Nginx block 444
Hello Kevin,
I configured my Nginx web server to block requests by some user-agents or specific requests and return a 444 code. For example, I return 444 when someone visits /wp-content/plugins/seoplugins, which is a path hackers upload malware to.
I would like to block the IPs when I return 444. I will use it with https://bitbucket.org/sshguard/sshguard/issues/130/clf-probes-blocks-googlebot#comment-58523504 to avoid blocking googlebot and other search engines by mistake.
The access log is like this:
xxx.xxx.xxx.xx - - [28/Dec/2022:20:45:56 +0200] "GET /LICENSE.txt HTTP/2.0" 444 0 "-" "curl/7.74.0" (0.000)
I read attack_scanner.l and it looks like it should already block the 444 code and identify it as CLFWEBPROBES_BOTSEARCH_SUFF.
Any idea why it doesn't work?
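The behaviour asked for above, as an added Python example that is not part of sshguard or its attack_scanner.l lexer: every Nginx 444 response in a Common Log Format line counts as a probe regardless of the path, scores are summed per client IP, and an IP is flagged once it reaches the threshold. The score of 10 and the threshold of 30 are assumptions mirroring sshguard's defaults; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of an Nginx access log (combined format plus the trailing
# request-time field seen in the issue). Addresses are RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Dec/2022:20:45:56 +0200] "GET /LICENSE.txt HTTP/2.0" 444 0 "-" "curl/7.74.0" (0.000)
203.0.113.10 - - [28/Dec/2022:20:45:57 +0200] "GET /wp-content/plugins/seoplugins/ HTTP/2.0" 444 0 "-" "curl/7.74.0" (0.000)
203.0.113.10 - - [28/Dec/2022:20:45:58 +0200] "GET /.env HTTP/2.0" 444 0 "-" "curl/7.74.0" (0.000)
198.51.100.7 - - [28/Dec/2022:20:46:01 +0200] "GET /index.html HTTP/2.0" 200 1234 "-" "Mozilla/5.0" (0.012)
198.51.100.7 - - [28/Dec/2022:20:46:02 +0200] "GET /missing HTTP/2.0" 404 153 "-" "Mozilla/5.0" (0.003)
"""

# Common Log Format prefix: client IP, ident, user, timestamp, request, status, bytes.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

ATTACK_SCORE = 10   # assumed per-attack score, as discussed in the thread
THRESHOLD = 30      # assumed blocking threshold (sshguard's default)

def parse_clf(line):
    """Return (ip, status, request) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("status")), m.group("request")

def is_nginx_444_probe(line):
    """True when Nginx closed the connection without a response (status 444),
    whatever path was requested: 444 is only ever emitted by an explicit
    'return 444' in the server configuration."""
    parsed = parse_clf(line)
    return parsed is not None and parsed[1] == 444

def score_offenders(log_text, score=ATTACK_SCORE, threshold=THRESHOLD):
    """Sum attack scores per client IP and return the set that reaches the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if is_nginx_444_probe(line):
            totals[parse_clf(line)[0]] += score
    return {ip for ip, total in totals.items() if total >= threshold}

if __name__ == "__main__":
    print(score_offenders(SAMPLE_LOG))  # {'203.0.113.10'}
```

Lowering the score to 5, as the thread considers, means the same scanner needs six 444 responses instead of three before it is flagged.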
- changed status to open
This seems reasonable. I've attached a patch for the suggested change, along with a test case. If you don't mind, check that this now matches the sorts of attacks that you would like to block (using sshg-parser -a). Do you think the default attack score of 10 is appropriate, or should we lower this, since this isn't really as bad as an "attack" like logging in with guessed credentials?
Thank you Kevin.
An attack score of 5 is fine as these bots try multiple URLs and it will not take long to block them.
I will test the patch and let you know.
Finally, it is better to keep it with a score of 10.
The patch works fine. I already patched the FreeBSD port and use it on all my servers.
- changed status to resolved
Committed to master in da77721, thanks.
I read attack_scanner.l again and I believe that the 444 code works only for the HTTP_BOTSEARCH regex.
Is it possible to add 444 to "work" for every request? 444 is a special error code used by Nginx only if you choose to return this code, so I don't believe this change will affect other people.