Re: Aborting malicious requests

March 20, 2018 09:04AM
This is great, thank you again, this is a huge jumpstart!

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu/


On 3/19/18, 1:43 PM, "nginx on behalf of lists@lazygranch.com" <nginx-bounces@nginx.org on behalf of lists@lazygranch.com> wrote:

On Mon, 19 Mar 2018 12:31:20 +0000
"Friscia, Michael" <michael.friscia@yale.edu> wrote:

> Just a thought before I start crafting one. I am creating a
> location{} block with the intention of populating it with a ton of
> requests I want to terminate immediately with a 444 response. Before
> I start, I thought I’d ask to see if anyone has a really good one I
> can use as a base.
>
> For example, we don’t serve PHP so I’m starting with
> location ~* \.php {
> return 444;
> }
>
> Then I can just include this into all my server blocks so I can
> manage the aborts all in one place. This alone reduces errors in the
> logs significantly. But now I will have to start adding in all the
> wordpress stuff, then onto php myadmin, etc. I will end up with
> something like
>
> location ~* (\.php|wp-admin|my-admin) {
> return 444;
> }
>
> I can imagine the chunk inside the parenthesis is going to be pretty
> huge which is why I thought I’d reach out to see if anyone has one
> already.
>
> Thanks,
> -mike
>

What follows is how I block requests that shouldn't be made with normal
operation. I use a similar scheme for user agents and referrals. You
should block referrals from spam/porn sites since they can trigger some
browser blocking plugins. (AKA give you a bad reputation.) The
procedure is similar to the returning 444 procedure I am about to
outline, but you should 403 them or something other than 444. Remember
444 is a no reply method which is technically not kosher on the
internet (though it makes sense in this application).

Here is the procedure:

In nginx.conf in the http section, add this line:
include /etc/nginx/mapbaduri;


In the nginx.conf server section, add this line:
if ($bad_uri) { return 444; }


This is the contents of the file mapbaduri that you need to create. It
creates $bad_uri, used in the conditional statement in nginx.conf. If
you actually use any of these resources, then obviously don't put them
in the list. You can also accidentally match patterns in intended
requests, so use caution. Most I created by actual request, though a
few I found suggested on the interwebs.

map $request_uri $bad_uri {
default 0;
/cms 1;
/mscms 1;
~*\.asp 1;
~*\.cfg 1;
~*\.cgi 1;
~*\.json 1;
~*\.php 1;
~*\.ssh 1;
~*\.xml 1;
~*\.git 1;
~*\.svn 1;
~*\.hg 1;
~*docs 1;
~*id_dsa 1;
~*issmall 1;
~*moodletreinar 1;
~*new_gb 1;
~*tiny_mce 1;
~*vendor 1;
~*web 1;
~*_backup 1;
~*_core 1;
~*_sub 1;
~*authority 1;
~*/jmx 1;
~*/struts 1;
~*/action 1;
~*/lib 1;
~*/career 1;
~*/market 1;
~*elfinder1 1;
~*/assets 1;
~*place1 1;
~*/backup 1;
~*zecmd 1;
~*/mysql 1;
~*/sql 1;
~*/shop 1;
~*/plus 1;
~*/forum 1;
/engine 1;
~*license\.txt 1;
~*/includes 1;
~*/sites 1;
~*/plugins 1;
~*/jeecms 1;
~*gluten 1;
~*/admin 1;
~*/invoker 1;
~*/blog 1;
~*xmlrpc 1;
~*/wordpress 1;
~*/hndUnblock\.cgi 1;
~*/test/ 1;
~*/cgi 1;
~*/plus 1;
~/wp/ 1;
~/wp-admin/ 1;
~*/proxy 1;
~*/wp-login\.php 1;
~*/js 1;
~*/usr 1;
~*/user 1;
~*/var 1;
~*/bin/ 1;
~*/template 1;
~*/components 1;
~*/editor 1;
~*/common 1;
~*/include 1;
~*/manage 1;
~*/script 1;
~*/system 1;
~*/upload 1;
~*/utility 1;
~*/bei 1;
~*/ebak 1;
~*piwik 1;
~*muieblackcat 1;
~*pma 1;
~*apache 1;
~*cpanel 1;
~*/phpmyadmin 1;
~*clientapi\.ipip\.net 1;
~*freeapi\.ipip\.net 1;
~*/api\.ipip\.net 1;
~*/joomla 1;
~^/www 1;
~*/flashfxp 1;
~*w00tw00t 1;
~*/downloader 1;
~*/category 1;
~*netcat 1;
}




_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
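
The reply above warns that these patterns can accidentally match intended requests. The following is an added example, not code from the thread: it applies a short constructed excerpt of the map to sample URIs using nginx's map precedence (exact string first, then the first matching regex, then default). The names parse_map, lookup, audit and LEGIT are hypothetical, and Python's re module stands in for nginx's PCRE, which is equivalent for patterns this simple.

```python
import re

MAP_TEXT = r"""
map $request_uri $bad_uri {
default 0;
/cms 1;
~*\.php 1;
~*web 1;
~*/js 1;
}
"""  # constructed excerpt of the mapbaduri file from the post, not the full list

def parse_map(text):
    default, exact, regexes = "", {}, []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if not line or line.startswith(("#", "map ")) or line == "}":
            continue
        key, value = line.rsplit(None, 1)
        if key == "default":
            default = value
        elif key.startswith("~*"):   # case-insensitive regex, unanchored
            regexes.append((key, re.compile(key[2:], re.I), value))
        elif key.startswith("~"):    # case-sensitive regex, unanchored
            regexes.append((key, re.compile(key[1:]), value))
        else:                        # plain string: whole-value match, case ignored
            exact[key.lower()] = (value, key)
    return default, exact, regexes

def lookup(uri, parsed):
    """Return (value, rule that decided it) for one $request_uri."""
    default, exact, regexes = parsed
    if uri.lower() in exact:
        return exact[uri.lower()]
    for key, rx, value in regexes:
        if rx.search(uri):
            return (value, key)
    return (default, "default")

def audit(uris, text=MAP_TEXT):
    parsed = parse_map(text)
    return {uri: lookup(uri, parsed) for uri in uris}

LEGIT = ["/", "/CMS", "/search?q=cms", "/static/js/app.js",  # constructed sample;
         "/news/webinar-2018", "/?next=/index.php"]  # $request_uri includes the query

if __name__ == "__main__":
    print("\n".join(f"{u:22} {v} {k}" for u, (v, k) in audit(LEGIT).items()))
```

Replacing LEGIT with the distinct request URIs that returned 200 in your own access log shows which legitimate pages a given list would start answering with 444.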