performance hit in using too many if's

Mon Sep 26 11:28:10 UTC 2016

Ok .. reiterating my original question.

Is the usage of if / map  in nginx config  more efficient than say naxsi (
or libmodsecurity )  for something like blocking SQL injection ?

For example,
https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules
rules 1000-1099 - blockes sql injection attempt

So ..do (to a limited extent )

## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
   ............
   .....................
    if ($block_file_injections = 1) {
        return 403;
    }

>From the point of application performance which one is better .. ?
Performance for a shared hosting server with around 500 vhosts.

On Mon, Sep 26, 2016 at 3:39 PM, <lists at lazygranch.com> wrote:

> For one thing, I have trouble making fail2ban work. ;-)  I run sshguard,
> so the major port 22 hacking is covered. And that is continous.
>
> I don't know if fail2ban can read nginx logs. I thought you need to run
> swatch, which requires actual perl skill to set up.
>
> In any event, my 444 is harmless other than someone not getting a reply. I
> find hackers try to log into WordPress. I find Google trys to log into
> WordPress. My guess is maybe Google is trying to figure out if you run
> WordPress, while the hackers would dictionary search if you were actually
> running WordPress. In my case, I am not running WordPress, but anyone
> trying to log into it is suspicious. Blocking Google is bad.
>
> So I examine the IP addresses. If from a colo, VPS, etc. , they get a
> lifetime ban of the entire IP space. No eyeballs there, or if a VPN, they
> can just drop it. If the IP goes back to some ISP or occasionally Google, I
> figure who cares.
>
> WordPress isn't my only trigger. I've learned the words like the Chinese
> use for backup, which they search for. Of course "backup" is searched as
> well. I have maybe 30 triggers in the map. I also limit my verbs to "get"
> and "head" since I only serve static pages. Ask for php, you get 444. Use
> wget, curl, nutch, etc., get a 444. The bad referrals get a 404.
>
> Since whatever I consider to be hacking is blocked in real time, no
> problem to the server. I then use the scripts to look at the IPs I deem
> shady and see who they are. The list is like four or so unique IP addresses
> a day. Most go to ISPs, often mobile. So I just live with it. If I find a
> commercial site, I block the hosting company associated with that
> commercial site.
>
> When I ran Naxsi, it would trigger on words like update. I had to change
> all URLs with the word update in them to a non reserved word. Some triggers
> I couldn't even figure out. Thus I determined using the map modules and my
> own triggers to be a better plan.
>
>   Original Message
> From: Alt
> Sent: Monday, September 26, 2016 1:43 AM
> To: nginx at nginx.org
> Reply To: nginx at nginx.org
> Subject: Re: performance hit in using too many if's
>
> Hello,
>
> I don't agree with Robert Paprocki: adding modules like naxsi or
> modsecurity
> to nginx is not a solution. They have bugs, performance hits, need patch
> when there's new versions of nginx,...
>
> gariac, you say you send 444 to hackers then use a script to display those.
> Why not use fail2ban to scan the logs and ban them for some time. But of
> course, fail2ban could also be a performance hit if you have tons of logs
> to
> scan :-(
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,269808,269848#msg-269848
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

-- 
*Anoop P Alias*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160926/6e1b10b9/attachment.html>