How to rate-limit jorgee malware scanner?
Etienne Robillard
tkadm30 at yandex.com
Mon Jul 24 14:06:24 UTC 2017
Hi all,
Unfortunately, it's impossible to use limit_req within the http location
using an "if" statement like so:
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    if ($http_user_agent ~* (Jorgee)) {
        limit_req zone=one burst=5;
        return 403;
    }
}
As a workaround I use limit_req within a location to prevent my uwsgi
app from being abused.
Cheers,
E
On 2017-07-24 at 08:12, Zhang Chao wrote:
>
> Hi!
>
> Nginx carries with the limit_req_module
> <http://nginx.org/en/docs/http/ngx_http_limit_req_module.html>. I
> think it is a good helper.
>
>
>
> On 24 July 2017 at 20:10:05, Gary Sellani (lists at lazygranch.com) wrote:
>
>> I just detect the user agent and return 444, but every attempt to get
>> a file will show up in your access.log.
>>
>> https://www.buildersociety.com/threads/block-unwanted-bots-on-apache-nginx-constantly-updated.1898/
>>
>> I get two or three jorgee "sessions" a day. They tend not to use the
>> domain name but reference your server by IP, so there might be some
>> better blocking scheme.
>>
>> Original Message
>> From: tkadm30 at yandex.com
>> Sent: July 24, 2017 3:14 AM
>> To: nginx at nginx.org
>> Reply-to: nginx at nginx.org
>> Subject: How to rate-limit jorgee malware scanner?
>>
>> Hi,
>>
>> The Jorgee malware scanner is creating a lot of activity on my site. I
>> would like to rate-limit its connections to nginx based on the
>> User-Agent, since blocking all IP addresses with iptables seems
>> impossible. Is there a quick way of doing this?
>>
>> Thank you in advance,
>>
>> E
>>
>> --
>> Etienne Robillard
>> tkadm30 at yandex.com
>> http://www.isotopesoftware.ca/
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/
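
Added example, not part of the original thread or anyone's posted configuration: nginx does not allow limit_req inside an "if" block, but a map can make the rate-limit key empty for every request except those whose User-Agent matches, and requests with an empty key are not accounted by limit_req. The zone name "scanners", the variable name $scanner_key, the 429 status and the uwsgi socket path are assumptions chosen for illustration.

```nginx
events {}

http {
    # Key is the client address only when the User-Agent matches (case-insensitive).
    # For all other requests the key is empty, so limit_req ignores them.
    map $http_user_agent $scanner_key {
        default    "";
        ~*jorgee   $binary_remote_addr;
    }

    # Per-address bucket, used only by requests with a non-empty key.
    limit_req_zone $scanner_key zone=scanners:10m rate=1r/s;

    # Status returned for rejected requests (nginx default is 503).
    limit_req_status 429;

    server {
        # default_server also catches requests addressed to the bare IP,
        # which is how the scanner is reported to arrive in this thread.
        listen 80 default_server;

        location / {
            # Matching clients get 1 request/second with a burst of 5;
            # excess requests are rejected immediately instead of queued.
            limit_req zone=scanners burst=5 nodelay;

            include uwsgi_params;
            uwsgi_pass unix:/run/uwsgi/app.sock;   # placeholder socket path
        }
    }
}
```

Rejected requests are still written to access.log and additionally logged by limit_req at the error level, so the scanner's activity remains visible for monitoring.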