Aborting malicious requests

Friscia, Michael michael.friscia at yale.edu
Tue Mar 20 13:03:09 UTC 2018


This is great, thank you again, this is a huge jumpstart!

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu
 

On 3/19/18, 1:43 PM, "nginx on behalf of lists at lazygranch.com" <nginx-bounces at nginx.org on behalf of lists at lazygranch.com> wrote:

    On Mon, 19 Mar 2018 12:31:20 +0000
    "Friscia, Michael" <michael.friscia at yale.edu> wrote:
    
    > Just a thought before I start crafting one. I am creating a
    > location{} block with the intention of populating it with a ton of
    > requests I want to terminate immediately with a 444 response. Before
    > I start, I thought I’d ask to see if anyone has a really good one I
    > can use as a base.
    > 
    > For example, we don’t serve PHP so I’m starting with
    > location ~* \.php {
    >     return 444;
    > }
    > 
    > Then I can just include this into all my server blocks so I can
    > manage the aborts all in one place. This alone reduces errors in the
    > logs significantly. But now I will have to start adding in all the
    > WordPress stuff, then onto phpMyAdmin, etc. I will end up with
    > something like
    > 
    > location ~* (\.php|wp-admin|my-admin) {
    >     return 444;
    > }
    > 
    > I can imagine the chunk inside the parenthesis is going to be pretty
    > huge which is why I thought I’d reach out to see if anyone has one
    > already.
    > 
    > Thanks,
    > -mike
    > 
    
    What follows is how I block requests that shouldn't be made with normal
    operation. I use a similar scheme for user agents and referrals. You
    should block referrals from spam/porn sites since they can trigger some
    browser blocking plugins. (AKA give you a bad reputation.) The
    procedure is similar to the returning 444 procedure I am about to
    outline, but you should 403 them or something other than 444. Remember
    444 is a no reply method which is technically not kosher on the
    internet (though it makes sense in this application).
    
    Here is the procedure:
    
    In nginx.conf in the http section, add this line:
    include /etc/nginx/mapbaduri;
    
    
    In the nginx.conf server section, add this line:
    if ($bad_uri)      { return 444; }
    
    
    This is the contents of the file mapbaduri that you need to create. It
    creates $bad_uri, used in the conditional statement in nginx.conf. If
    you actually use any of these resources, then obviously don't put them
    in the list. You can also accidentally match patterns in intended
    requests, so use caution. Most I created by actual request, though a
    few I found suggested on the interwebs.
    
    map $request_uri $bad_uri {
        default                        0;
        # Plain strings are compared against the whole $request_uri, ignoring case.
        /cms                           1;
        /mscms                         1;
        # ~* is a case-insensitive regex, ~ a case-sensitive one; regexes are
        # tried in order after the plain strings, and the first match wins.
        ~*\.asp                        1;
        ~*\.cfg                        1;
        ~*\.cgi                        1;
        ~*\.json                       1;
        ~*\.php                        1;
        ~*\.ssh                        1;
        ~*\.xml                        1;
        ~*\.git                        1;
        ~*\.svn                        1;
        ~*\.hg                         1;
        ~*docs                         1;
        ~*id_dsa                       1;
        ~*issmall                      1;
        ~*moodletreinar                1;
        ~*new_gb                       1;
        ~*tiny_mce                     1;
        ~*vendor                       1;
        ~*web                          1;
        ~*_backup                      1;
        ~*_core                        1;
        ~*_sub                         1;
        ~*authority                    1;
        ~*/jmx                         1;
        ~*/struts                      1;
        ~*/action                      1;
        ~*/lib                         1;
        ~*/career                      1;
        ~*/market                      1;
        ~*elfinder1                    1;
        ~*/assets                      1;
        ~*place1                       1;
        ~*/backup                      1;
        ~*zecmd                        1;
        ~*/mysql                       1;
        ~*/sql                         1;
        ~*/shop                        1;
        ~*/plus                        1;
        ~*/forum                       1;
        /engine                        1;
        ~*license\.txt                 1;
        ~*/includes                    1;
        ~*/sites                       1;
        ~*/plugins                     1;
        ~*/jeecms                      1;
        ~*gluten                       1;
        ~*/admin                       1;
        ~*/invoker                     1;
        ~*/blog                        1;
        ~*xmlrpc                       1;
        ~*/wordpress                   1;
        ~*/hndUnblock\.cgi             1;
        ~*/test/                       1;
        ~*/cgi                         1;
        ~/wp/                          1;
        ~/wp-admin/                    1;
        ~*/proxy                       1;
        ~*/wp-login\.php               1;
        ~*/js                          1;
        ~*/usr                         1;
        ~*/user                        1;
        ~*/var                         1;
        ~*/bin/                        1;
        ~*/template                    1;
        ~*/components                  1;
        ~*/editor                      1;
        ~*/common                      1;
        ~*/include                     1;
        ~*/manage                      1;
        ~*/script                      1;
        ~*/system                      1;
        ~*/upload                      1;
        ~*/utility                     1;
        ~*/bei                         1;
        ~*/ebak                        1;
        ~*piwik                        1;
        ~*muieblackcat                 1;
        ~*pma                          1;
        ~*apache                       1;
        ~*cpanel                       1;
        ~*/phpmyadmin                  1;
        ~*clientapi\.ipip\.net         1;
        ~*freeapi\.ipip\.net           1;
        ~*/api\.ipip\.net              1;
        ~*/joomla                      1;
        ~^/www                         1;
        ~*/flashfxp                    1;
        ~*w00tw00t                     1;
        ~*/downloader                  1;
        ~*/category                    1;
        ~*netcat                       1;
    }
    
    
    
    
    
    _______________________________________________
    nginx mailing list
    nginx at nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx
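As an added check that is not part of the thread: a small Python harness that evaluates a `map $request_uri $bad_uri` block with nginx's own matching rules (plain strings are compared ignoring case and tried before the regexes; `~` is case-sensitive, `~*` case-insensitive; first match wins) against URIs the site really serves, so broad patterns such as `~*web`, `~*/js` or `~*\.json` are spotted before they turn into 444s in production. The excerpt of the map and the list of legitimate paths are constructed for the example; nginx itself is not needed.

```python
import re
# Constructed excerpt of the mapbaduri file posted in the thread (not the full list).
MAPBADURI = r"""
map $request_uri $bad_uri {
    default        0;
    /cms           1;
    ~*\.php        1;
    ~*\.json       1;
    ~*docs         1;
    ~*web          1;
    ~*/js          1;
    ~/wp-admin/    1;
}
"""

def parse_map(text):
    """Parse an nginx map {} block into (default, [(kind, pattern, value)])."""
    default, rules = None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('map ') or line == '}':
            continue
        src, val = line.rstrip(';').split()
        if src == 'default':
            default = val
        elif src.startswith('~*'):      # case-insensitive regex
            rules.append(('regex', re.compile(src[2:], re.I), val))
        elif src.startswith('~'):       # case-sensitive regex
            rules.append(('regex', re.compile(src[1:]), val))
        else:                           # plain strings are compared ignoring case
            rules.append(('exact', src.lower(), val))
    return default, rules

def evaluate(default, rules, request_uri):
    """Mimic nginx: exact strings are tried first, then regexes in file order."""
    for kind, pat, val in rules:
        if kind == 'exact' and pat == request_uri.lower():
            return val
    for kind, pat, val in rules:
        if kind == 'regex' and pat.search(request_uri):
            return val
    return default

def false_positives(legit_uris, map_text=MAPBADURI):
    """Legitimate URIs (e.g. from your access log) that the map would send to 'return 444'."""
    default, rules = parse_map(map_text)
    return [u for u in legit_uris if evaluate(default, rules, u) == '1']

# Constructed sample of paths a real site serves; $request_uri keeps the query string.
LEGIT = ['/', '/about', '/webinars/2018', '/js/app.js', '/api/data.json', '/news?ref=docs']
```

Feeding the distinct `$request_uri` values from a week of access logs into `false_positives` shows which entries need tightening (anchoring with `^`, adding a trailing `/`, or dropping them) before the `if ($bad_uri)` check goes live.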


