
Building a Website by Purchasing Your Own ServerThis involves server security issues. Although you may not be aware, your server is being scanned by bots every day. In this article, Naiba shares several Nginx rules that can prevent your server from being scanned.
1. Prohibit Direct Server Access via IP by Default
Each server has an IP address, and some bots directly access the IP address to probe the content on your website.
We can add the following code in the Nginx configuration to disable access to the server via IP address.
#别人如果通过ip或者未知域名访问你的网站的时候,你希望禁止显示任何有效内容,可以给他返回500
server {
listen 80 default;
server_name _;
return 500;
}
#开放一个或多个真实的希望被访问的域名配置,设置如下:
server {
linten 80;
server_name naibabiji.com;
}
2. Prevent Bots from Scanning Website Compressed Files
Similarly, many bots directly access certain files on your domain. For example, the image below shows someone scanning the wwwroot.zip file on Naibabiji.
We can add some 'spice' to it by redirecting links that access these compressed files to a very large file, making them download slowly.
rewrite \.asp/?$ http://speedtest.tele2.net/50GB.zip permanent;
rewrite \.zip/?$ http://speedtest.tele2.net/50GB.zip permanent;
rewrite \.gz/?$ http://speedtest.tele2.net/50GB.zip permanent;
rewrite \.7z/?$ http://speedtest.tele2.net/50GB.zip permanent;
rewrite \.sql/?$ http://speedtest.tele2.net/50GB.zip permanent;
rewrite \.rar/?$ http://speedtest.tele2.net/50GB.zip permanent;
rewrite \.tar/?$ http://speedtest.tele2.net/50GB.zip permanent;The above code redirects access to files with extensions like .asp, .zip, .gz, .7z, .sql, .rar, .tar to a 50GB zip link. Let them crawl it themselves.
We can also give them a larger file, such as 1000GB, to fill up their hard drive.
http://speedtest.tele2.net/1000GB.zip http://speedtest.tele2.net/100GB.zip http://speedtest.tele2.net/50GB.zip
Of course, you can also installDefender Securitythis plugin to help you block these bots. If you don't know how to add redirect rules, you can directly use some plugins that support redirection, such asRanK Math's redirection feature.
Updated on September 20:
Today, I found that new bots ignore the above 301 redirect (or maybe the traffic is too high?), causing the CPU of Naibabiji's server to be maxed out several times. So I had to use another method.
The simplest and most direct method is to add the following rule directly in the Nginx configuration to block access to file download links on the server (use with caution for websites that provide local resource downloads).
location ~ \.(zip|rar|sql|bak|gz|7z)$ {
return 444;
}When a user accesses resources like zip, rar, etc., on the website, directly return a 444 error code.
444 No Response
HTTP server extension on Nginx. The server returns no information to the client and closes the connection (helps block malicious software)
There is another method, which is to install a WAF firewall for Nginx. If you are usingBaota Panel, then you can directly install it from the backend software store.
If you are using the LNMP one-click package, follow the method below to install.
Starting from version 1.5, the LNMP one-click installation package adds Lua support option. You can enable Lua by modifying the parameter after Enable_Nginx_Lua in lnmp.conf to y. If LNMP is not installed, modify lnmp.conf and save it. After installation, LNMP will support Lua. If LNMP is already installed, modify lnmp.conf as above, then run ./upgrade.sh nginx in the LNMP installation package directory to upgrade Nginx. Enter the current Nginx version number or a newer one. After the upgrade, Lua support will be enabled.
Install ngx_lua_waf
Download and install ngx_lua_waf:
wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip -O ngx_lua_waf.zip unzip ngx_lua_waf.zip mv ngx_lua_waf-master /usr/local/nginx/conf/waf
Configure and enable ngx_lua_waf on Nginx
Edit /usr/local/nginx/conf/nginx.conf and add the following code below server_tokens off;:
lua_package_path "/usr/local/nginx/conf/waf/?.lua"; lua_shared_dict limit 10m; init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
Save after modification
To enable ngx_lua_waf for a specific virtual host, modify the server block of that virtual host and add the following code below the root website directory line:
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
Save after modification
Test Nginx configuration: /usr/local/nginx/sbin/nginx -t
Reload Nginx configuration to apply: /usr/local/nginx/sbin/nginx -s reload
If both test and reload report no errors, it is effective.
You can test by visiting http://domain/test.php?id=../etc/passwd
For more details, you canRefer to this article。