Nginx – instantly reject all unexpected connection attempts

Tags: nginx, security

After deploying my server on AWS EC2, I often get some strange suspicious requests which look malicious. Somebody is looking for wordpress, phpmyadmin, AWS metadata and other stuff which I never had. I've managed to block most of these requests with return 444, but some of them still go through, making NGINX answer 400 or 404 to them. But I don't want to answer them; I want to just reject them. What should I do in my config for that?

Below is my config and part of access.log with unexpected requests:

#first site - accept only Host === first-domain.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name first-domain.com;

    location / {
        proxy_pass http://backend.first-domain.com;   # proxy_pass requires a scheme (http:// or https://)
    }

    resolver 8.8.8.8;
}

#redirect all http to https if Host one of [first-domain.com, second-domain.com]
server {
    listen 80;
    listen [::]:80;

    server_name first-domain.com second-domain.com;

    return 301 https://$host$request_uri;
}

#second site - accept only Host === second-domain.com
#and location is /resource or matches to some_regexp
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name second-domain.com;

    location = /resource {
        if ($arg_somearg = '') {
            return 400; 
        }

        proxy_pass http://backend.second-domain.com;  # proxy_pass requires a scheme (http:// or https://)
    }

    location ~ ^some_regexp$ {
        proxy_pass http://backend.second-domain.com;
    }

    location / {
        return 444;
    }

    resolver 8.8.8.8;
}

#reject all other connection attempts
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 default_server;
    listen [::]:443 default_server;

    server_name "";

    return      444;
}

From access.log:

44.224.22.196 - - [18/Feb/2020:01:15:33 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:34 +0000] "CONNECT 3.122.236.218:80 HTTP/1.0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:35 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03%\xAE\xD1\xED\xB8\xEC\x9Dn\xF6\x90H:F\xFE\xA65\xF3\xBB\x1E\xBEb\x94\xD3b`\x88|;\x89\x8Ed]\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:35 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\x99\x87$\xB0]M \xE4\x00\xF3e\xDB\x03\x1F\xBA\xC5\x16\xD5\x15\xAF\xF1\xBD\xD6\xD0\xA4\xB8b\xF8\xA3y\xBEB\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:35 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x030\xEBp\x09\xE5\x17\xCB\xA36AV\xBE\x02\xF5(M2\xC13d1\xD6L\x90~\xF9*\xE8\xFE\xC3\x094\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:36 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03L\xF86\x8F\xEE\xB2u\x99\xD2\xC68b\xD8\xD7\x8C\xE5=\x0Bt\x95\x8D\x0C\xDD\x00\xFFn\xEC\x88(\xBE\x061\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 182 "-" "-"
44.224.22.196 - - [18/Feb/2020:01:15:36 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03" 400 182 "-" "-"
41.216.186.89 - - [18/Feb/2020:01:28:23 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 182 "-" "-"
61.219.11.153 - - [18/Feb/2020:02:44:56 +0000] "GET / HTTP/1.1" 400 182 "-" "-"
157.55.39.6 - - [18/Feb/2020:03:52:53 +0000] "GET /robots.txt HTTP/1.1" 404 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.48 - - [18/Feb/2020:03:52:57 +0000] "GET / HTTP/1.1" 404 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
41.216.186.89 - - [18/Feb/2020:05:05:47 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 182 "-" "-"
157.55.39.6 - - [18/Feb/2020:05:19:13 +0000] "GET /robots.txt HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.55.39.6 - - [18/Feb/2020:05:19:14 +0000] "GET /robots.txt HTTP/1.1" 404 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
207.46.13.48 - - [18/Feb/2020:05:19:18 +0000] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

Best Answer

The reason you see these is obviously because you have location / passing everything to your backend by default.

You don't say how you are blocking the undesirable requests, so I'll assume you created a manual blacklist of blocked URLs in your Nginx config. By default you accept all requests, then you block a specific (very small) subset of all possible urls. This is probably not a manageable long-term solution.

When feasible, using your web server config as a url whitelist is both simple and effective. Only accept requests to known good urls and reject the rest. For example, if you are serving an api endpoint, you can only accept requests to /api/v1/ or whatever your endpoints are. Create a location block that passes those requests to the backend, then block all other requests:

location / {
  return 404;
}

For a standard website, you may or may not be able to come up with a sane way to maintain such a whitelist in your Nginx config as your website grows or changes. In those cases there are excellent WAF solutions available like ModSecurity and fail2ban. ModSecurity and fail2ban have very different strengths, so they complement one another quite well. Fail2ban is a lot simpler to configure. You may be content to just have fail2ban block IPs with excessive 4xx responses.

https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/

https://modsecurity.org/

https://wiki.archlinux.org/index.php/Fail2ban
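As an added example (not the asker's or the answerer's config), here is the whitelist layout the answer describes, combined with a default server that also terminates TLS, so that HTTPS probes for unknown names are dropped instead of being answered with 400. api.example.com, the backend address and the certificate paths are placeholders, and ssl_reject_handshake requires nginx 1.19.4 or later.

```nginx
# Added example, not the asker's or the answerer's config: the answer's
# whitelist approach plus a catch-all that also terminates TLS, so unknown
# names over HTTPS are dropped (444) instead of answered (400).
# api.example.com, the backend address and certificate paths are placeholders.

# Plain HTTP catch-all: any Host matching no other server lands here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection, send nothing
}

# HTTPS catch-all. Without "ssl" on this listener nginx reads the TLS
# ClientHello (the "\x16\x03\x01..." bytes in the question's log) as an
# HTTP request line and answers 400. ssl_reject_handshake (nginx 1.19.4+)
# aborts handshakes with no SNI or an SNI matching no server_name, so this
# block needs no certificate; requests that pass the handshake (valid SNI)
# but carry an unknown Host header still reach it and get 444.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Whitelisted site: only known paths reach the backend.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/nginx/tls/api.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;  # placeholder

    location = /resource {
        if ($arg_somearg = '') { return 444; }  # drop instead of answering 400
        proxy_pass http://127.0.0.1:8080;       # placeholder backend
    }

    location ^~ /api/v1/ {
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        return 444;   # wp-login.php, phpmyadmin, /latest/meta-data, ... all dropped
    }
}
```

Bytes that nginx cannot parse as HTTP at all (the CONNECT lines and the "\x03\x00\x00/*\xE0..." RDP probe in the log) are answered 400 by the request parser before any location is chosen, so no return 444 can catch them; the fail2ban rule on repeated 4xx that the answer mentions is the tool for those.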