Prevent scanning

Server security: add Nginx rules to prevent servers from being scanned by malicious robots

If you buy your own server to host a website, server security becomes your problem. Even if you never notice it, your server is scanned by automated bots every day. In this post the author shares a few Nginx rules that keep the server from being scanned.

1. Disable server access through IP by default

Every server has an IP address, and some bots will request the bare IP address directly to probe whatever content is hosted on it.

We can add the following to the Nginx configuration so that requests for the bare IP address (or any unknown host name) are refused:

 # If someone visits via the bare IP or an unknown domain name and you want
 # to show them no valid content, answer from a catch-all default server:
 server {
     listen 80 default_server;
     server_name _;
     return 500;
 }

 # Then add one server block per real domain name that should be reachable:
 server {
     listen 80;
     server_name naibabiji.com;
 }

Note that this only covers port 80. A bot that opens https://<IP>/ lands on whichever server block nginx treats as the default for port 443 (the first one listed, unless one is marked default_server), so add a matching default_server for 443 as well; on nginx 1.19.4 or later, ssl_reject_handshake on; in that block drops the TLS handshake without needing a certificate.

2. Prevent robots from scanning compressed files of websites

Similarly, many bots request specific files under your domain directly. For example, the log excerpt in the figure below shows someone scanning this site for a wwwroot.zip file.

 [Figure: scan log showing requests for wwwroot.zip]

We can add rules so that requests for these archive files are redirected to a very large file, and let the bot download that instead.

 rewrite \.asp/?$ http://speedtest.tele2.net/50GB.zip permanent;
 rewrite \.zip/?$ http://speedtest.tele2.net/50GB.zip permanent;
 rewrite \.gz/?$  http://speedtest.tele2.net/50GB.zip permanent;
 rewrite \.7z/?$  http://speedtest.tele2.net/50GB.zip permanent;
 rewrite \.sql/?$ http://speedtest.tele2.net/50GB.zip permanent;
 rewrite \.rar/?$ http://speedtest.tele2.net/50GB.zip permanent;
 rewrite \.tar/?$ http://speedtest.tele2.net/50GB.zip permanent;

With the rules above, any request for a path ending in .asp, .zip, .gz, .7z, .sql, .rar or .tar on the site is answered with a permanent (301) redirect to a 50 GB zip file, and the bot is left to fetch that on its own.

You can also point it at even larger files, such as 1000 GB, to fill up its disk:

 http://speedtest.tele2.net/1000GB.zip
 http://speedtest.tele2.net/100GB.zip
 http://speedtest.tele2.net/50GB.zip

Two caveats: a redirect only works against a scanner that actually follows redirects (many do not, as the update below shows), and it pushes the scanner's traffic onto a third-party host, so the file-serving cost lands on someone else rather than disappearing.

Of course, you can also install the Defender Security plugin, which can intercept these bots for you. If you would rather not add rewrite rules by hand, a plugin that supports redirects, such as the redirection feature of Rank Math, can do the same job.

Updated on September 20, 2021:

Today a new bot was found scanning the site that ignored the 301 redirect (or perhaps the target file was simply too large for it to fetch), and it pinned the CPU of this site's server several times, so another method was needed.

The simplest and bluntest approach is to add the following rule to the Nginx configuration so that requests for archive and dump files on the server are refused outright (use with care on a site that legitimately offers such files for download):

 location ~ \.(zip|rar|sql|bak|gz|7z)$ { return 444; }

When anyone requests a .zip, .rar or similar resource on the site, nginx answers with status 444 directly.

444 No Response
A non-standard status code specific to nginx: the server sends nothing back to the client and simply closes the connection (which also helps against malware that expects a well-formed response).
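The redirect and 444 rules above only help if you know what the scanners are hitting and whether the rules are actually firing. The following shell script is an added example, not code from the article: it runs over Nginx access-log lines in the default combined format (the sample lines are constructed for this example; the IPs and paths are made up) and reports which clients are probing for archive or dump files, what status codes those probes received, and, most importantly, any archive that was actually served with a 200, which is a real leak rather than a blocked probe.

```shell
#!/bin/sh
# Added example: triage archive/dump-file probing in an nginx access log.
# Assumes the default "combined" log format: $1=client IP, $6="METHOD,
# $7=path, $9=status. The log below is constructed sample data.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.10 - - [20/Sep/2021:10:01:02 +0800] "GET /wwwroot.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Sep/2021:10:01:03 +0800] "GET /backup.sql HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Sep/2021:10:01:04 +0800] "GET /www.rar HTTP/1.1" 444 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2021:10:05:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2021:10:05:01 +0800] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2021:10:05:02 +0800] "GET /old/site-backup.zip HTTP/1.1" 200 7340032 "-" "Mozilla/5.0"
192.0.2.33 - - [20/Sep/2021:10:07:00 +0800] "GET /db.tar.gz HTTP/1.1" 301 169 "-" "python-requests/2.25"
192.0.2.33 - - [20/Sep/2021:10:07:01 +0800] "HEAD /site.7z?x=1 HTTP/1.1" 404 162 "-" "python-requests/2.25"
192.0.2.33 - - [20/Sep/2021:10:07:02 +0800] "GET /readme.txt HTTP/1.1" 404 162 "-" "python-requests/2.25"
EOF

# Shared awk filter: for every GET/HEAD/POST whose path (query string removed)
# ends in one of the extensions the article blocks, emit "ip status path".
PROBE_FILTER='
    $6 ~ /^"(GET|HEAD|POST)$/ {
        path = $7
        sub(/\?.*/, "", path)
        if (path ~ /\.(zip|rar|sql|bak|gz|7z|tar)$/) print $1, $9, path
    }'

# archive_probes LOG: "count ip" per client that probed for archives, busiest first.
archive_probes() {
    awk "$PROBE_FILTER" "$1" \
        | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -rn
}

# probe_status_counts LOG: "status count" for the probes, so you can see whether
# the 444 rule is firing (444), the rewrite is redirecting (301), or nothing
# exists at that path (404).
probe_status_counts() {
    awk "$PROBE_FILTER" "$1" \
        | awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' \
        | sort -n
}

# exposed_archives LOG: probes that were answered 200/206. Each of these is an
# archive that really exists under the web root and was handed out: remove it.
exposed_archives() {
    awk "$PROBE_FILTER" "$1" \
        | awk '$2 == "200" || $2 == "206" { print $1, $3 }' \
        | sort -u
}

echo "Clients probing for archives (count ip):"; archive_probes "$LOG"
echo "Status codes returned to those probes:";  probe_status_counts "$LOG"
echo "Archives actually served (real leaks):";  exposed_archives "$LOG"
```

On the constructed log this lists 203.0.113.10 as the busiest scanner, shows one probe already answered with 444, and flags /old/site-backup.zip as a file that was served successfully, which no blocking rule fixes: the file has to be deleted or moved out of the web root. Point the functions at /usr/local/nginx/logs/access.log (or wherever access_log writes) to run it on real traffic.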

Another method is to put a WAF in front of Nginx. If you use the BT (Pagoda) panel, one can be installed directly from the panel's software store.

If you use the LNMP one-click package, install it as follows.

The LNMP one-click installer has offered Lua support since version 1.5. To enable it, set the value after Enable_Nginx_Lua in lnmp.conf to y. If LNMP is not installed yet, edit and save lnmp.conf first; Nginx will then support Lua once LNMP is installed. If LNMP is already installed, edit lnmp.conf in the same way, then run ./upgrade.sh nginx in the LNMP installer directory and enter either the currently installed Nginx version number or a newer one; when the upgrade completes, Lua is supported.

Install ngx_lua_waf
Download and install ngx_lua_waf:

 wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip -O ngx_lua_waf.zip
 unzip ngx_lua_waf.zip
 mv ngx_lua_waf-master /usr/local/nginx/conf/waf

Configure and enable ngx_lua_waf in Nginx

Edit /usr/local/nginx/conf/nginx.conf and add the following directly below the server_tokens off; line:

 lua_package_path "/usr/local/nginx/conf/waf/?.lua";
 lua_shared_dict limit 10m;
 init_by_lua_file /usr/local/nginx/conf/waf/init.lua;

Save after modification

To enable ngx_lua_waf for a particular virtual host, edit that host's server block and add the following line below the root directive that sets the site's document root:

 access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Save after modification

Test the Nginx configuration: /usr/local/nginx/sbin/nginx -t
Reload the configuration so it takes effect: /usr/local/nginx/sbin/nginx -s reload

If no error is reported in the test and reload, it will be effective.

To confirm the WAF is active, request a URL that carries an obvious attack payload, such as http://<your domain>/test.php?id=../etc/passwd; the WAF should block it instead of passing it to PHP.
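The steps above edit nginx.conf by hand, and the edit has to be repeated after every upgrade.sh run that rewrites the file. The script below is an added example, not part of the article or of ngx_lua_waf: it applies the same two insertions (the three http-level directives after server_tokens off; and access_by_lua_file after each server block's root line) with awk, and refuses to insert them a second time. It assumes the layout the article describes: a server_tokens off; line at http level, a root directive in each server block, and the WAF unpacked to /usr/local/nginx/conf/waf. The nginx.conf it edits is a constructed stand-in written to a temp file.

```shell
#!/bin/sh
# Added example: enable ngx_lua_waf in an nginx.conf idempotently.
# WAF_DIR is the install path used in the article's instructions.
WAF_DIR=/usr/local/nginx/conf/waf

# Constructed stand-in for /usr/local/nginx/conf/nginx.conf.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
http {
    server_tokens off;
    include mime.types;

    server {
        listen 80;
        server_name naibabiji.com;
        root /home/wwwroot/naibabiji.com;
        index index.php index.html;
    }
}
EOF

# enable_waf CONF: insert the http-level directives after "server_tokens off;"
# and access_by_lua_file after every "root" line, preserving indentation.
# Does nothing if init_by_lua_file is already present.
enable_waf() {
    conf=$1
    if grep -q 'init_by_lua_file' "$conf"; then
        return 0                  # already enabled, leave the file alone
    fi
    awk -v waf="$WAF_DIR" '
        { print }
        /^[ \t]*server_tokens[ \t]+off;/ {
            ind = $0; sub(/[^ \t].*/, "", ind)      # keep the line indent
            print ind "lua_package_path \"" waf "/?.lua\";"
            print ind "lua_shared_dict limit 10m;"
            print ind "init_by_lua_file " waf "/init.lua;"
        }
        /^[ \t]*root[ \t]/ {
            ind = $0; sub(/[^ \t].*/, "", ind)
            print ind "access_by_lua_file " waf "/waf.lua;"
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# waf_directive_count CONF: number of WAF-related directives present
# (4 for a single server block once enable_waf has run exactly once).
waf_directive_count() {
    grep -c -E 'lua_package_path|lua_shared_dict|init_by_lua_file|access_by_lua_file' "$1"
}

enable_waf "$CONF"
enable_waf "$CONF"        # second run must be a no-op
cat "$CONF"
```

After running this on the real file, finish with /usr/local/nginx/sbin/nginx -t and a reload as the article describes; the script deliberately does not reload nginx itself, so a broken edit never takes effect unchecked.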

For more detail, see the article the author links here.

This is the 11th/20th article in the series: WordPress Security
