shellshock probing
Cole Tierney
cole.putnamhill at comcast.net
Thu Apr 2 13:33:20 UTC 2015
> On Apr 2, 2015, at 7:21 AM, itpp2012 <nginx-forum at nginx.us> wrote:
>
> Cole Tierney Wrote:
> -------------------------------------------------------
>> Or is there a better method to block these?
>
> Not really better but good enough :)
>
> map $http_referer $waffableref {
> default 0;
> ~*\{.*\:\; 1;
> }
> map $http_user_agent $waffableua {
> default 0;
> ~*\{.*\:\; 1;
> }
> map $waffableref$waffableua $waffable {
> default 0;
> ~1 1;
> }
>
> # Block shellshock:
> if ($waffable) { return 444; }
>
> # Drop'm from logging:
> map $waffable $loggable {
> default 1;
> ~1 0;
> }
>
> access_log /path/to/access.log combined if=$loggable;
Thanks! I like the combined variables in the 3rd map.
More information about the nginx
mailing list