Contents...
In this article I will explain how to secure Nginx Web Server blocking SQL Injections, Exploits, File Injections, Spam and User Agents. These days attacking on the websites is normal issue for web server administrator. Attacker uses lots of methods to exploit your web server such as SQL Injections,File Injections, and Exploits etc.. In SQL Injection attacker execute malicious SQL Statements it is also called malicious payload. Relational Database Management System (RDBMs) , we can also say database server which manage and control web applications SQL Injection vulnerability affect any websites which is SQL-Base database.Same as in File Injections vulnerability attacker include a file. Attacker use to exploits “ Dynamic File Inclusions” mechanisms in the target application. It is occurs due to the user supplied input without validation.
In this article I am going to explain how we can block Exploits, File Injections, SQL Injections, Spam and User Agents etc.. in nginx.
If your using nginx Virtual-host append below mentioned configuration into your virtual-host configurations file. Keep eyes on your logs for unwanted request attempts and try to block to modify configurations.
Note :- Configure and append below line into each nginx virtual-host inside a server {} container configuration.
SQL INJECTIONS BLOCKING
## Block SQL injections set $block_sql_injections 0; if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; } if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; } if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; } if ($block_sql_injections = 1) { return 403; }
FILE INJECTIONS BLOCKING
## Block file injections set $block_file_injections 0; if ($query_string ~ "[a-zA-Z0-9_]=http://") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; } if ($block_file_injections = 1) { return 403; }
COMMON EXPLOITS BLOCKING
## Block common exploits set $block_common_exploits 0; if ($query_string ~ "(|%3E)") { set $block_common_exploits 1; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; } if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; } if ($block_common_exploits = 1) { return 403; }
SPAM BLOCKING
## Block spam set $block_spam 0; if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { set $block_spam 1; } if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { set $block_spam 1; } if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { set $block_spam 1; } if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { set $block_spam 1; } if ($block_spam = 1) { return 403; }
USER AGENTS BLOCKING
## Block user agents set $block_user_agents 0; # Don't disable wget if you need it to run cron jobs! #if ($http_user_agent ~ "Wget") { # set $block_user_agents 1; #} # Disable Akeeba Remote Control 2.5 and earlier if ($http_user_agent ~ "Indy Library") { set $block_user_agents 1; } # Common bandwidth hoggers and hacking tools. if ($http_user_agent ~ "libwww-perl") { set $block_user_agents 1; } if ($http_user_agent ~ "GetRight") { set $block_user_agents 1; } if ($http_user_agent ~ "GetWeb!") { set $block_user_agents 1; } if ($http_user_agent ~ "Go!Zilla") { set $block_user_agents 1; } if ($http_user_agent ~ "Download Demon") { set $block_user_agents 1; } if ($http_user_agent ~ "Go-Ahead-Got-It") { set $block_user_agents 1; } if ($http_user_agent ~ "TurnitinBot") { set $block_user_agents 1; } if ($http_user_agent ~ "GrabNet") { set $block_user_agents 1; } if ($block_user_agents = 1) { return 403; }
Find the below my complete nginx virtual-host configuration file.
# example.com:80
server {
# Server port and name
listen 80;
server_name www.example.com;
#}
# log files
access_log /var/log/nginx/vhost/example.com_access.log upstream;
error_log /var/log/nginx/vhost/example.com_error.log;
## Block SQL injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*\(") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.*\(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}
## Block file injections
set $block_file_injections 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 403;
}
## Block common exploits
set $block_common_exploits 0;
if ($query_string ~ "(|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}
## Block spam
set $block_spam 0;
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $block_spam 1;
}
if ($block_spam = 1) {
return 403;
}
## Block user agents
set $block_user_agents 0;
# Don't disable wget if you need it to run cron jobs!
#if ($http_user_agent ~ "Wget") {
# set $block_user_agents 1;
#}
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $block_user_agents 1;
}
# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetRight") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Download Demon") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GrabNet") {
set $block_user_agents 1;
}
if ($block_user_agents = 1) {
return 403;
}
## PROXY - Web
location / {
proxy_pass http://12.41.245.29:80/;
# Set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
}
}
I hope this article will be helpful to secure your nginx web server blocking Exploits, File Injections, SQL Injections, Spam and User Agents etc. If you have any queries and problem please comment in comment section.
Thanks:)
If you find this tutorial helpful please share with your friends to keep it alive. For more helpful topic browse my website www.looklinux.com. To become an author at LookLinux Submit Article. Stay connected to Facebook.
Thanks for this Sagar,
Please note that you may have made a little error:
if ($query_string ~ “(|%3E)”) {
=> Triggers 403 when visiting the site.
=> I replaced it with the following which works:
if ($query_string ~ “(|%3E)”) {
Thanks Erus for noticing this error.
Erus,
Yes, there is a problem with this, but it looks like your solution is identical to the problem regex. I’m not sure of the intent and so I just commented it out.
Perhaps Santosh can edit it or just drop it from the post.
Hi sagar!
You have shared valuable content which is very useful for beginners. I am new in this field, and you have explained everything entirely for beginners.
Great Work!
This is great, can you consider maintaining on github and adding to it / taking suggestions?
Hi, do I just need to install nginx on our Windows server and edit the nginx.conf to this? I am tasked to prevent SQL injections and other attacks on our Windows server and I’m unsure of what the pre-requisites of using nginx are. Kindly guide me. Thanks!
With nearly zero indentations it’s too much trouble reading the code.
Thanks for visiting..I will try to make code readable.
Hi, Sagar !
That was something new for me as well, its a good way to stop them at nginx itself.
Thank you for sharing.
Hi Usman,
Thanks for reading my article.I will share more interesting nignx article in my next post, till then stay tuned to looklinux.com for more such valuable articles.
Alright Sagar 🙂