For one thing, I have trouble making fail2ban work. ;-) I run sshguard, so the major port 22 hacking is covered. And that is continous.
I don't know if fail2ban can read nginx logs. I thought you need to run swatch, which requires actual perl skill to set up.
In any event, my 444 is harmless other than someone not getting a reply. I find hackers try to log into WordPress. I find Google trys to log into WordPress. My guess is maybe Google is trying to figure out if you run WordPress, while the hackers would dictionary search if you were actually running WordPress. In my case, I am not running WordPress, but anyone trying to log into it is suspicious. Blocking Google is bad.
So I examine the IP addresses. If from a colo, VPS, etc. , they get a lifetime ban of the entire IP space. No eyeballs there, or if a VPN, they can just drop it. If the IP goes back to some ISP or occasionally Google, I figure who cares.
WordPress isn't my only trigger. I've learned the words like the Chinese use for backup, which they search for. Of course "backup" is searched as well.. I have maybe 30 triggers in the map. I also limit my verbs to "get" and "head" since I only serve static pages. Ask for php, you get 444. Use wget, curl, nutch, etc., get a 444. The bad referrals get a 404.
Since whatever I consider to be hacking is blocked in real time, no problem to the server. I then use the scripts to look at the IPs I deem shady and see who they are. The list is like four or so unique IP addresses a day. Most go to ISPs, often mobile. So I just live with it. If I find a commercial site, I block the hosting company associated with that commercial site.
When I ran Naxsi, it would trigger on words like update. I had to change all URLs with the word update in them to a non reserved word. Some triggers I couldn't even figure out. Thus I determined using the map modules and my own triggers to be a better plan.
Original Message
From: Alt
Sent: Monday, September 26, 2016 1:43 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: performance hit in using too many if's
Hello,
I don't agree with Robert Paprocki: adding modules like naxsi or modsecurity
to nginx is not a solution. They have bugs, performance hits, need patch
when there's new versions of nginx,...
gariac, you say you send 444 to hackers then use a script to display those.
Why not use fail2ban to scan the logs and ban them for some time. But of
course, fail2ban could also be a performance hit if you have tons of logs to
scan :-(
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269808,269848#msg-269848
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
