Ok .. reiterating my original question.
Is the usage of if / map in nginx config more efficient than, say, naxsi
(or libmodsecurity) for something like blocking SQL injection?
For example,
https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules
rules 1000-1099 block SQL injection attempts.
So .. do (to a limited extent):
## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
    set $block_sql_injections 1;
}
............
.....................
if ($block_sql_injections = 1) {
    return 403;
}
From the point of application performance, which one is better?
Performance for a shared hosting server with around 500 vhosts.
On Mon, Sep 26, 2016 at 3:39 PM, <lists@lazygranch.com> wrote:
> For one thing, I have trouble making fail2ban work. ;-) I run sshguard,
> so the major port 22 hacking is covered. And that is continuous.
>
> I don't know if fail2ban can read nginx logs. I thought you need to run
> swatch, which requires actual perl skill to set up.
>
> In any event, my 444 is harmless other than someone not getting a reply. I
> find hackers try to log into WordPress. I find Google tries to log into
> WordPress. My guess is maybe Google is trying to figure out if you run
> WordPress, while the hackers would dictionary search if you were actually
> running WordPress. In my case, I am not running WordPress, but anyone
> trying to log into it is suspicious. Blocking Google is bad.
>
> So I examine the IP addresses. If from a colo, VPS, etc., they get a
> lifetime ban of the entire IP space. No eyeballs there, or if a VPN, they
> can just drop it. If the IP goes back to some ISP or occasionally Google, I
> figure who cares.
>
> WordPress isn't my only trigger. I've learned the words like the Chinese
> use for backup, which they search for. Of course "backup" is searched as
> well. I have maybe 30 triggers in the map. I also limit my verbs to "get"
> and "head" since I only serve static pages. Ask for php, you get 444. Use
> wget, curl, nutch, etc., get a 444. The bad referrals get a 404.
>
> Since whatever I consider to be hacking is blocked in real time, no
> problem to the server. I then use the scripts to look at the IPs I deem
> shady and see who they are. The list is like four or so unique IP addresses
> a day. Most go to ISPs, often mobile. So I just live with it. If I find a
> commercial site, I block the hosting company associated with that
> commercial site.
>
> When I ran Naxsi, it would trigger on words like "update". I had to change
> all URLs with the word "update" in them to a non-reserved word. Some triggers
> I couldn't even figure out. Thus I determined using the map module and my
> own triggers to be a better plan.
>
> Original Message
> From: Alt
> Sent: Monday, September 26, 2016 1:43 AM
> To: nginx@nginx.org
> Reply To: nginx@nginx.org
> Subject: Re: performance hit in using too many if's
>
> Hello,
>
> I don't agree with Robert Paprocki: adding modules like naxsi or modsecurity
> to nginx is not a solution. They have bugs, performance hits, need patches
> when there are new versions of nginx, ...
>
> gariac, you say you send 444 to hackers then use a script to display those.
> Why not use fail2ban to scan the logs and ban them for some time? But of
> course, fail2ban could also be a performance hit if you have tons of logs
> to scan :-(
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269808,269848#msg-269848
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
--
*Anoop P Alias*
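An added example, not from any poster in this thread, showing the same "union ... select (" check rewritten with map instead of if, plus the GET/HEAD-only method restriction gariac describes; server_name, root and the extra pattern are constructed placeholders:

```nginx
# map is evaluated lazily: the regexes below run at most once per request,
# and only when $block_sql_injections is first referenced.
map $query_string $block_sql_injections {
    default 0;
    # regex keys start with ~ (case-sensitive) or ~* (case-insensitive)
    "~*union.*select.*\("   1;   # pattern from the original if-snippet
    "~*\bsleep\s*\(\s*\d+"  1;   # constructed illustrative pattern
    # ... further patterns, one per line, in the style of naxsi rules 1000-1099 ...
}

# Static-only site: anything other than GET/HEAD is dropped without a reply.
map $request_method $block_method {
    default 1;
    GET     0;
    HEAD    0;
}

server {
    listen      80;
    server_name example.com;     # placeholder
    root        /var/www/html;   # placeholder

    # if at server level (not inside location) avoids the well-known
    # "if is evil" pitfalls; a map value of 0 is treated as false.
    if ($block_method)         { return 444; }
    if ($block_sql_injections) { return 403; }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the config with `nginx -t` before reloading; a request such as `GET /?id=1%20UNION%20SELECT%20(1)` should then receive 403 while ordinary query strings pass through.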