WordPress pingback mitigation

lists at lazygranch.com lists at lazygranch.com
Sat May 20 15:43:15 UTC 2017 

I had run Naxsi with Doxi. Trouble is when it cause problems, it was really hard to figure out what rule was the problem. I suppose if you knew what each rule did, Naxsi would be fine. 

That said, my websites are so unsophisticated that it is far easier for me just to use maps. 

Case in point. When all this adobe struts hacking started, I noticed lots of 404s with the word "action" in the url request. I just added "action" to the map map and 444 them. 

If you have an url containing any word used in SQL, Naxsi/Doxi goes in blocking mode. I recall it was flagging on the word "update". I had a updates.html and Nasxi/Doxi was having a fit. 

In the end, it was far easier just to use maps. Other than a few modern constructs like "object-fit contain"‎, my sites have a 1990s look. Keeping things simple reduces the attack surface. 

I think even with Naxsi, you would need to set up a map to block bad referrers. I'm amazed at the nasty websites that link to me for no apparent reason. Case in point, I had a referral from the al Aqsa Martyrs Brigade. ‎ Terrorists! And numerous porn sites, all irrelevant. So Naxsi alone isn't sufficient. 

  Original Message  
From: c0nw0nk
Sent: Saturday, May 20, 2017 3:36 AM
To: nginx at nginx.org
Reply To: nginx at nginx.org
Subject: Re: WordPress pingback mitigation

I take it you don't use a WAF of any kind i also think you should add it to
a MAP at least instead of using IF.

The WAF I use for these same rules is found here.

https://github.com/nbs-system/naxsi

The rules for wordpress and other content management systems are found
here.

http://spike.nginx-goodies.com/rules/ ( a downloadable list they use
https://bitbucket.org/lazy_dogtown/doxi-rules )


Naxsi is the best soloution I have found against problems like this
especialy with their XSS and SQL extensions enabled.

LibInjectionXss;
CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
LibInjectionSql;
CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;


Blocks allot of zero day exploits and unknown exploits / penetration testing
techniques.

If you want to protect your sites it is definitely worth the look and use.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274339,274341#msg-274341

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list