Aborting malicious requests

lists at lazygranch.com
Mon Mar 19 17:43:28 UTC 2018


On Mon, 19 Mar 2018 12:31:20 +0000
"Friscia, Michael" <michael.friscia at yale.edu> wrote:

> Just a thought before I start crafting one. I am creating a
> location{} block with the intention of populating it with a ton of
> requests I want to terminate immediately with a 444 response. Before
> I start, I thought I’d ask to see if anyone has a really good one I
> can use as a base.
> 
> For example, we don’t serve PHP so I’m starting with
> location ~* \.php {
> return 444;
> }
> 
> Then I can just include this into all my server blocks so I can
> manage the aborts all in one place. This alone reduces errors in the
> logs significantly. But now I will have to start adding in all the
> wordpress stuff, then onto php myadmin, etc. I will end up with
> something like
> 
> location ~* (\.php|wp-admin|my-admin) {
> return 444;
> }
> 
> I can imagine the chunk inside the parenthesis is going to be pretty
> huge which is why I thought I’d reach out to see if anyone has one
> already.
> 
> Thanks,
> -mike
> 

What follows is how I block requests that shouldn't be made with normal
operation. I use a similar scheme for user agents and referrals. You
should block referrals from spam/porn sites since they can trigger some
browser-blocking plugins. (AKA give you a bad reputation.) The
procedure is similar to the returning 444 procedure I am about to
outline, but you should 403 them or something other than 444. Remember
444 is a no reply method which is technically not kosher on the
internet (though it makes sense in this application).

Here is the procedure:

In nginx.conf in the http section, add this line:
include /etc/nginx/mapbaduri;


In the nginx.conf server section, add this line:
if ($bad_uri)      { return 444; }


This is the contents of the file mapbaduri that you need to create. It
creates $bad_uri, used in the conditional statement in nginx.conf. If
you actually use any of these resources, then obviously don't put them
in the list. You can also accidentally match patterns in intended
requests, so use caution. Most I created by actual request, though a
few I found suggested on the interwebs.

map $request_uri $bad_uri {
    default                     0;
    /cms                        1;
    /mscms                      1;
    ~*\.asp                     1;
    ~*\.cfg                     1;
    ~*\.cgi                     1;
    ~*\.json                    1;
    ~*\.php                     1;
    ~*\.ssh                     1;
    ~*\.xml                     1;
    ~*\.git                     1;
    ~*\.svn                     1;
    ~*\.hg                      1;
    ~*docs                      1;
    ~*id_dsa                    1;
    ~*issmall                   1;
    ~*moodletreinar             1;
    ~*new_gb                    1;
    ~*tiny_mce                  1;
    ~*vendor                    1;
    ~*web                       1;
    ~*_backup                   1;
    ~*_core                     1;
    ~*_sub                      1;
    ~*authority                 1;
    ~*/jmx                      1;
    ~*/struts                   1;
    ~*/action                   1;
    ~*/lib                      1;
    ~*/career                   1;
    ~*/market                   1;
    ~*elfinder1                 1;
    ~*/assets                   1;
    ~*place1                    1;
    ~*/backup                   1;
    ~*zecmd                     1;
    ~*/mysql                    1;
    ~*/sql                      1;
    ~*/shop                     1;
    ~*/plus                     1;
    ~*/forum                    1;
    /engine                     1;
    ~*license.txt               1;
    ~*/includes                 1;
    ~*/sites                    1;
    ~*/plugins                  1;
    ~*/jeecms                   1;
    ~*gluten                    1;
    ~*/admin                    1;
    ~*/invoker                  1;
    ~*/blog                     1;
    ~*xmlrpc                    1;
    ~*/wordpress                1;
    ~*/hndUnblock.cgi           1;
    ~*/test/                    1;
    ~*/cgi                      1;
    ~/wp/                       1;
    ~/wp-admin/                 1;
    ~*/proxy                    1;
    ~*/wp-login.php             1;
    ~*/js                       1;
    ~*/usr                      1;
    ~*/user                     1;
    ~*/var                      1;
    ~*/bin/                     1;
    ~*/template                 1;
    ~*/components               1;
    ~*/editor                   1;
    ~*/common                   1;
    ~*/include                  1;
    ~*/manage                   1;
    ~*/script                   1;
    ~*/system                   1;
    ~*/upload                   1;
    ~*/utility                  1;
    ~*/bei                      1;
    ~*/ebak                     1;
    ~*piwik                     1;
    ~*muieblackcat              1;
    ~*pma                       1;
    ~*apache                    1;
    ~*cpanel                    1;
    ~*/phpmyadmin               1;
    ~*clientapi\.ipip\.net      1;
    ~*freeapi\.ipip\.net        1;
    ~*/api.ipip.net             1;
    ~*/joomla                   1;
    ~^/www                      1;
    ~*/flashfxp                 1;
    ~*w00tw00t                  1;
    ~*/downloader               1;
    ~*/category                 1;
    ~*netcat                    1;
}
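The poster warns that entries in this list can match legitimate requests. As an added example (not part of the original message or of nginx), here is a small Python emulation of how nginx evaluates a `map`: a plain string key matches first, then the regex keys are tried in file order, and the source `$request_uri` includes the query string. It parses a constructed excerpt of the list above and reports which of a constructed set of ordinary site URIs would be answered with 444, so the list can be audited before it goes into a server block.

```python
import re
# Constructed excerpt of the post's mapbaduri file (same syntax, shorter list).
MAPBADURI = r"""
map $request_uri $bad_uri {
    default                                0;
    /cms                                   1;
    ~*\.php                                1;
    ~*\.json                               1;
    ~*web                                  1;
    ~*/js                                  1;
    ~*/user                                1;
}
"""

def parse_map(text):
    """Split a map block into (default, exact-string keys, regex keys in file order)."""
    default, exact, regexes = None, {}, []
    for line in text.splitlines():
        line = line.strip().rstrip(";").strip()
        if not line or line.startswith("map ") or line == "}":
            continue
        key, value = line.split()  # unquoted single-token keys, as in the post
        if key == "default":
            default = value
        elif key.startswith("~*"):  # case-insensitive regex
            regexes.append((key, re.compile(key[2:], re.IGNORECASE), value))
        elif key.startswith("~"):  # case-sensitive regex
            regexes.append((key, re.compile(key[1:]), value))
        else:  # plain string: nginx lowercases both key and source value before hashing
            exact[key.lower()] = value
    return default, exact, regexes

def lookup(parsed, request_uri):
    """Emulate map precedence: exact string first, then regexes in file order (query string included)."""
    default, exact, regexes = parsed
    if request_uri.lower() in exact:
        return exact[request_uri.lower()], request_uri.lower()
    for key, rx, value in regexes:
        if rx.search(request_uri):
            return value, key
    return default, "default"

def audit(parsed, legit_uris):
    """Return {uri: offending key} for legitimate URIs the list would answer with 444."""
    results = {uri: lookup(parsed, uri) for uri in legit_uris}
    return {uri: key for uri, (value, key) in results.items() if value == "1"}

LEGIT = ["/about.html", "/webinar/2018", "/js/app.js", "/api/status.json",
         "/users/42", "/index.html?ref=web"]  # constructed sample of legitimate URIs
FALSE_POSITIVES = audit(parse_map(MAPBADURI), LEGIT)
```

Run it against your own access log's most common paths instead of LEGIT to see which entries would hit real traffic; note that `~*web` fires on the query string as well as the path.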



