Welcome! Log In Create A New Profile

Advanced

Re: performance hit in using too many if's

September 26, 2016 06:10AM
For one thing, I have trouble making fail2ban work. ;-)  I run sshguard, so the major port 22 hacking is covered. And that is continous.

I don't know if fail2ban can read nginx logs. I thought you need to run swatch, which requires actual perl skill to set up.

In any event, my 444 is harmless other than someone not getting a reply. I find hackers try to log into WordPress. I find Google trys to log into WordPress. My guess is maybe Google is trying to figure out if you run WordPress, while the hackers would dictionary search if you were actually running WordPress. In my case, I am not running WordPress, but anyone trying to log into it is suspicious. Blocking Google is bad. 

So I examine the IP addresses. If from a colo, VPS, etc. , they get a lifetime ban of the entire IP space. No eyeballs there, or if a VPN, they can just drop it. If the IP goes back to some ISP or occasionally Google, I figure who cares.

WordPress isn't my only trigger. I've learned the words like the Chinese use for backup, which they search for. Of course "backup" is searched as well.. I have maybe 30 triggers in the map. I also limit my verbs to "get" and "head" since I only serve static pages. Ask for php, you get 444. Use wget, curl, nutch, etc., get a 444. The bad referrals get a 404.

Since whatever I consider to be hacking is blocked in real time, no problem to the server. I then use the scripts to look at the IPs I deem shady and see who they are. The list is like four or so unique IP addresses a day. Most go to ISPs, often mobile. So I just live with it. If I find a commercial site, I block the hosting company associated with that commercial site.

When I ran Naxsi, it would trigger on words like update. I had to change all URLs with the word update in them to a non reserved word. Some triggers I couldn't even figure out. Thus I determined using the map modules and my own triggers to be a better plan.

  Original Message  
From: Alt
Sent: Monday, September 26, 2016 1:43 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: performance hit in using too many if's

Hello,

I don't agree with Robert Paprocki: adding modules like naxsi or modsecurity
to nginx is not a solution. They have bugs, performance hits, need patch
when there's new versions of nginx,...

gariac, you say you send 444 to hackers then use a script to display those.
Why not use fail2ban to scan the logs and ban them for some time. But of
course, fail2ban could also be a performance hit if you have tons of logs to
scan :-(

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269808,269848#msg-269848

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

performance hit in using too many if's

Anoop Alias September 24, 2016 05:00AM

Re: performance hit in using too many if's

gariac September 24, 2016 05:32AM

Re: performance hit in using too many if's

Anoop Alias September 24, 2016 05:40AM

Re: performance hit in using too many if's

gariac September 24, 2016 06:04AM

Re: performance hit in using too many if's

Robert Paprocki September 24, 2016 07:42AM

Re: performance hit in using too many if's

gariac September 24, 2016 10:10AM

Re: performance hit in using too many if's

Alt September 26, 2016 04:43AM

Re: performance hit in using too many if's

gariac September 26, 2016 06:10AM

Re: performance hit in using too many if's

Anoop Alias September 26, 2016 07:30AM

Re: performance hit in using too many if's

gariac September 26, 2016 11:18AM

Re: performance hit in using too many if's

c0nw0nk September 26, 2016 12:10PM

Re: performance hit in using too many if's

Robert Paprocki September 26, 2016 01:18PM

Re: performance hit in using too many if's

gariac September 26, 2016 03:00PM

Re: performance hit in using too many if's

Alt September 27, 2016 07:34AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 171
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready