You don't need fail2ban to limit html verbs.  I only allow "get" and "head" on mine. 

Inside the Nginx server block:

if ($request_method !~ ^(GET|HEAD) $)  {
return 444;

GET and HEAD is all you need for a read only site. 

I have a map set up for bad user agents. There is a search engine called Majestic that will download your website on a daily basis. It does not obey robots.txt.


https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/blob/master/_generator_lists/bad-user-agents.list

Since Nginx will be using regular expressions, some of these are redundant. If you look for majestic then you don't need to look for 
majestic12. 

You really should study maps since that is the most efficient means to implement these pattern searches. 

Sent: August 24, 2020 10:53 PM
Subject: Re: Is this an attack or a normal request?

Thank you very much. Everyone!

I will try to implement all the insithgts given.

With desperate times come desperate measures, and I implemented a fail2ban that block any IP that doesn't have any GET or POST in the request.

It is not efficient, I know. My firewall list is growing abruptly but, at least, it buys me some time to improve the all counter-measure that you guys meantionated.

BR,
Donda

On Mon, Aug 24, 2020 at 9:18 PM Peter Booth <[email protected]> wrote:
I agree with the advice already given

It can also be useful to track the User-Agent header of web requests - both to understand who is trying to do what to your website,
and then to start blocking on the basis of user agent.
There may be some bots and spiders that are helpful or even necessary for your business.

Peter



> On Aug 24, 2020, at 2:54 PM, lists <[email protected]> wrote:
>
> I can't find it, but someone wrote a script to decode that style of hacking. For the hacks I was decoding, they were RDP hack attempts. The hackers just "spray" their attacks. Often they are not meaningful to your server.
>
> I have Nginx maps set up to match requests that are not relevant to my server. For instance I don't run WordPress, so anything WordPress related gets a 444 response. On a weekly basis I pull all the IP addresses that generated a 400 or 444 and run them through a IP lookup website. If they come back to a hosting company, VPS, or basically anything not an ISP, I block the associated IP space via my firewall. The only reason I can do this weekly is I have blocked so much IP space already that I don't get many hackers.
>
> At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just hackers. Also block all of OVH. You can block any of the hosting companies since there are no eyeballs there. This blocks many VPNs as well but nobody says you have to accept traffic from VPNs.
>
> Firewalls are very CPU efficient though they do use a lot of memory. In the long run blocking all those hackers improves system efficiency since nginx does have to parse all that nonsense.
>
> I have scripts to pull the hacker IP out of the log file but a have a nonstandard log format. If you can create a file of IPs, this site will return the domains:
>
> https://www.bulkseotools.com/bulk-ip-to-location.php
>
> If you see a domain that is obviously not an ISP, you can find their entire IP space using bgp.he.net
>
> This sounds more complicate than it is. I have it down to about 20 minutes a week.
>
> You can also block countries in the firewall. Some people block all of China. I don't but that does cut down on hackers.
>
>
>
>   Original Message 
>
>
> From: [email protected]
> Sent: August 24, 2020 11:06 AM
> To: [email protected]
> Reply-to: [email protected]
> Subject: Re: Is this an attack or a normal request?
>
>
>> Is this kind of DDOS attack or a legitimate request(which my server returns
>> 400 for them)?
>
> That's typically how various unicode characters are hex encoded. If
> you aren't expecting that kind of input, then yes it is likely an
> attack (probably trying to exploit an unknown specific piece of
> software). Welcome to the internet where everything connected is
> bombarded 24/7 from everything else with random attacks.
>
> That's why it's important to keep your server (and wordpress) up to date.
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx


--
Att.
Anderson Donda

Mar calmo não cria bom marinheiro, muito menos bom capitão."
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to