Review
When analyzing our access log, we saw some attack patterns. We wrote some block rules to filter the most common ones. These are the ones that fit our application. Since we use Symfony with speaking URLs, no valid URL should contain a ".php" ending, for example. This rule alone prevents most of the traffic from reaching deeper into the stack. Blocking dot-files (commonly config files) is an additional safety net. Since we analyze our access log on a regular basis, we can add additional rules if needed.
map $request_uri $isBlocked {
    default 0;
    # still allow .well-known (listed first: map regexes are tested in order, first match wins)
    ~^/\.well-known 0;
    # wordpress attack
    ~*.*wp-(admin|login|content).* 1;
    ~*.*wordpress.* 1;
    # other common attacks
    ~*.*(phpmyadmin|pma|myadmin)([^a-zA-Z0-9\.\-].*)?$ 1;
    ~*.*(typo3|joomla|drupal|contao).* 1;
    ~*.*(setup|install)\.php.* 1;
    ~*.*(cgi-|cgibin).* 1;
    ~*.*/(webtools|ws|storage|htbin)/.* 1;
    # file endings: x.exe, x.exe/foo, x.exe?foo; but not x.exefoo
    # (nor x.exe.foo or x.exe-foo: a following "." or "-" counts as part of the name)
    ~*.*\.(exe|cmd|asp|cgi|pl|php|sql|py|cfg|yaml|yml|dat|log|lock)([^a-zA-Z0-9\.\-].*)?$ 1;
    # like "php://filter/convert.iconv..." or others like "ftp://" in the path
    ~*.://.* 1;
    # parent directory "../"
    ~*.*\.\./.* 1;
    # dot files like .env, .git/config
    ~*.*/\..* 1;
    # sql injections
    ~*.*union.*select.* 1;
    ~*.*('|")(.*)(drop|insert|md5|select|union).* 1;
    # script tag injection
    ~*.*(<|%3C).*script.* 1;
    # evil methods
    ~*.*(eval|xor|sysdate|sleep|now|chr|delay)\(.* 1;
    # base64 en-/decoding
    ~*.*base64(_)?(en|de)code.* 1;
    # php super globals
    ~*.*(GLOBALS|ENV|REQUEST|SESSION|SERVER)(=|\[|\%).* 1;
}

map $http_referer $isInvalidReferer {
    default 1;
    # empty is fine
    "" 0;
    "-" 0;
    # should contain a valid URL including protocol
    ~^http(s)?://.+ 0;
}

server {
    # ...
    # prevent disclosure of the running nginx version
    server_tokens off;

    if ($isBlocked) {
        return 404;
    }
    if ($isInvalidReferer) {
        return 400;
    }

    # location ...
}
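To review what the $isBlocked map would do before deploying a change, here is an added example (not from the original post) in Python: it copies the map's regexes by hand in the same order, emulates nginx's first-match-wins semantics, and replays them against a few constructed combined-format log lines, which also shows a false positive on a speaking URL containing "wordpress". The log format, the sample addresses and the helper names is_blocked and triage are assumptions.

```python
import re

# The map's regexes in the nginx block's order (first match wins); True = "~*" (case-insensitive).
RULES = [
    (r"^/\.well-known", False, 0),
    (r".*wp-(admin|login|content).*", True, 1),
    (r".*wordpress.*", True, 1),
    (r".*(phpmyadmin|pma|myadmin)([^a-zA-Z0-9\.\-].*)?$", True, 1),
    (r".*(typo3|joomla|drupal|contao).*", True, 1),
    (r".*(setup|install)\.php.*", True, 1),
    (r".*(cgi-|cgibin).*", True, 1),
    (r".*/(webtools|ws|storage|htbin)/.*", True, 1),
    (r".*\.(exe|cmd|asp|cgi|pl|php|sql|py|cfg|yaml|yml|dat|log|lock)([^a-zA-Z0-9\.\-].*)?$", True, 1),
    (r".://.*", True, 1),
    (r".*\.\./.*", True, 1),
    (r".*/\..*", True, 1),
    (r".*union.*select.*", True, 1),
    (r""".*('|")(.*)(drop|insert|md5|select|union).*""", True, 1),
    (r".*(<|%3C).*script.*", True, 1),
    (r".*(eval|xor|sysdate|sleep|now|chr|delay)\(.*", True, 1),
    (r".*base64(_)?(en|de)code.*", True, 1),
    (r".*(GLOBALS|ENV|REQUEST|SESSION|SERVER)(=|\[|%).*", True, 1),
]

def is_blocked(uri: str) -> int:
    """Emulate `map $request_uri $isBlocked`: first matching regex wins, else default 0."""
    for pattern, nocase, value in RULES:
        if re.search(pattern, uri, re.IGNORECASE if nocase else 0):
            return value
    return 0

# Assumed combined log format: ip - - [time] "METHOD URI PROTOCOL" ...; unparsable lines are skipped.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*"')

def triage(log_text: str) -> list:
    """Return (ip, uri, would_block) per log line, to review hits and false positives offline."""
    matches = (LOG_RE.match(line) for line in log_text.splitlines())
    return [(m["ip"], m["uri"], is_blocked(m["uri"])) for m in matches if m]

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "scan"
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /.well-known/acme-challenge/token HTTP/1.1" 200 87 "-" "acme"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /products/php-books HTTP/1.1" 200 5120 "-" "Mozilla"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /blog/migrating-from-wordpress HTTP/1.1" 200 7300 "-" "Mozilla"
"""

if __name__ == "__main__":
    for ip, uri, blocked in triage(SAMPLE_LOG):
        print("BLOCK" if blocked else "allow", ip, uri)
```

The last sample line is a legitimate speaking URL that the ~*.*wordpress.* rule would still block, which is the kind of hit worth spotting in the log review before the rule goes live.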
Besides this, attacks are reported to the provider's abuse contact. If the attacks don't stop, we use an additional rule set for blocking IP ranges.