Name | Logging method | GitHub | Logging code |
---|---|---|---|
tengine_waf | io.open | https://github.com/lanzsec/tengine_waf | https://github.com/lanzsec/tengine_waf/blob/8b55bd477603c772ca87948d8610a0bce258e334/conf/init.lua |
waf | io.open | https://github.com/unixhot/waf | https://github.com/unixhot/waf/blob/master/waf/lib.lua |
lua-resty-waf | three methods to choose from | https://github.com/p0pr0ck5/lua-resty-waf | https://github.com/p0pr0ck5/lua-resty-waf/blob/master/lib/resty/waf/log.lua |
ngx_lua_waf | io.open | https://github.com/loveshell/ngx_lua_waf | https://github.com/loveshell/ngx_lua_waf/blob/master/init.lua |
openstar | io.open | https://github.com/starjun/openstar | https://github.com/starjun/openstar/blob/master/log.lua |
```shell
ab -n 100000 -c 100 http://x.x.x.x/payload
```
Method | Run 1 | Run 2 | Average |
---|---|---|---|
No WAF | 0.121 | 0.126 | 0.1235 |
syslog-ng local logging, buffer 4096 | 0.199 | 0.193 | 0.196 |
syslog-ng local logging, buffer 1 | 0.205 | 0.230 | 0.2175 |
syslog-ng remote logging, buffer 4096 | 0.498 | 0.165 | 0.3315 |
io.open | 0.233 | 0.241 | 0.237 |
ngx.log | 0.165 | 0.176 | 0.1705 |
```lua
local logger = require "resty.logger_socket"

local _M = {}

-- Write logs to syslog-ng with lua-resty-logger-socket.
-- When certain conditions are met, syslog-ng enters a garbage-collection state and
-- temporarily stops accepting log messages. Over a connectionless transport (for
-- example UDP) this causes log loss.
function _M.logger_socket(log_data, blocktype, rulename)
    if not logger.initted() then
        local ok, err = logger.init {
            host = "127.0.0.1",
            port = 514, -- tcp is used by default; UDP would lose logs.
            flush_limit = 4096, -- buffer until this many bytes before writing to the
                                -- socket; this speeds things up, no round trip per entry.
            periodic_flush = 10,
        }
        if not ok then
            ngx.log(ngx.ERR, "failed to initialize the logger: ", err)
            return
        end
    end

    -- The original passed a literal "data\n" here, which was a placeholder; the actual
    -- entry is log_data (assumption: the caller has already folded blocktype and
    -- rulename into it).
    local bytes, err = logger.log(log_data .. "\n")
    if err then
        ngx.log(ngx.ERR, "failed to log message: ", err)
        return
    end
    return bytes
end

return _M
```
If you want near-real-time logs, set the buffer value somewhat smaller, or use the `periodic_flush` parameter (in seconds) to flush on a timer.

lua-resty-logger-socket source: https://github.com/cloudflare/lua-resty-logger-socket
```
@version:3.2
# filepath: /etc/syslog-ng/syslog-ng.conf
source s_sys {
    tcp(ip(127.0.0.1) port(514));
};
destination test {
    file("/var/log/syslog-ng.log");
};
log {
    source(s_sys);
    destination(test);
};
```
```
/var/log/syslog-ng.log {
    rotate 7
    missingok
    daily
    dateext
    nocompress
    postrotate
        /bin/kill -SIGUSR1 `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null
    endscript
}
```
`/var/run/syslogd.pid` holds the pid of the running syslog-ng process, which is what the `postrotate` hook signals.

Note that logrotate can execute shell commands from its config, so this is also a way to leave a backdoor.
```shell
$ cat /etc/cron.daily/logrotate
#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
```
```shell
$ cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22
#period in days   delay in minutes   job-identifier   command
1         5     cron.daily      nice run-parts /etc/cron.daily
7         25    cron.weekly     nice run-parts /etc/cron.weekly
@monthly  45    cron.monthly    nice run-parts /etc/cron.monthly
```
```
-rw------- 1 root root 0 Dec 15 03:25 syslog-ng.log-20171216
-rw------- 1 root root 0 Dec 14 03:17 syslog-ng.log-20171215
-rw------- 1 root root 0 Dec 13 03:41 syslog-ng.log-20171214
-rw------- 1 root root 0 Dec 12 03:17 syslog-ng.log-20171213
-rw------- 1 root root 0 Dec 11 03:18 syslog-ng.log-20171212
```
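Because logrotate runs whatever a `postrotate`/`prerotate` block contains as root from cron.daily, a defender wants an inventory of those hooks. The audit below is an added example, not code from the post or from any of the WAF projects listed; it parses the syslog-ng stanza shown above plus a constructed second stanza, and its allowlist of expected commands is an assumption to tune per distribution.

```python
from pathlib import Path

# Script blocks that logrotate hands to /bin/sh (see logrotate(8)).
HOOK_KEYWORDS = ("prerotate", "postrotate", "firstaction", "lastaction", "preremove")
# Commands that normally appear in rotation hooks; an assumption for this example,
# tune it to what your distribution's packages actually ship.
EXPECTED_COMMANDS = {"kill", "systemctl", "service", "invoke-rc.d", "logger", "true"}
# Constructed sample: the syslog-ng stanza from the post, plus a stanza whose hook
# runs a script out of /tmp, the kind of entry an audit should surface.
SAMPLE_CONFIG = """\
/var/log/syslog-ng.log {
    rotate 7
    daily
    postrotate
        /bin/kill -SIGUSR1 `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null
    endscript
}
/var/log/app/*.log {
    postrotate
        /bin/kill -HUP `cat /var/run/app.pid`
        /tmp/.cache/update.sh
    endscript
}
"""

def parse_hooks(config_text):
    """One dict per hook block: stanza log globs, hook keyword, script lines run by /bin/sh."""
    hooks, logs, script = [], ["<global>"], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if script is not None:              # inside hook ... endscript
            if line == "endscript":
                hooks.append(script)
                script = None
            else:
                script["script"].append(line)
        elif not line or line.startswith("#"):
            continue
        elif line.endswith("{"):            # "path [path ...] {" opens a stanza
            logs = line[:-1].split()
        elif line == "}":
            logs = ["<global>"]
        elif line in HOOK_KEYWORDS:
            script = {"logs": logs, "hook": line, "script": []}
    return hooks

def unexpected_commands(hook):
    """First token of each script line whose basename is not on the allowlist."""
    cmds = [ln.split()[0] for ln in hook["script"] if ln and not ln.startswith("#")]
    return [c for c in cmds if Path(c).name not in EXPECTED_COMMANDS]

def audit(config_text=SAMPLE_CONFIG):
    """(first log glob, hook keyword, flagged commands) for every hook in the config."""
    return [(h["logs"][0], h["hook"], unexpected_commands(h)) for h in parse_hooks(config_text)]
```

Run `audit()` over the concatenated contents of `/etc/logrotate.conf` and `/etc/logrotate.d/*` to get one line per hook, with anything outside the allowlist listed for review.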
For more technical articles, follow the MLSRC WeChat official account.