Nginx – Block IPs that try to exploit common webapp vulnerabilities

Tags: fail2ban, ip-blocking, nginx, security

Is there an application that goes through the nginx logs and blocks IPs that made requests for common webapp vulnerabilities?

I have an nginx web server that serves only static content. I routinely get requests for GET /db/websql/main.php or GET /db/phpMyAdmin2/main.php. Those are clear signs of somebody scanning for vulnerabilities. Is there an application that can go through the nginx logs, recognize these attempts to exploit common vulnerabilities and block the offending IPs? My idea is that, even if I am not vulnerable to those exploits, the same IPs could engage in other kinds of attacks on the same box or other boxes on my network: SMTP, SSH, other web servers with web applications. Blocking them while caught with their hands in the cookie jar seems a good approach to me.

Fail2ban does something similar for SSH and for HTTP authentication attempts. Maybe it could be used with a configuration that includes a list of well-known addresses used for vulnerabilities. Is there such a configuration available?
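The fail2ban approach sketched above, as an added example that is not part of the original post: a Python reimplementation of a jail's matching logic (a fail2ban-style `failregex` with the `<HOST>` token, plus `maxretry`/`findtime` window semantics) run over constructed nginx access-log lines. The probe paths beyond the two quoted in the question are assumptions, as are the sample IPs and timestamps; the same regex, with `<HOST>` left as-is, is what you would place in a `filter.d` file.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths to treat as vulnerability probes: the two from the question
# plus two constructed entries (assumption: typical scanner targets).
PROBE_PATHS = [
    r"/db/websql/main\.php",
    r"/db/phpMyAdmin2/main\.php",
    r"/phpmyadmin/",
    r"/wp-login\.php",
]

# fail2ban-style failregex for the nginx combined log format. <HOST> is the
# token fail2ban replaces with its own IP pattern when loading a filter.
FAILREGEX = (r'^<HOST> - \S+ \[[^\]]+\] "(?:GET|POST) (?:'
             + "|".join(PROBE_PATHS) + r')\S* HTTP/[\d.]+" \d{3}')

TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def compile_failregex(failregex):
    """Translate the <HOST> token into a named capture group (IPv4 or IPv6 chars)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)"))

def parse_time(line):
    """Extract the nginx timestamp, e.g. [10/Oct/2023:13:55:36 +0000]."""
    return datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def ips_to_ban(lines, failregex=FAILREGEX, maxretry=2, findtime=600):
    """Return hosts with at least `maxretry` matching requests inside any
    `findtime`-second window, mirroring a fail2ban jail's ban decision."""
    rx = compile_failregex(failregex)
    hits = defaultdict(list)   # host -> timestamps of matches still in the window
    banned = set()
    for line in lines:
        m = rx.match(line)
        if not m:
            continue
        host, t = m.group("host"), parse_time(line)
        window = [x for x in hits[host] if t - x <= timedelta(seconds=findtime)]
        window.append(t)
        hits[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /db/websql/main.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /db/phpMyAdmin2/main.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:14:30:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:15:30:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE_LOG)))   # only the host that probed twice within findtime
```

The second host probes twice but an hour apart, so with the default 600-second `findtime` it is not banned; widening the window or lowering `maxretry` changes that, which is the same tuning trade-off you make in a jail.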

Best Answer

From the gotroot.com forums:

You can use nginx with our rules by putting a reverse proxy Apache with mod_security in front of nginx. That's actually very lightweight and something we will be adding post 3.0 as an option for sites running alternative web servers like nginx, etc. As Scott said, nginx does not have any WAF module or capability, so there's no way you can do anything like modsecurity inside nginx.

People have requested the nginx team add a WAF, and I know LiteSpeed is working on full modsec support, but so far I haven't seen anything for nginx. So if you use nginx, and you want a WAF to protect it, you will need to put a WAF in front of it.

And as I said, this works great, so I highly recommend you do that. We've got a bunch of customers running all sorts of non-Apache web servers with Apache reverse proxies and mod_security in front of them. And as I mentioned, we will be adding this into ASL post 3.0 release as an option for non-Apache web servers.

(Gotroot.com is well known for the mod_security rules list they provide.)

Another thing you can try is naxsi, which is a Web Application Firewall module for nginx, although it's still in an alpha version.