nginx not blocking user agents
Solution 1
nginx only applies one location block at each level of the config. All the files which are 404ing are .php files which hit the \.php location block, and therefore do not use the / location block which contains your user agent block. To fix this, move your user agent block outside the location block to the root level so that it gets applied to all requests.
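# Server level: evaluated for every request, whichever location handles it
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
    return 403;
}
location / {
    ...
}
# "~" makes this a regex location, as in the question's config
location ~ \.php {
    ...
}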
Edit: You can test this with something like curl, which lets you set arbitrary headers:
% curl -I localhost/sf645/blah
HTTP/1.1 404 Not Found
% curl -I -H 'User-agent: ZmEu' localhost/sf645/blah
HTTP/1.1 403 Forbidden
% curl -I -H 'User-agent: morfeus fucking scanner' localhost/sf645/blah
HTTP/1.1 403 Forbidden
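Why the question's access log shows a single 403 among the 404s, as an added example (not code from the answer or from nginx): a simplified Python model of nginx's location selection, run against the locations in the question's server block. It ignores nested and named locations, and the tuple layout and function names are invented for this illustration.

```python
import re

# Locations from the question's server block, in config order.
# (modifier, pattern, has_ua_block): has_ua_block marks where the
# "if ($http_user_agent ...) return 403" rule lives in that config.
LOCATIONS = [
    ("",  "/",              True),
    ("~", r"\.php",         False),
    ("=", "/50x.html",      False),
    ("=", "/error403.html", False),
]

def select_location(uri, locations=LOCATIONS):
    """Simplified nginx location selection for one request URI."""
    # 1. An exact (=) match wins immediately.
    for loc in locations:
        if loc[0] == "=" and uri == loc[1]:
            return loc
    # 2. Remember the longest matching prefix location.
    prefixes = [l for l in locations
                if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":
        return best  # ^~ suppresses the regex check
    # 3. Regex locations are tried in config order; first match wins.
    for loc in locations:
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    # 4. Otherwise fall back to the longest prefix.
    return best

def ua_rule_applies(uri, locations=LOCATIONS):
    """True if the selected location is the one holding the UA block."""
    loc = select_location(uri, locations)
    return bool(loc and loc[2])

def label(loc):
    return (loc[0] + " " + loc[1]).strip()

# Request paths taken from the access log in the question.
PATHS = ["/phpMyAdmin/scripts/setup.php",
         "/w00tw00t.at.blackhats.romanian.anti-sec:)"]

if __name__ == "__main__":
    for p in PATHS:
        print(f"{p:45} -> {label(select_location(p)):8} "
              f"UA rule applies: {ua_rule_applies(p)}")
```

The .php probes land in the regex location and never see the user agent rule, while the w00tw00t request falls through to `/` and is refused, matching the statuses in the log.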
Solution 2
Try this:
if ($http_user_agent ~* (morfeus|ZmEu) ) {
    return 403;
}
ProfessionalAmateur
Updated on September 18, 2022
Comments
-
ProfessionalAmateur almost 2 years
I have this in my .conf file for my website in an attempt to block 2 user agents from constantly probing my server.
## Block http user agent - morpheus fucking scanner ##
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
    return 403;
}
I've also tried the following, with no luck:
if ($http_user_agent ~* ("morfeus fucking scanner|ZmEu"))
if ($http_user_agent ~* (morfeus fucking scanner|ZmEu))
if ($http_user_agent ~* ("morfeus fucking scanner"|"ZmEu"))
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu")
if ($http_user_agent ~* morfeus fucking scanner|ZmEu)
It worked well when I only had 1 user agent, but in an attempt to add a second, these user agents are able to probe the server still.
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
According to these two posts, "#12: How Do I Deny Certain User-Agents?" and "HowTo: Nginx Block User Agent", I think I'm set up correctly, but it doesn't seem to be working.
EDIT
Here is the nginx version and whole conf file
nginx version: nginx/1.2.7

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;

    access_log  /var/log/nginx/XXXXXX/access.log  main;
    error_log   /var/log/nginx/XXXXXX/error.log;

    root /srv/www/XXXXXX;

    location / {
        index  index.html index.htm index.php;

        #5/22/2012 - Turn on Server Side Includes
        ssi on;

        ## Block http user agent - morpheus fucking scanner ##
        if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
            return 403;
        }

        ## Only allow GET and HEAD request methods. By default Nginx blocks
        ## all requests type other then GET and HEAD for static content.
        if ($request_method !~ ^(GET|HEAD)$ ) {
            return 405;
        }
    }

    location ~ \.php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /srv/www/XXXXXX/$fastcgi_script_name;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # Redirect server error pages to the static page
    error_page   403 404          /error403.html;
    location = /error403.html {
        root   /usr/share/nginx/html;
    }
}
-
ProfessionalAmateur over 11 years
@mgorven - That was posted by me as well. The solution there allowed me to start up nginx but it doesn't block the agents anymore.
-
ProfessionalAmateur over 11 years
@mgorven - This is a different problem. The previous question wouldn't allow me to start nginx. This second issue isn't functioning (nginx starts, but the configuration isn't blocking user agents) as I expected it to. I feel it deserves its own unique question to not muddy the water.
-
mgorven over 11 years
The answer I posted in the previous question works as intended for me with nginx 1.1.19. Please post your entire config because those requests are probably hitting different location blocks.
-
ProfessionalAmateur over 11 years
Updated the OP, version and conf file. It's a pretty simple stupid site. Nothing too crazy.
-
ProfessionalAmateur over 11 years
But I want to block both the morfeus and ZmEu agents, how can I block both?
-
ProfessionalAmateur over 11 years
I want to block 2 different agents, morfeus and ZmEu
-
platforms over 11 years
Just use two blocks.
-
ProfessionalAmateur over 11 years
My conf file will get HUGE the more agents I block, there has to be a way to keep this clean and on one line... that would be my last resort.
-
platforms over 11 years
Your regex will get huge if you keep adding alternatives. Nginx doesn't mind, and you can roll them all up into one-liners to make it read better.
-
ProfessionalAmateur over 11 years
Great, I moved it and restarted services. Now just a waiting game to see when the box gets probed again. Shouldn't take more than a day or two. Good info on blocks only working within their own level, I didn't know that. Thanks.
-
mgorven over 11 years
@ProfessionalAmateur You can test this yourself (see my edit).
-
Mike over 11 years
I edited it to include the change