Nginx not blocking user agents


I have this in my .conf file for my website in an attempt to block 2 user agents from constantly probing my server.

## Block http user agent - morpheus fucking scanner ##
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
   return 403;
}

I've also tried the following, with no luck:

if ($http_user_agent ~* ("morfeus fucking scanner|ZmEu"))
if ($http_user_agent ~* (morfeus fucking scanner|ZmEu))
if ($http_user_agent ~* ("morfeus fucking scanner"|"ZmEu"))
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu")
if ($http_user_agent ~* morfeus fucking scanner|ZmEu)

It worked well when I only had 1 user agent, but since I attempted to add a second, these user agents are still able to probe the server.

111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"

According to these two posts, "#12: How Do I Deny Certain User-Agents?" and "HowTo: Nginx Block User Agent", I think I'm set up correctly, but it doesn't seem to be working.


EDIT

Here is the nginx version and whole conf file

nginx version: nginx/1.2.7

server {
listen       80;
server_name  localhost;

#charset koi8-r;

access_log  /var/log/nginx/XXXXXX/access.log  main;
error_log /var/log/nginx/XXXXXX/error.log;

root /srv/www/XXXXXX;

location / {
    index  index.html index.htm index.php;

    #5/22/2012 - Turn on Server Side Includes
    ssi on;

    ## Block http user agent - morpheus fucking scanner ##
    if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
       return 403;
    }

    ## Only allow GET and HEAD request methods. By default Nginx blocks
    ## all request types other than GET and HEAD for static content.
    if ($request_method !~ ^(GET|HEAD)$ ) {
      return 405;
    }
}

location ~ \.php {
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    #fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /srv/www/XXXXXX/$fastcgi_script_name;
}

#error_page  404              /404.html;

# redirect server error pages to the static page /50x.html
error_page   500 502 503 504  /50x.html;
location = /50x.html {
    root   /usr/share/nginx/html;
}

# Redirect server error pages to the static page
error_page 403 404 /error403.html;
location = /error403.html {
    root /usr/share/nginx/html;
}
}

Best Answer

nginx only applies one location block at each level of the config. All the files which are 404ing are .php files which hit the \.php location block, and therefore do not use the / location block which contains your user agent block. To fix this, move your user agent block outside the location block to the root level so that it gets applied to all requests.

if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
    return 403;
}

location / {
    ...
}

location ~ \.php {
    ...
}

Edit: You can test this with something like curl which lets you set arbitrary headers:

% curl -I localhost/sf645/blah
HTTP/1.1 404 Not Found
% curl -I -H 'User-agent: ZmEu' localhost/sf645/blah
HTTP/1.1 403 Forbidden
% curl -I -H 'User-agent: morfeus fucking scanner' localhost/sf645/blah
HTTP/1.1 403 Forbidden
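
The location selection described in the answer can be modelled offline. The following is an added example, not code from the question or the answer; it is a simplified model of nginx's location matching (exact, longest prefix, first regex) and the names `select_location` and `ua_check_runs` are hypothetical. It runs two URIs from the question's access log through the question's four locations and shows why the `.php` probes never reach the user-agent check while the `/w00tw00t...` request does.

```python
import re

# Locations from the question's server block, in config order.
# (modifier, pattern, has_ua_check): only "location /" contains the UA "if".
LOCATIONS = [
    ("", "/", True),
    ("~", r"\.php", False),
    ("=", "/50x.html", False),
    ("=", "/error403.html", False),
]

UA_BLOCK = re.compile(r"morfeus fucking scanner|ZmEu", re.IGNORECASE)  # nginx ~*


def select_location(uri, locations=LOCATIONS):
    """Simplified nginx selection: exact match, then longest prefix
    (final if marked ^~), then the first matching regex, else that prefix."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc
    if best is not None and best[0] == "^~":
        return best
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return loc
    return best


def ua_check_runs(uri, user_agent, server_level=False):
    """True if the 403 rule would fire for this request."""
    loc = select_location(uri)
    # A server-level "if" is evaluated before any location is chosen.
    evaluated = server_level or (loc is not None and loc[2])
    return evaluated and bool(UA_BLOCK.search(user_agent))


# URIs taken from the access log in the question.
for uri in ["/phpMyAdmin/scripts/setup.php", "/w00tw00t.at.blackhats.romanian.anti-sec:)"]:
    loc = select_location(uri)
    print(uri, "->", f"location {loc[0]} {loc[1]}".replace("  ", " "),
          "| blocked:", ua_check_runs(uri, "ZmEu"),
          "| with server-level if:", ua_check_runs(uri, "ZmEu", server_level=True))
```

The result matches the log: the only request that returned 403 was the one without `.php` in the path, because it was the only one handled by `location /`.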