Home Experience & Tips Sharing Standard Post

Standard Post

Server Security: Add Nginx Rules to Prevent Server from Being Scanned by Malicious Bots

Building a website on your own server involves server security issues. Although you may not know it, your server is scanned by bots every day. This article from Naiba shares several Nginx rules to prevent server scanning. 1. Disable default access to the server via IP. Each server has an IP address, and some bots directly access the IP...

Updated on September 21, 2020 About 6 minutes read
服务器安全:添加Nginx规则防止服务器被恶意机器人扫描

Building a Website by Purchasing Your Own ServerThis involves server security issues. Although you may not be aware, your server is being scanned by bots every day. In this article, Naiba shares several Nginx rules that can prevent your server from being scanned.

1. Prohibit Direct Server Access via IP by Default

Each server has an IP address, and some bots directly access the IP address to probe the content on your website.

We can add the following code in the Nginx configuration to disable access to the server via IP address.

#别人如果通过ip或者未知域名访问你的网站的时候,你希望禁止显示任何有效内容,可以给他返回500
server {
       listen 80 default;
       server_name _;
       return 500;

}
#开放一个或多个真实的希望被访问的域名配置,设置如下:
server {
       linten 80;
       server_name naibabiji.com;
}

2. Prevent Bots from Scanning Website Compressed Files

Similarly, many bots directly access certain files on your domain. For example, the image below shows someone scanning the wwwroot.zip file on Naibabiji.

 

扫描日志We can add some 'spice' to it by redirecting links that access these compressed files to a very large file, making them download slowly.

    rewrite \.asp/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.zip/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.gz/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.7z/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.sql/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.rar/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.tar/?$ http://speedtest.tele2.net/50GB.zip permanent;

The above code redirects access to files with extensions like .asp, .zip, .gz, .7z, .sql, .rar, .tar to a 50GB zip link. Let them crawl it themselves.

We can also give them a larger file, such as 1000GB, to fill up their hard drive.

http://speedtest.tele2.net/1000GB.zip
http://speedtest.tele2.net/100GB.zip
http://speedtest.tele2.net/50GB.zip

Of course, you can also installDefender Securitythis plugin to help you block these bots. If you don't know how to add redirect rules, you can directly use some plugins that support redirection, such asRanK Math's redirection feature.

Updated on September 20:

Today, I found that new bots ignore the above 301 redirect (or maybe the traffic is too high?), causing the CPU of Naibabiji's server to be maxed out several times. So I had to use another method.

The simplest and most direct method is to add the following rule directly in the Nginx configuration to block access to file download links on the server (use with caution for websites that provide local resource downloads).

location ~ \.(zip|rar|sql|bak|gz|7z)$ {
return 444;
}

When a user accesses resources like zip, rar, etc., on the website, directly return a 444 error code.

444 No Response
HTTP server extension on Nginx. The server returns no information to the client and closes the connection (helps block malicious software)

There is another method, which is to install a WAF firewall for Nginx. If you are usingBaota Panel, then you can directly install it from the backend software store.

If you are using the LNMP one-click package, follow the method below to install.

Starting from version 1.5, the LNMP one-click installation package adds Lua support option. You can enable Lua by modifying the parameter after Enable_Nginx_Lua in lnmp.conf to y. If LNMP is not installed, modify lnmp.conf and save it. After installation, LNMP will support Lua. If LNMP is already installed, modify lnmp.conf as above, then run ./upgrade.sh nginx in the LNMP installation package directory to upgrade Nginx. Enter the current Nginx version number or a newer one. After the upgrade, Lua support will be enabled.

Install ngx_lua_waf
Download and install ngx_lua_waf:

wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip -O ngx_lua_waf.zip
unzip ngx_lua_waf.zip
mv ngx_lua_waf-master /usr/local/nginx/conf/waf

Configure and enable ngx_lua_waf on Nginx

Edit /usr/local/nginx/conf/nginx.conf and add the following code below server_tokens off;:

lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;

Save after modification

To enable ngx_lua_waf for a specific virtual host, modify the server block of that virtual host and add the following code below the root website directory line:

access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Save after modification

Test Nginx configuration: /usr/local/nginx/sbin/nginx -t
Reload Nginx configuration to apply: /usr/local/nginx/sbin/nginx -s reload

If both test and reload report no errors, it is effective.

You can test by visiting http://domain/test.php?id=../etc/passwd

For more details, you canRefer to this article

4.5/5 - (2 votes)
Previous Reasons and Solutions for Non-Sequential WooCommerce Order Numbers Continue reading content around the same timeline. Next How to Analyze Competitor Website SEO Information for Foreign Trade Website Building? View the next related tutorial or experience.

AI Website Building Assistant

🤖
Hello! I am the Naibabiji AI Assistant. How can I help you?
Quick Consultation: