going to improve allot I just have not done so yet since I have been ironing out these other bugs and things people would like.

Making this script work for Tor users was the main priority over the last week since Tor services do recieve the brunt/bulk of attacks and this is a great battle field / testing ground to fire up my script to see what it can do for such sites.