Re: Aborting malicious requests

March 19, 2018 10:18AM
Thank you Gary, I really appreciate you moving me in the right direction.

Sent from my iPhone with all its odd spell checks

On Mar 19, 2018, at 9:36 AM, Gary <lists@lazygranch.com> wrote:

Your basic idea is right, but what you want to do is use a "map." I will follow up with more details when I can pull the code off my server.

I 444 a number of services that I don't use. I have a script to find the IP addresses of those that trigger a 444 from access.log. If they come from a data center, hosting service, etc., they get on a blocking list for my firewall. I block the entire IP space.

From: michael.friscia@yale.edu
Sent: March 19, 2018 5:31 AM
To: nginx@nginx.org
Reply-to: nginx@nginx.org
Subject: Aborting malicious requests


Just a thought before I start crafting one. I am creating a location{} block with the intention of populating it with a ton of requests I want to terminate immediately with a 444 response. Before I start, I thought I’d ask to see if anyone has a really good one I can use as a base.

For example, we don’t serve PHP so I’m starting with
location ~* \.php {
    # 444 is nginx-specific: close the connection without sending a response
    return 444;
}

Then I can just include this into all my server blocks so I can manage the aborts all in one place. This alone reduces errors in the logs significantly. But now I will have to start adding in all the WordPress stuff, then onto phpMyAdmin, etc. I will end up with something like

location ~* (\.php|wp-admin|my-admin) {
    return 444;
}

I can imagine the chunk inside the parentheses is going to be pretty huge, which is why I thought I’d reach out to see if anyone has one already.

Thanks,
-mike

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
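
The log review Gary describes (finding the addresses that triggered a 444 in access.log), sketched as an added example; it is not Gary's script and not code from the thread. It assumes nginx's default combined log format; the function names, the /24 and /48 grouping and the sample lines are assumptions made here, and deciding whether a network belongs to a data center or hosting service is left to a separate lookup before anything goes on a block list.

```python
import ipaddress
import re
from collections import defaultdict

# nginx "combined" format; a literal " in the request is logged as \x22.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Mar/2018:05:31:02 -0400] "GET /wp-login.php HTTP/1.1" 444 0 "-" "-"
192.0.2.77 - - [19/Mar/2018:05:31:09 -0400] "GET /phpmyadmin/index.php HTTP/1.1" 444 0 "-" "-"
198.51.100.5 - - [19/Mar/2018:05:32:40 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2018:05:33:11 -0400] "\\x16\\x03\\x01" 444 0 "-" "-"
not a log line
""".splitlines()

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Containing network for an address (prefix lengths are assumptions)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def summarize_444(lines):
    """Group requests answered with 444 by source network."""
    summary = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "444":
            continue
        try:
            net = str(network_of(m.group("ip")))
        except ValueError:
            continue  # first field is not an IP address
        parts = m.group("request").split()
        entry = summary[net]
        entry["hits"] += 1
        entry["ips"].add(m.group("ip"))
        entry["paths"].add(parts[1] if len(parts) >= 2 else m.group("request"))
    return dict(summary)

def review_candidates(summary, min_hits=2):
    """Networks with at least min_hits aborted requests, busiest first."""
    hits = [(net, e["hits"]) for net, e in summary.items() if e["hits"] >= min_hits]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for net, count in review_candidates(summarize_444(SAMPLE_LOG), min_hits=1):
        print(f"{net}\t{count}")
```
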