Tighter Wordpress at Nginx and with Fail2ban
## in the server block
#
# note: these are regex locations. nginx evaluates regex locations in file
# order and takes the FIRST one that matches, so put this whole set BEFORE the
# PHP handler location (location ~ \.php$); listed after it, wp-config.php and
# friends are passed to PHP-FPM instead of denied.
# note: a location regex is matched against the decoded, normalised request
# path ($uri) only, never against the query string, so a payload carried in
# ?id=... is not seen by any rule below.
# note: if you have posts with a title matching these, turn them off or fine-tune
# them to exclude those
## Block SQL injections
#
# These see the decoded request path only: a payload such as
# ?id=1 union select ... lives in the query string and never reaches them.
# Treat them as a tripwire for path-based scanner noise (and as a feed for the
# fail2ban jail), not as a WAF.
location ~* union.*select.*\(    { access_log /var/log/nginx/blocked.log blocked; deny all; }
location ~* union.*all.*select.* { access_log /var/log/nginx/blocked.log blocked; deny all; }
location ~* concat.*\(           { access_log /var/log/nginx/blocked.log blocked; deny all; }
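## Block common exploits
#
# Reminder: regex locations are matched against the decoded, normalised path
# ($uri). Requests are percent-decoded before matching, so the %3C / %24 /
# %0..%F alternatives below only fire on double-encoded input, and "../"
# segments are resolved by nginx before location matching, so the \.\./ rule
# rarely fires either. Keep them as cheap tripwires; they do not replace a
# real WAF (ModSecurity, NAXSI).
location ~* (<|%3C).*script.*(>|%3E) {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
location ~* base64_(en|de)code\(.*\) {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
location ~* (%24&x) {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
# Broad: "127\.0" matches any path that contains it, and with ~* the
# single-letter %A..%F alternatives match any remaining literal percent
# sequence. Three hits in a day get an address banned by the fail2ban jail,
# so watch blocked.log for false positives before trusting this one.
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
location ~* \.\.\/ {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
# Paths ending in "~" (typically editor backup copies, e.g. wp-config.php~,
# which nginx would otherwise serve as plain text).
location ~* ~$ {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
location ~* proc/self/environ {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
# Deny every dot-file and dot-directory, not only .htaccess/.htpasswd/.svn:
# an exposed .git/ or .env on a WordPress host is the more common leak.
# .well-known is excluded so ACME (Let's Encrypt) HTTP-01 challenges keep
# working.
location ~* /\.(?!well-known) {
    log_not_found off;
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}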
## Block file injections
#
# Both patterns look for a key=value pair, which normally travels in the query
# string; a location regex only sees the decoded path ($uri), so a request like
# ?file=../../etc/passwd never reaches these. They catch only the rarer
# path-embedded variant.
location ~* [a-zA-Z0-9_]=(\.\.//?)+        { access_log /var/log/nginx/blocked.log blocked; deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { access_log /var/log/nginx/blocked.log blocked; deny all; }
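## Block access to internal WordPress assets that aren't requested under normal
## circumstances
#
# These MUST appear before the `location ~ \.php$` handler: nginx takes the
# first regex location that matches, so a PHP handler listed earlier would
# pass wp-config.php to PHP-FPM instead of denying it.
#
# Deliberately unanchored so that leftover copies (wp-config.php.bak,
# wp-config.php.orig, ...) - which nginx would serve as plain text because
# they do not end in .php - are denied as well.
location ~* wp-config\.php {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
location ~* wp-admin/includes {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
location ~* wp-app\.log {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
# Among other things, WordPress's own readme.html advertises the installed
# version.
location ~* (licence|readme|license)\.(html|txt) {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}
# Nothing under wp-content/uploads should ever execute as PHP: a web shell
# dropped through a vulnerable plugin's upload handler lands there. Mirror
# whatever extensions your PHP handler location matches (.php5, .phtml, ...).
location ~* wp-content/uploads/.*\.php$ {
    access_log /var/log/nginx/blocked.log blocked;
    deny all;
}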
The nginx-blocked.conf filter fails on newer fail2ban versions because its failregex contains no address capture, so fail2ban cannot tell which IP to ban; it works when the failregex is specified as follows (`<ADDR>` needs fail2ban 0.10 or later; `<HOST>` is accepted by every version):
failregex = ^.* Blocked request from <ADDR> .*$
You have to define a new log format in /etc/nginx/nginx.conf, inside the http block (log_format is not allowed inside a server block):
# Log line consumed by the fail2ban filter: the filter keys on the literal
# "Blocked request from " followed by the client address, so keep the two in
# sync if either is changed.
# Behind a reverse proxy or CDN, $remote_addr is the proxy's address and the
# jail would ban it, cutting off every visitor; configure the realip module
# (set_real_ip_from / real_ip_header) so $remote_addr holds the real client
# before this line is written.
log_format blocked '$time_local: Blocked request from $remote_addr $request';
Fail2ban
/etc/fail2ban/jail.local
[nginx-blocked]
# Source: every request the nginx deny rules wrote to blocked.log.
enabled   = true
filter    = nginx-blocked
logpath   = /var/log/nginx/blocked.log
backend   = auto
# Ban policy: three denied requests from one address within a day earn a
# one-hour ban. The nginx patterns are broad, so check blocked.log for false
# positives before tightening these further.
maxretry  = 3
findtime  = 86400
bantime   = 3600
# Firewall action: drop the offender on the web ports only (INPUT chain), so a
# mis-banned address can still reach SSH and other services.
banaction = iptables-multiport
port      = 80,443
protocol  = tcp
chain     = INPUT
# If nginx sits behind a proxy/CDN, $remote_addr in blocked.log is the proxy
# and this jail would ban it for everyone; fix $remote_addr with nginx's realip
# module first, and consider listing your own management addresses in ignoreip.
/etc/fail2ban/filter.d/nginx-blocked.conf
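[Definition]
# Matches the nginx "blocked" log_format:
#   <time_local>: Blocked request from <client address> <request line>
# fail2ban strips the timestamp it detects and matches the remainder, hence
# the leading ".*?" to skip the ": " left over from the date prefix.
# <HOST> is the address capture fail2ban bans on; without it fail2ban cannot
# extract an IP and (as noted in the comments above) rejects the filter.
# <HOST> is accepted by every fail2ban release (<ADDR> needs >= 0.10).
# The lazy ".*?" anchors on the first "Blocked request from", so a crafted
# request line cannot supply a second address for fail2ban to ban instead.
failregex = ^.*? Blocked request from <HOST> .*$
ignoreregex =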