Re: performance hit in using too many if's

September 24, 2016 10:10AM
I had too many false positives with Naxsi and debugging is difficult. In any event, using Naxsi doesn't eliminate the need to block bad referrals, so you still need the map module.  

I have passed tinfoilsecurity.com flogging, as well as one of the transversal testers. So this is more than just security theater. 

I flag all the hackers with a 444, then use scripts to display the 444 log entries in full line and also just a list of IPs. If I see a ridiculous number of attacks from one IP, it gets blocked even if an ISP. Otherwise I just examine the list of IPs and if it lacks eyeballs, I block the entire IP space of the entity. This eliminates having to look at the same infected servers or bulletproof hosting every time I check the logs.

  Original Message  
From: Robert Paprocki
Sent: Saturday, September 24, 2016 4:41 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: performance hit in using too many if's

Pardon me, but this thread smells terribly of bikeshedding. Comparing ifs vs maps is useless when what you're trying to accomplish should never be done through an HTTP server config. It's security theater, and no, the low-hanging fruit argument does not apply here. Use a proper WAF like libmodsec or naxsi and call it a day.

> On Sep 24, 2016, at 03:02, lists@lazygranch.com wrote:
>
> Possibly map uses a hashing scheme to do the matches, so it could be more efficient than a series of ifs. That is something the programmers would know.
>
> Every situation is different. I don't find the maps I use to be detrimental, especially if you are preventing further operations by the nginx. I can tell you I trimmed about a third of my network traffic by aggressively blocking scrapers and other bots. There are real savings to be had.
>
> Returning a 404 to a bad referrer can improve your page rank as well as reduce network traffic. For instance, I 404 any referral from stumbleupon.com because I never found one to be relevant when I looked at the link. I have other referrals from knucklehead websites that I'd rather not be associated with, and a few that turned out to disseminate malware. One referral went to a terrorist website. Why they picked me, I don't know. The link was to nothing relevant.
>
> Just do the code and watch the system load. I think you will find your concerns are not a problem.
>
> If map bugs you, you probably wouldn't like my ipfw blocking of VPS, colos, hosting companies, etc. that have attempted to hack my website. I'm up to 14k CIDRs, but here again, you have to assume a table in IPFW is intelligently searched. The server today that you block for attempting to hack WordPress is likely to be used when the next zero day comes out. If the IP doesn't have eyeballs and it isn't the few bots you like (Google, etc.), block them.
> Original Message
> From: Anoop Alias
> Sent: Saturday, September 24, 2016 2:39 AM
> To: Nginx
> Reply To: nginx@nginx.org
> Subject: Re: performance hit in using too many if's
>
> I understand that the map may look cleaner on the config as each vhost
> doesn't need the if matchings... but the variable evaluation and
> therefore the pattern matching for all possible values is still
> happening when the mapped variable is encountered? And therefore there
> is still a huge performance penalty?
>
> I am mainly asking this... as the above type of security configs are
> mostly not seen on nginx official blogs/documentation etc.
> Just wanted to know if people who know the internals have purposefully
> omitted these settings even though they are serving the purpose of
> security.
>
>
>
>> On Sat, Sep 24, 2016 at 2:45 PM, <lists@lazygranch.com> wrote:
>> I suspect the map module can do that more efficiently. There is an example of how to use the map module in this post:
>>
>> http://ask.xmodulo.com/block-specific-user-agents-nginx-web-server.html
>>
>> The code is certainly cleaner using map. I use three maps, specifically for bad user agent, bad request, and bad referrer.
>>
>>
>>
>> Original Message
>> From: Anoop Alias
>> Sent: Saturday, September 24, 2016 1:58 AM
>> To: Nginx
>> Reply To: nginx@nginx.org
>> Subject: performance hit in using too many if's
>>
>> Hi,
>>
>> I was following some suggestions on blocking user agents, SQL
>> injections etc. as in the following URL
>>
>> https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
>>
>> Just wanted to know what is the performance hit when using so many of
>> these if's ( in light of the if-is-evil policy ). Especially if the
>> server is having a lot of virtual hosts and the rules are matched for
>> each of them.
>>
>> Is it like:
>>
>> If the server is capable (beefy) it should be able to handle these URL ?
>>
>> or
>>
>> There is a huge performance penalty. Significantly more than
>> apache+mod_security as an example
>>
>> or
>>
>> There is a performance penalty but not as much as other security tools
>> or WAF's like naxsi or mod_security
>>
>>
>> Thanks in advance,
>>
>> --
>> Anoop P Alias
>>
>> _______________________________________________
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
> --
> Anoop P Alias

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
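
The 444 log triage described in the top post (the full 444 log lines plus a per-IP list), as an added example that is not the poster's own script. It assumes nginx's default `combined` log format; the sample log lines, the function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent".
# The request is matched between its quotes rather than by splitting on spaces,
# because rejected requests are often malformed and lack a "METHOD URI PROTO" shape.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample log using documentation address ranges, not real traffic.
SAMPLE_LOG = r'''
192.0.2.10 - - [24/Sep/2016:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Sep/2016:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2016:10:00:04 +0000] "\x16\x03\x01" 444 0 "-" "-"
192.0.2.10 - - [24/Sep/2016:10:00:05 +0000] "GET /index.html?id=444 HTTP/1.1" 444 0 "http://spam.example/" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2016:10:00:06 +0000] "GET /444 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
'''


def entries_444(lines):
    """Return (ip, full_line) for every request that was answered with status 444."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("status") == "444":
            hits.append((m.group("ip"), line))
    return hits


def ip_counts(lines):
    """Count 444 responses per client address."""
    return Counter(ip for ip, _ in entries_444(lines))


def heavy_hitters(lines, threshold=3):
    """Addresses with at least `threshold` 444s (the threshold is an assumed value)."""
    return [ip for ip, n in ip_counts(lines).most_common() if n >= threshold]


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for _, line in entries_444(log):           # full log lines
        print(line)
    for ip, n in ip_counts(log).most_common():  # per-IP list, busiest first
        print(n, ip)
    print("review for blocking:", heavy_hitters(log))
```

Matching the status field by position after the quoted request keeps a URI that merely contains `444` from being counted, and still catches rejected requests that are not valid HTTP.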
