WordPress pingback mitigation

lists at lazygranch.com
Sun May 21 07:40:38 UTC 2017


Here is the map. I truncated my bad agent list, but will get you
started. I used the user agent changer in Chromium to make sure it
worked.
---------------------------------------------------------
map $http_user_agent $badagent {
    default                            0;
    ~*WordPress                        1;
    ~*kscan                            1;
    ~*ache                             1;
}
--------------------------------------------
if ($badagent) {
    return 444;
}
---------------------------------------------

Of course there is always the problem of "scope", that is, where to put
this. I have the map after the http {. I assume you have gzip enabled,
so my map starts after the "gzip on;" line.

The "if" statement is in the server block. I'm assuming you have the
line that stops hotlinking. I put it after that line.

Generically the hotlink blocker line looks like:
      # dots escaped so they match literally inside the regex
      if ($host !~ ^(mydomain\.org|www\.mydomain\.org)$ ) {
          return 444;
      }




On Sun, 21 May 2017 08:14:52 +1000
Alex Samad <alex at samad.com.au> wrote:

> Hi
> 
> can you give an example of using a map instead of the if statement ?
> 
> Thanks
> 
> On 21 May 2017 at 02:35, c0nw0nk <nginx-forum at forum.nginx.org> wrote:
> 
> > gariac Wrote:
> > -------------------------------------------------------  
> > > I had run Naxsi with Doxi. Trouble is when it cause problems, it
> > > was really hard to figure out what rule was the problem. I
> > > suppose if you knew what each rule did, Naxsi would be fine.
> > >
> > > That said, my websites are so unsophisticated that it is far
> > > easier for me just to use maps.
> > >
> > > Case in point. When all this adobe struts hacking started, I
> > > noticed lots of 404s with the word "action" in the url request. I
> > > just added "action" to the map and 444 them.
> > >
> > > If you have an url containing any word used in SQL, Naxsi/Doxi
> > > goes in blocking mode. I recall it was flagging on the word
> > > "update". I had an updates.html and Naxsi/Doxi was having a fit.
> > >
> > > In the end, it was far easier just to use maps. Other than a few
> > > modern constructs like "object-fit contain", my sites have a
> > > 1990s look. Keeping things simple reduces the attack surface.
> > >
> > > I think even with Naxsi, you would need to set up a map to block
> > > bad referrers. I'm amazed at the nasty websites that link to me
> > > for no apparent reason. Case in point, I had a referral from the
> > > al Aqsa Martyrs Brigade. Terrorists! And numerous porn sites,
> > > all irrelevant. So Naxsi alone isn't sufficient.
> > >
> > >   Original Message
> > > From: c0nw0nk
> > > Sent: Saturday, May 20, 2017 3:36 AM
> > > To: nginx at nginx.org
> > > Reply To: nginx at nginx.org
> > > Subject: Re: WordPress pingback mitigation
> > >
> > > I take it you don't use a WAF of any kind. I also think you should
> > > add it to a MAP at least instead of using IF.
> > >
> > > The WAF I use for these same rules is found here.
> > >
> > > https://github.com/nbs-system/naxsi
> > >
> > > The rules for wordpress and other content management systems are
> > > found here.
> > >
> > > http://spike.nginx-goodies.com/rules/ ( a downloadable list they
> > > use https://bitbucket.org/lazy_dogtown/doxi-rules )
> > >
> > >
> > > Naxsi is the best solution I have found against problems like
> > > this, especially with their XSS and SQL extensions enabled.
> > >
> > > LibInjectionXss;
> > > CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
> > > LibInjectionSql;
> > > CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
> > >
> > >
> > > Blocks a lot of zero-day exploits and unknown exploits /
> > > penetration testing techniques.
> > >
> > > If you want to protect your sites it is definitely worth the look
> > > and use.
> > >
> > > Posted at Nginx Forum:
> > > https://forum.nginx.org/read.php?2,274339,274341#msg-274341
> > >
> > > _______________________________________________
> > > nginx mailing list
> > > nginx at nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
> >
> >
> > It is not actually that hard to read the rules when you understand
> > it.
> >
> > The error.log file tells you.
> >
> > I helped someone before read and understand their error log
> > output, telling them what naxsi was reporting, so they could learn to
> > understand and identify which rule was the culprit for their problem.
> >
> > Here is the prime example :
> > https://github.com/nbs-system/naxsi/issues/351#issuecomment-281710763
> >
> > If you read that and see their error.log output from naxsi, the log
> > shows you whether it was for example "ARGS" or "HEAD" or "POST" etc.
> > and the rule ID number responsible. So you can either null it out
> > or create a whitelist for that method.
> >
> > I am not trying to shove it down your neck or anything like that,
> > just trying to help and show a decent alternative that, once you
> > understand it, can do so much more. Like Nginx and Lua, it pushes the
> > boundaries of what can be accomplished. I used to be very stuck in my
> > ways and ignorant of these features, but once I started using them I
> > never looked back; they are truly fantastic.
> >
> > As long as you fixed your problem that is all that matters :)
> >
> > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274339,274345#msg-274345
> >
> >  
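As an added example (not from the thread or from nginx itself), a Python dry run that evaluates the reply's map patterns against constructed access-log lines, so a pattern like ~*ache can be checked against real traffic before it starts returning 444; the IPs, user agents and log lines are constructed, and only the ~ / ~* regex entries of an nginx map are modelled.

```python
import re

# The map from the reply above, as (source, value) pairs in file order;
# "~*" is a case-insensitive regex, "~" a case-sensitive one (nginx map syntax).
BAD_AGENT_MAP = [
    ("~*WordPress", 1),
    ("~*kscan", 1),
    ("~*ache", 1),
]
BAD_AGENT_DEFAULT = 0

# Constructed sample lines in nginx's default "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2017:07:40:38 +0000] "GET /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/4.7.5; http://blog.example.test"
198.51.100.2 - - [21/May/2017:07:41:02 +0000] "GET /index.html HTTP/1.1" 200 5210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/53.0"
198.51.100.9 - - [21/May/2017:07:41:30 +0000] "GET /showcase/index.action HTTP/1.1" 404 153 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0)"
192.0.2.44 - - [21/May/2017:07:42:11 +0000] "GET /updates.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/58.0"
"""

# remote_addr and the quoted user agent from a combined-format line
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ "[^"]*" "([^"]*)"')

def nginx_map_lookup(source, entries, default):
    """Evaluate the regex entries of an nginx map: first match in file
    order wins, otherwise the default. Assumption: only ~ / ~* entries are
    modelled (plain-string and mask entries of the real directive are not)."""
    for pattern, value in entries:
        if pattern.startswith("~*"):
            if re.search(pattern[2:], source, re.IGNORECASE):
                return value
        elif pattern.startswith("~"):
            if re.search(pattern[1:], source):
                return value
        else:
            raise ValueError("only regex map entries are modelled: " + pattern)
    return default

def dry_run(log_text):
    """Return (client_ip, user_agent, would_get_444) for each parsable line,
    so the map can be checked against real traffic before it goes live."""
    results = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; ignore
        ip, ua = m.groups()
        blocked = nginx_map_lookup(ua, BAD_AGENT_MAP, BAD_AGENT_DEFAULT) == 1
        results.append((ip, ua, blocked))
    return results
```

Note how the third line is caught by ~*ache matching "Apache": a short substring blocks every client whose agent string contains it, which is exactly what a dry run over real logs makes visible.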


