RE: Aborting malicious requests

March 19, 2018 10:46AM
Have you considered using something like mod_security to manage this sort of thing?

From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Friscia, Michael
Sent: Monday, March 19, 2018 9:17 AM
To: nginx@nginx.org
Subject: [IE] Re: Aborting malicious requests

Thank you Gary, I really appreciate you moving me in the right direction.
Sent from my iPhone with all its odd spell checks

On Mar 19, 2018, at 9:36 AM, Gary <lists@lazygranch.com> wrote:
Your basic idea is right, but what you want to do is use a "map." I will follow up with more details when I can pull the code off my server.

I 444 a number of services that I don't use. I have a script to find the IP addresses of those that trigger a 444 from access.log. If they come from a data center, hosting service, etc., they get on a blocking list for my firewall. I block the entire IP space.

From: michael.friscia@yale.edu
Sent: March 19, 2018 5:31 AM
To: nginx@nginx.org
Reply-to: nginx@nginx.org
Subject: Aborting malicious requests


Just a thought before I start crafting one. I am creating a location{} block with the intention of populating it with a ton of requests I want to terminate immediately with a 444 response. Before I start, I thought I’d ask to see if anyone has a really good one I can use as a base.

For example, we don’t serve PHP so I’m starting with
    # Close the connection without a response for any URI containing ".php"
    location ~* \.php {
        return 444;
    }

Then I can just include this into all my server blocks so I can manage the aborts all in one place. This alone reduces errors in the logs significantly. But now I will have to start adding in all the WordPress stuff, then onto phpMyAdmin, etc. I will end up with something like

    # Same idea, with the probe patterns collected into one alternation
    location ~* (\.php|wp-admin|my-admin) {
        return 444;
    }

I can imagine the chunk inside the parentheses is going to be pretty huge, which is why I thought I’d reach out to see if anyone has one already.

Thanks,
-mike

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
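
The "map" approach Gary mentions in the thread, as an added example that is not code from any of the posters: the pattern list moves out of one long location regex into a map evaluated once per request. The variable name $abort_request, the exact pattern entries, the server name and the document root are assumptions made for illustration.

```nginx
# Added example, not from the thread. The map block belongs in the http {}
# context (for instance a file included from nginx.conf), so one list is
# shared by every server block.
# $abort_request is a hypothetical variable name.
map $uri $abort_request {
    default                             0;

    # Regex entries are tested in the order they appear; the first match wins.

    # No PHP is served on this host: match a path segment ending in .php
    ~*\.php(/|$)                        1;

    # WordPress admin paths (the site does not run WordPress)
    ~*/wp-admin                         1;

    # phpMyAdmin and similarly named admin paths
    ~*/(phpmyadmin|my-admin)(/|$)       1;
}

server {
    listen      80;
    server_name example.com;            # placeholder name

    # Runs in the server rewrite phase, before a location is selected.
    # "if" treats an empty string or "0" as false, so only mapped hits abort.
    # 444 is nginx-specific: the connection is closed and no response is sent.
    if ($abort_request) {
        return 444;
    }

    location / {
        root /var/www/html;             # placeholder document root
    }
}
```

The `if` block can live in its own file and be pulled into each server block with `include`, which keeps the abort rule in one place as the original post intended. Run `nginx -t` after editing the map to catch a bad regex before reloading.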