Banning users based on their activity (stopping web scans)

Posted by cates 
June 14, 2011 04:20AM
Hi,

Does nginx have the ability to block a user when certain usage patterns occur? For example, most of my sites get blatant scans for known exploits with thousands of entries like this in the logs:
"GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 185 "-" "ZmEu"
"GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 185 "-" "ZmEu"
"GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 185 "-" "ZmEu"
...etc
(I know I can ban the useragent in this example, but often it is a 'real' browser string)

Is there an option to keep a counter and ban an IP if they get more than x '404' page not found in y amount of seconds and it is an obvious scan? I looked at fail2ban with the HttpLimitReqModule which ties into log files and iptables, but I don't think it does what I want. Ideally, if a user behaves in a certain way, I could add them to a dynamic block list for a period of time and send them a 444 response code.

Sounds quite simple to me but I can't figure out a way to do it in nginx. Any ideas?
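
The counter described in the post above (more than x 404s from one IP within y seconds leads to a timed ban), as an added example that is not part of the original post and is not an nginx feature. It assumes the default "combined" access-log format; the names `find_scanners` and `make_line`, the thresholds, and the sample log lines are constructed for illustration, and enforcing the resulting ban list (firewall or server deny list) is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_scanners(lines, max_404=3, window_s=10, ban_s=600):
    """Map each IP with more than max_404 404s inside window_s seconds to its ban expiry.
    Assumes lines are in chronological order, as in a live access log."""
    recent = defaultdict(deque)  # ip -> timestamps of its 404s still inside the window
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue  # unparsable line or not a 404: ignore
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop 404s that have aged out of the window
        if len(q) > max_404:
            bans[ip] = ts + timedelta(seconds=ban_s)  # repeat offences extend the ban
    return bans

def make_line(ip, sec, path, status, agent):
    """Build one constructed log line (documentation-range IPs, made-up times)."""
    return (f'{ip} - - [14/Jun/2011:04:20:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 185 "-" "{agent}"')

# Constructed sample input, not taken from the post's server.
SAMPLE_LOG = [
    make_line("203.0.113.7", 1, "/phpmyadmin/scripts/setup.php", 404, "ZmEu"),
    make_line("198.51.100.20", 1, "/favicon.ico", 404, "Mozilla/5.0"),
    make_line("203.0.113.7", 2, "/phpmyadmin1/scripts/setup.php", 404, "ZmEu"),
    make_line("192.0.2.9", 2, "/a.html", 404, "Mozilla/5.0"),
    make_line("203.0.113.7", 3, "/phpmyadmin2/scripts/setup.php", 404, "ZmEu"),
    make_line("198.51.100.20", 4, "/index.html", 200, "Mozilla/5.0"),
    make_line("203.0.113.7", 4, "/phpmyadmin3/scripts/setup.php", 404, "ZmEu"),
    make_line("192.0.2.9", 15, "/b.html", 404, "Mozilla/5.0"),
    make_line("192.0.2.9", 30, "/c.html", 404, "Mozilla/5.0"),
    make_line("192.0.2.9", 45, "/d.html", 404, "Mozilla/5.0"),
    make_line("198.51.100.20", 50, "/old-page", 404, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for ip, until in find_scanners(SAMPLE_LOG).items():
        print(f"ban {ip} until {until.isoformat()}")
```

The sliding window is what separates the burst from 203.0.113.7 from 192.0.2.9, which also collects four 404s but spread over 43 seconds, so a plain per-IP total would misclassify it.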