How to rate-limit jorgee malware scanner?

Etienne Robillard tkadm30 at yandex.com
Mon Jul 24 14:06:24 UTC 2017


Hi all,

Unfortunately, it's impossible to use limit_req within the http location 
using an "if" statement like so:

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    if ($http_user_agent ~* (Jorgee)) {
        limit_req zone=one burst=5;
        return 403;
    }
}


As a workaround I use limit_req within a location to prevent my uwsgi 
app from being abused.

Cheers,
E

On 2017-07-24 at 08:12, Zhang Chao wrote:
>
> Hi!
>
> Nginx comes with the limit_req_module 
> <http://nginx.org/en/docs/http/ngx_http_limit_req_module.html>. I 
> think it is a good helper.
>
>
>
> On 24 July 2017 at 20:10:05, Gary Sellani (lists at lazygranch.com) wrote:
>
>> I just detect the user agent and return 444, but every attempt to get 
>> a file will show up in your access.log.
>>
>> https://www.buildersociety.com/threads/block-unwanted-bots-on-apache-nginx-constantly-updated.1898/
>>
>> I get two or three jorgee "sessions" a day. They tend not to use the 
>> domain name but reference your server by IP, so there might be some 
>> better blocking scheme.
>>
>>   Original Message
>> From: tkadm30 at yandex.com
>> Sent: July 24, 2017 3:14 AM
>> To: nginx at nginx.org
>> Reply-to: nginx at nginx.org
>> Subject: How to rate-limit jorgee malware scanner?
>>
>> Hi,
>>
>> The Jorgee malware scanner is creating a lot of activity on my site. I
>> would like to rate-limit its connections to nginx based on the
>> User-Agent, since blocking all IP addresses with iptables seems
>> impossible. Is there a quick way of doing this?
>>
>> Thank you in advance,
>>
>> E
>>
>> -- 
>> Etienne Robillard
>> tkadm30 at yandex.com
>> http://www.isotopesoftware.ca/
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx

-- 
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/
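
An added example, not part of the original thread or anyone's posted configuration: limit_req is not permitted inside an "if" block, but a map can yield the client address as the zone key only for a matching User-Agent, and nginx does not account requests whose limit_req_zone key is empty. The zone name, rate, status code, server_name and uwsgi socket path are assumptions; the catch-all server follows the observation in the thread that the scanner tends to address the server by IP rather than by domain name.

```nginx
# Added example: zone name, rate, server_name and socket path are assumptions.
events {}

http {
    # Key is the client address only when the User-Agent matches, else empty.
    # Requests with an empty key are not accounted by limit_req_zone,
    # so ordinary clients are never throttled by this zone.
    map $http_user_agent $jorgee_limit_key {
        default     "";
        ~*jorgee    $binary_remote_addr;
    }

    limit_req_zone $jorgee_limit_key zone=jorgee:10m rate=1r/s;
    limit_req_status 429;   # default is 503; 429 is easier to tell apart in logs

    # Requests sent to the bare IP or an unknown Host land here and are
    # closed without a response (444), before reaching the application.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    server {
        listen 80;
        server_name example.org;   # placeholder for the real site name

        location / {
            # Applies only to matching User-Agents because of the map above.
            limit_req zone=jorgee burst=5 nodelay;

            include uwsgi_params;
            uwsgi_pass unix:/run/uwsgi/app.sock;   # placeholder socket path
        }
    }
}
```

Validate with `nginx -t` before reloading; throttled requests are reported in error.log with the zone name, which makes the scanner's sessions easy to count.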
