WordPress pingback mitigation

Alex Samad alex at samad.com.au
Sat May 20 22:14:52 UTC 2017


Hi

Can you give an example of using a map instead of the if statement?

Thanks

On 21 May 2017 at 02:35, c0nw0nk <nginx-forum at forum.nginx.org> wrote:

> gariac Wrote:
> -------------------------------------------------------
> > I had run Naxsi with Doxi. Trouble is when it cause problems, it was
> > really hard to figure out what rule was the problem. I suppose if you
> > knew what each rule did, Naxsi would be fine.
> >
> > That said, my websites are so unsophisticated that it is far easier
> > for me just to use maps.
> >
> > Case in point. When all this adobe struts hacking started, I noticed
> > lots of 404s with the word "action" in the url request. I just added
> > "action" to the map and 444 them.
> >
> > If you have an url containing any word used in SQL, Naxsi/Doxi goes in
> > blocking mode. I recall it was flagging on the word "update". I had an
> > updates.html and Naxsi/Doxi was having a fit.
> >
> > In the end, it was far easier just to use maps. Other than a few
> > modern constructs like "object-fit contain", my sites have a 1990s
> > look. Keeping things simple reduces the attack surface.
> >
> > I think even with Naxsi, you would need to set up a map to block bad
> > referrers. I'm amazed at the nasty websites that link to me for no
> > apparent reason. Case in point, I had a referral from the al Aqsa
> > Martyrs Brigade. Terrorists! And numerous porn sites, all
> > irrelevant. So Naxsi alone isn't sufficient.
> >
> >   Original Message
> > From: c0nw0nk
> > Sent: Saturday, May 20, 2017 3:36 AM
> > To: nginx at nginx.org
> > Reply To: nginx at nginx.org
> > Subject: Re: WordPress pingback mitigation
> >
> > I take it you don't use a WAF of any kind i also think you should add
> > it to
> > a MAP at least instead of using IF.
> >
> > The WAF I use for these same rules is found here.
> >
> > https://github.com/nbs-system/naxsi
> >
> > The rules for wordpress and other content management systems are found
> > here.
> >
> > http://spike.nginx-goodies.com/rules/ ( a downloadable list they use
> > https://bitbucket.org/lazy_dogtown/doxi-rules )
> >
> >
> > Naxsi is the best solution I have found against problems like this,
> > especially with their XSS and SQL extensions enabled.
> >
> > LibInjectionXss;
> > CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
> > LibInjectionSql;
> > CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
> >
> >
> > Blocks a lot of zero-day exploits and unknown exploits / penetration
> > testing techniques.
> >
> > If you want to protect your sites it is definitely worth the look and
> > use.
> >
> > Posted at Nginx Forum:
> > https://forum.nginx.org/read.php?2,274339,274341#msg-274341
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> It is not actually that hard to read the rules when you understand it.
>
> The error.log file tells you.
>
> As I helped someone before read and understand their error log output, to
> tell them what naxsi was telling them so they could learn, understand and
> identify what rule is the culprit for their problem.
>
> Here is the prime example :
> https://github.com/nbs-system/naxsi/issues/351#issuecomment-281710763
>
> If you read that and see their error.log output from naxsi and view the log
> it shows you in the log if it was for example "ARGS" or "HEAD" or "POST"
> etc
> and the rule ID number responsible. So you can either null it out or create
> a whitelist for that method.
>
> I am not trying to shove it down your neck or anything like that, just
> trying to help and show a decent alternative that, once you understand it,
> can do so much more. Like Nginx and Lua, it pushes the boundaries of what
> can be accomplished. I used to be very stuck in my ways and ignorant of
> these features, but once I started using them I never looked back; they are
> truly fantastic.
>
> As long as you fixed your problem that is all that matters :)
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274339,274345#msg-274345
>
>
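Worked example for the question above (added here; it is not code from any of the posters). It shows the three "if" checks discussed in the thread (WordPress pingback user agent, Struts-style "action" URIs, bad referrers) and then the equivalent map-based form that returns 444 from a single decision. All patterns, hostnames and the spam referrer domain are constructed for illustration; tune them to your own logs.

```nginx
# Added example, not from the mailing-list thread.
# Everything here (patterns, server_name, the referrer domain) is made up.

# ---- the "if" form the thread is moving away from ---------------------------
# Each "if" runs its regex on every request, and "if" inside location{} has
# well-known evaluation quirks, which is why the list recommends map instead.
#
#   server {
#       if ($http_user_agent ~* "WordPress") { return 444; }
#       if ($request_uri     ~* "action")    { return 444; }  # also hits /transactions
#       if ($http_referer    ~* "spam")      { return 444; }
#   }

# ---- the "map" form ---------------------------------------------------------
# map{} belongs in http{}. The table is built once at config load and is only
# evaluated when the result variable ($block_request) is actually read.
http {
    # Pingback floods arrive with the WordPress User-Agent. Blocking it also
    # stops legitimate pingbacks from other blogs; decide that per site.
    map $http_user_agent $bad_ua {
        default                 0;
        "~*WordPress/"          1;
    }

    # Anchor URI patterns. The bare word "action" from the thread would also
    # match /transactions/ or /faction.html; Struts probes end in ".action".
    map $request_uri $bad_uri {
        default                 0;
        "~*^/xmlrpc\.php"       1;   # the pingback endpoint itself
        "~*\.action(\?|$)"      1;   # constructed pattern for Struts scans
    }

    # Referrer blocklist as regexes on the Referer header.
    map $http_referer $bad_ref {
        default                 0;
        "~*//([^/]+\.)?spam-example\.test/"   1;   # constructed domain
    }

    # Fold the three flags into one decision so the server block needs one "if".
    map "$bad_ua$bad_uri$bad_ref" $block_request {
        default 1;
        "000"   0;
    }

    server {
        listen 80;
        server_name www.example.com;

        # 444 closes the connection without sending a response: no bytes
        # are spent on the bot, and nothing is logged as a normal status.
        if ($block_request) {
            return 444;
        }

        location / {
            root /var/www/html;
        }
    }
}
```

Check it with `nginx -t` before reloading, and watch the access log for a day before adding broad words like "action" or "update" to a URI map; a map match on a substring is exactly the kind of false positive the thread complains about with Naxsi's SQL keyword rule.

The other point in the quoted reply, reading a NAXSI_FMT line to find the rule that fired and whitelisting it narrowly, as a second added example (again not the posters' code). The error.log line is constructed to match the "updates.html" case gariac describes; rule id 1000 is the SQL keyword rule in naxsi's core ruleset, but confirm the id and zone from your own log before copying the whitelist.

```nginx
# Added example, not from the mailing-list thread. The log line below is
# constructed; scores depend on the ruleset (core vs Doxi) you load.
#
#  2017/05/20 10:00:00 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=www.example.com
#    &uri=/updates.html&learning=0&vers=0.55&total_processed=10&total_blocked=1&block=1
#    &cscore0=$SQL&score0=8&zone0=URL&id0=1000&var_name0=, client: 203.0.113.5, ...
#
# Read it as: zone0=URL   -> the request path itself matched (not ARGS/BODY/HEADERS)
#             id0=1000    -> which rule fired (the core "select|update|delete|..." rule)
#             cscore0/score0 -> which named score crossed the CheckRule threshold

http {
    include /etc/nginx/naxsi_core.rules;   # defines rule id 1000 among others

    server {
        listen 80;
        server_name www.example.com;

        location / {
            SecRulesEnabled;
            # LearningMode;                 # log only, do not block, while tuning
            DeniedUrl "/RequestDenied";

            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelist rule 1000 only in the URL zone and only for this path.
            # A bare "wl:1000" would switch SQL keyword detection off everywhere.
            BasicRule wl:1000 "mz:$URL:/updates.html|URL";

            root /var/www/html;
        }

        location /RequestDenied {
            return 444;
        }
    }
}
```

The narrow match zone is the point: the log tells you zone and id, and the whitelist should be no wider than that pair, otherwise every false positive quietly becomes a hole in the WAF.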