
Server Security: Add Nginx Rules to Prevent Server Scanning by Malicious Bots

Building a Website by Purchasing Your Own Server involves server security concerns. Even if you are not aware of it, your server is scanned every day by assorted bots. This article shares several Nginx rules used on Naibabiji to help block server scanning.

1. Prohibit Access to the Server via IP by Default

Every server has an IP address, and some bots probe the content of your website by requesting the IP address directly. We can add the following code to the Nginx configuration to prohibit access to the server via its IP address.
# If someone reaches your site via the IP or an unknown domain and you want to show them nothing useful, return 500
server {
       listen 80 default;
       server_name _;
       return 500;
}
# Then open one or more real domains that you do want to be reachable, configured as follows:
server {
       listen 80;
       server_name naibabiji.com;
}

2. Prohibit Bots from Scanning Website Compressed Files

Similarly, many bots request specific files under your domain directly. For example, the image below shows someone scanning for the wwwroot.zip file on Naibabiji.

[Image: scan log]

We can add some 'spice' to this by making requests for these compressed packages redirect to an extremely large file, so they download it slowly.
    rewrite \.asp/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.zip/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.gz/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.7z/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.sql/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.rar/?$ http://speedtest.tele2.net/50GB.zip permanent;
    rewrite \.tar/?$ http://speedtest.tele2.net/50GB.zip permanent;
The code above means that when accessing files with .asp/zip/gz/7z/sql/rar/tar formats on the website, it automatically redirects to a 50GB zip link. Let them crawl it themselves. We can also give them an even larger file, like 1000GB, to fill up their hard drive.
http://speedtest.tele2.net/1000GB.zip
http://speedtest.tele2.net/100GB.zip
http://speedtest.tele2.net/50GB.zip
Of course, you can also install the Defender Security plugin to help you block these bots. If you don't know how to add redirect rules, you can use a plugin that supports redirection, such as Rank Math's redirection feature.

Updated on September 20: Today I found that new bots scanning the site ignore the 301 redirects above (or is the volume simply too large?), and Naibabiji's server CPU was maxed out several times, so another method had to be used. The simplest and most brutal approach is to add the following rule to the Nginx configuration, which directly prohibits access to file download links on the server (use with caution on sites that serve local resource downloads).
location ~ \.(zip|rar|sql|bak|gz|7z)$ {
       return 444;
}
When a client requests zip, rar or similar resources on the website, Nginx returns the 444 code directly.
444 No Response: an HTTP status extension specific to Nginx. The server returns nothing to the client and closes the connection (helps block malware).
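As an added example (my code, not part of the original post or of Naibabiji's configuration): a small Python script that parses Nginx access-log lines in the default "combined" format, flags clients probing for the same archive and dump extensions the 444 rule above covers, and counts how many probes a client kept sending after it had already been given a 301, which is the behaviour the September 20 update describes. The log lines and IP addresses are constructed; the script is meant to be pointed at your real access.log.

```python
import re
from collections import defaultdict

# Nginx "combined" log format: ip - user [time] "METHOD /uri HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Same extensions the location rule on this page returns 444 for. Nginx matches
# location/rewrite regexes against the URI without the query string, so strip it first.
ARCHIVE_RE = re.compile(r'\.(zip|rar|sql|bak|gz|7z)$', re.IGNORECASE)


def is_archive_probe(uri):
    """True if the request path (query string removed) ends in a dump/archive extension."""
    return ARCHIVE_RE.search(uri.split('?', 1)[0]) is not None


def find_scanners(lines, threshold=3):
    """Return {ip: {'probes': n, 'after_redirect': m}} for clients with >= threshold
    archive probes. 'after_redirect' counts probes made after that client had already
    been sent a 301, i.e. a bot ignoring the redirect (the September 20 update case)."""
    probes = defaultdict(int)
    after_redirect = defaultdict(int)
    redirected = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_archive_probe(m['uri']):
            continue
        ip = m['ip']
        probes[ip] += 1
        if ip in redirected:
            after_redirect[ip] += 1
        if m['status'] == '301':
            redirected.add(ip)
    return {ip: {'probes': n, 'after_redirect': after_redirect[ip]}
            for ip, n in probes.items() if n >= threshold}


# Constructed sample log lines (not a real log): one scanner, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Sep/2020:10:00:01 +0800] "GET /wwwroot.zip HTTP/1.1" 301 162 "-" "python-requests/2.22"',
    '203.0.113.7 - - [20/Sep/2020:10:00:02 +0800] "GET /backup.sql HTTP/1.1" 301 162 "-" "python-requests/2.22"',
    '203.0.113.7 - - [20/Sep/2020:10:00:03 +0800] "GET /web.tar.gz?x=1 HTTP/1.1" 301 162 "-" "python-requests/2.22"',
    '203.0.113.7 - - [20/Sep/2020:10:00:04 +0800] "GET /db.7z HTTP/1.1" 444 0 "-" "python-requests/2.22"',
    '198.51.100.3 - - [20/Sep/2020:10:00:05 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [20/Sep/2020:10:00:06 +0800] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]
```

A client with a high after_redirect count is a good candidate for the 444 rule or a firewall block, since the redirect tarpit is clearly not slowing it down.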
Another method is to install a WAF for Nginx. If you use Baota Panel, you can install one directly from the software store in the backend. If you use the LNMP one-click installation package, install it by the method below.

Starting from version 1.5, the LNMP one-click installation package added an option for Lua support. Enable Lua by changing the value after Enable_Nginx_Lua in lnmp.conf to 'y'. If LNMP is not yet installed, save lnmp.conf after the change and LNMP will support Lua once installed. If LNMP is already installed, modify lnmp.conf the same way, then run ./upgrade.sh nginx in the LNMP installation package directory and enter the current Nginx version number or a newer one. After the upgrade completes, Nginx will support Lua.

Install ngx_lua_waf

Download and install ngx_lua_waf:
wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip -O ngx_lua_waf.zip
unzip ngx_lua_waf.zip
mv ngx_lua_waf-master /usr/local/nginx/conf/waf
Set up and enable ngx_lua_waf on nginx. Edit /usr/local/nginx/conf/nginx.conf and add the following code below server_tokens off;:
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
Save after modifications. If you want to enable ngx_lua_waf for a specific virtual host, modify the corresponding virtual host's server block. Add the following code below the root website directory line in that server block:
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
Save after modifying. Test the Nginx configuration file: /usr/local/nginx/sbin/nginx -t. Reload the Nginx configuration for the change to take effect: /usr/local/nginx/sbin/nginx -s reload. If neither the test nor the reload reports an error, the WAF is active. You can test it by accessing http://domain/test.php?id=../etc/passwd. For more details, you can refer to this article.
