Blocking bots and unwanted users at the nginx web server level

    Like many people who run a web server, I find the logs clogged with requests of this form:

    62.193.233.148 - - [28/May/2009:18:20:27 +0600] "GET /roundcube/ HTTP/1.0" 404 208 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    62.193.233.148 - - [28/May/2009:18:20:28 +0600] "GET /webmail/ HTTP/1.0" 404 206 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    212.150.123.234 - - [29/May/2009:20:51:12 +0600] "GET /admin/main.php HTTP/1.0" 404 212 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:12 +0600] "GET /phpmyadmin/main.php HTTP/1.0" 404 217 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:12 +0600] "GET /phpMyAdmin/main.php HTTP/1.0" 404 217 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:13 +0600] "GET /db/main.php HTTP/1.0" 404 209 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:13 +0600] "GET /PMA/main.php HTTP/1.0" 404 210 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:14 +0600] "GET /admin/main.php HTTP/1.0" 404 212 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:14 +0600] "GET /mysql/main.php HTTP/1.0" 404 212 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:15 +0600] "GET /myadmin/main.php HTTP/1.0" 404 214 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:15 +0600] "GET /phpadmin/main.php HTTP/1.0" 404 215 "-" "-"
    212.150.123.234 - - [29/May/2009:20:51:16 +0600] "GET /webadmin/main.php HTTP/1.0" 404 215 "-" "-"

    These are bots, and also people scanning the server for well-known directories in search of something vulnerable. I wanted such addresses blocked right after their first scan attempt, using nginx alone. The nginx geo module comes to the rescue.

    First, in the http section, define a new log_format that writes one line per request in the form "IP-address 1;", which is exactly the syntax the geo module reads:

    log_format deny '$remote_addr 1;';

    Also in the http section, define a geo variable that reads the file /www/logs/deny and turns that list of addresses into a lookup table:

    geo $deny {
        default 0;
        include /www/logs/deny;
    }

    $deny is 1 for any address listed in the file and 0 for everyone else. Two things to keep in mind: nginx reads the included file when it loads its configuration, not on every request, so new entries take effect only after a reload; and geo only sets a variable, so to actually refuse listed clients $deny still has to be tested in the server or location section with an if that returns 403.

    Now, in the location section, describe the "bad" situations in which a client should be blocked, for example:

    # Command-line fetchers. Trivially evaded (the client just sends another
    # User-Agent), so this only cuts down noise; it is not an access control.
    if ($http_user_agent ~* wget) {
        access_log /www/logs/deny deny;
        return 403;
    }

    if ($http_user_agent ~* curl) {
        access_log /www/logs/deny deny;
        return 403;
    }

    # $request is the whole request line ("GET /webadmin/main.php HTTP/1.0"),
    # so these patterns match anywhere in it, query string included.
    if ($request ~* "webadmin") {
        access_log /www/logs/deny deny;
        return 403;
    }

    if ($request ~* "/admin/main\.php") {
        access_log /www/logs/deny deny;
        return 403;
    }

    As a result, every request that matches one of these rules is refused with 403 and its source address is appended to /www/logs/deny in the form "IP-address 1;". The next time nginx re-reads its configuration, that address is in the $deny table and the block takes effect.

    All that remains is a cron job that makes nginx re-read its configuration every 1, 5 or 10 minutes (whatever suits you); from then on every address in the list is refused access to the server.

    According to Sysoev (the author of nginx), it looks like this:
    kill -HUP `cat /var/log/nginx/nginx.pid`

    The pid path is whatever your pid directive (or the compile-time default) says, so check it; newer versions also accept nginx -s reload. If the deny file ever contains a malformed line, the new configuration fails to parse and nginx keeps running with the old one, so nothing new is blocked until the line is fixed; watch the error log.
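    Here is the whole thing assembled into one working http section. This is an added example, not the article's own configuration: it keeps the article's log_format, geo block and deny file, adds the if on $deny that the article never shows (without it the variable is computed but nothing is refused), keeps the main access log alongside the deny log inside the if blocks, and collects the scanner patterns into two map blocks instead of one if per path so the list is easier to extend. The server_name, root, the main access log path and the names $scanner_path and $scanner_ua are assumptions.

```nginx
# Added example, not from the article: its pieces assembled into one http{}
# fragment, plus the $deny check the article leaves out.
# Assumptions: server_name example.com, root /www/html, main access log at
# /var/log/nginx/access.log, variable names $scanner_path and $scanner_ua.

http {
    # Each blocked client is appended as "ADDRESS 1;", which is exactly the
    # syntax geo's include directive expects.
    log_format deny '$remote_addr 1;';

    # geo is evaluated per request against $remote_addr. The include file is
    # read when the configuration is loaded, so new entries take effect only
    # after a reload (nginx -s reload, or kill -HUP as in the article).
    geo $deny {
        default 0;
        include /www/logs/deny;
    }

    # Scanner signatures in one place instead of one if{} per path.
    # $request_uri is the path plus query string, without method and protocol.
    # ~* makes the match case-insensitive, so phpMyAdmin and PMA are covered.
    map $request_uri $scanner_path {
        default 0;
        ~*^/(admin|phpmyadmin|pma|myadmin|mysql|phpadmin|webadmin|db)/main\.php 1;
        ~*^/(roundcube|webmail)/ 1;
    }

    # Trivially evaded (curl -A "Mozilla/5.0 ..."), so treat this as noise
    # reduction, not as an access control.
    map $http_user_agent $scanner_ua {
        default 0;
        ~*(wget|curl) 1;
    }

    server {
        listen 80;
        server_name example.com;
        root /www/html;

        # The check the article never shows: geo only sets a variable, and
        # "0" counts as false in an nginx if, so listed clients get 403 here.
        if ($deny) {
            return 403;
        }

        location / {
            # An access_log inside an if replaces the inherited log for that
            # request, so the main log is repeated here to keep the hit in it.
            # Several access_log directives may be given at the same level.
            if ($scanner_path) {
                access_log /var/log/nginx/access.log combined;
                access_log /www/logs/deny deny;
                return 403;
            }

            if ($scanner_ua) {
                access_log /var/log/nginx/access.log combined;
                access_log /www/logs/deny deny;
                return 403;
            }

            try_files $uri $uri/ =404;
        }
    }
}
```

    Reload after the deny file has grown, for example from cron with `*/5 * * * * /usr/sbin/nginx -s reload` (or the kill -HUP from the article). Repeated scans from one address produce duplicate entries, which geo reports as warnings, so run the file through sort -u now and then; a malformed line, on the other hand, makes the new configuration fail and nginx keeps serving with the old one. If nginx sits behind a reverse proxy or CDN, $remote_addr is the proxy's address and this setup would end up blocking the proxy itself; set up the realip module so $remote_addr holds the real client address before enabling it.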

    Fill the rule list with your own "bad" requests, and the scanners will trouble you no more.
