nginx not blocking user agents

Solution 1

nginx only applies one location block at each level of the config. All the files which are 404ing are .php files which hit the \.php location block, and therefore do not use the / location block which contains your user agent block. To fix this, move your user agent block outside the location block to the root level so that it gets applied to all requests.

if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
    return 403;
}

location / {
    ...
}

location ~ \.php {
    ...
}

Edit: You can test this with something like curl which lets you set arbitrary headers:

% curl -I localhost/sf645/blah
HTTP/1.1 404 Not Found
% curl -I -H 'User-agent: ZmEu' localhost/sf645/blah
HTTP/1.1 403 Forbidden
% curl -I -H 'User-agent: morfeus fucking scanner' localhost/sf645/blah
HTTP/1.1 403 Forbidden
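
As an added example (not part of the original answer), the same server-level check can be driven by a `map`, so that adding another agent means adding one line rather than lengthening the regex. The variable name `$blocked_agent` is hypothetical, and the `map` block is assumed to sit in the `http` context, outside the `server` block:

```nginx
# Added example, not from the original answers.
# http context (nginx.conf or an included file): one pattern per line.
# "~*" marks a case-insensitive regex; quote patterns that contain spaces.
map $http_user_agent $blocked_agent {   # $blocked_agent is a hypothetical name
    default                        0;
    "~*morfeus fucking scanner"    1;
    ~*ZmEu                         1;
}

server {
    listen       80;
    server_name  localhost;
    root /srv/www/XXXXXX;

    # Server level: evaluated before a location is chosen, so it applies
    # to requests that end up in "/" and to those that end up in "\.php".
    # An empty value or "0" is false, so only matched agents get the 403.
    if ($blocked_agent) {
        return 403;
    }

    location / {
        index  index.html index.htm index.php;
    }

    location ~ \.php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME /srv/www/XXXXXX/$fastcgi_script_name;
    }
}
```

Check the syntax with `nginx -t` before reloading, then repeat the curl requests above against a `.php` path to confirm that the blocked agents now receive 403 there as well.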

Solution 2

Try this:

if ($http_user_agent ~* (morfeus|ZmEu) ) {
   return 403;
}

Author by

ProfessionalAmateur

Updated on September 18, 2022

Comments

  • ProfessionalAmateur
    ProfessionalAmateur almost 2 years

    I have this in my .conf file for my website in an attempt to block 2 user agents from constantly probing my server.

    ## Block http user agent - morpheus fucking scanner ##
    if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
       return 403;
    }
    

    I've also tried the following, with no luck:

    if ($http_user_agent ~* ("morfeus fucking scanner|ZmEu"))
    if ($http_user_agent ~* (morfeus fucking scanner|ZmEu))
    if ($http_user_agent ~* ("morfeus fucking scanner"|"ZmEu"))
    if ($http_user_agent ~* "morfeus fucking scanner|ZmEu")
    if ($http_user_agent ~* morfeus fucking scanner|ZmEu)
    

    It worked well when I only had 1 user agent, but in an attempt to add a second, these user agents are still able to probe the server.

    111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
    111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
    111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
    111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 118 "-" "ZmEu" "-"
    111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
    111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
    

    According to these two posts, #12: How Do I Deny Certain User-Agents? and HowTo: Nginx Block User Agent, I think I'm set up correctly, but it doesn't seem to be working.


    EDIT

    Here is the nginx version and whole conf file

    nginx version: nginx/1.2.7
    
    server {
    listen       80;
    server_name  localhost;
    
    #charset koi8-r;
    
    access_log  /var/log/nginx/XXXXXX/access.log  main;
    error_log /var/log/nginx/XXXXXX/error.log;
    
    root /srv/www/XXXXXX;
    
    location / {
        index  index.html index.htm index.php;
    
        #5/22/2012 - Turn on Server Side Includes
        ssi on;
    
        ## Block http user agent - morpheus fucking scanner ##
        if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
           return 403;
        }
    
        ## Only allow GET and HEAD request methods. By default Nginx blocks
        ## all request types other than GET and HEAD for static content.
        if ($request_method !~ ^(GET|HEAD)$ ) {
          return 405;
        }
    }
    
    location ~ \.php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /srv/www/XXXXXX/$fastcgi_script_name;
    }
    
    #error_page  404              /404.html;
    
    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
    
    # Redirect server error pages to the static page
    error_page 403 404 /error403.html;
    location = /error403.html {
        root /usr/share/nginx/html;
    }
    }
    
    • ProfessionalAmateur
      ProfessionalAmateur over 11 years
      @mgorven - That was posted by me as well. The solution there allowed me to start up nginx but it doesn't block the agents anymore.
    • ProfessionalAmateur
      ProfessionalAmateur over 11 years
      @mgorven - This is a different problem. The previous question wouldn't allow me to start nginx. This second issue isn't functioning (nginx starts, but the configuration isn't blocking user agents) as I expected it to. I feel it deserves its own unique question to not muddy the water.
    • mgorven
      mgorven over 11 years
      The answer I posted in the previous question works as intended for me with nginx 1.1.19. Please post your entire config because those requests are probably hitting different location blocks.
    • ProfessionalAmateur
      ProfessionalAmateur over 11 years
      Updated the OP, version and conf file. It's a pretty simple stupid site. Nothing too crazy.
  • ProfessionalAmateur
    ProfessionalAmateur over 11 years
    But I want to block both the morfeus and ZmEu agents, how can I block both?
  • ProfessionalAmateur
    ProfessionalAmateur over 11 years
    I want to block 2 different agents, morfeus and ZmEu
  • platforms
    platforms over 11 years
    Just use two blocks.
  • ProfessionalAmateur
    ProfessionalAmateur over 11 years
    My conf file will get HUGE the more agents I block, there has to be a way to keep this clean and on one line... that would be my last resort.
  • platforms
    platforms over 11 years
    Your regex will get huge if you keep adding alternatives. Nginx doesn't mind, and you can roll them all up into one-liners to make it read better.
  • ProfessionalAmateur
    ProfessionalAmateur over 11 years
    Great, I moved it and restarted services. Now just a waiting game to see when the box gets probed again. Shouldn't take more than a day or two. Good info on blocks only working within their own level, I didn't know that. Thanks.
  • mgorven
    mgorven over 11 years
    @ProfessionalAmateur You can test this yourself (see my edit).
  • Mike
    Mike over 11 years
    I edited it to include the change