Created
February 6, 2020 12:34
-
-
Save eksiscloud/2539dc80bfa7675ce26408fa1ee4cdb8 to your computer and use it in GitHub Desktop.
Tighter Wordpress at Nginx and with Fail2ban
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## in the server block | |
| # | |
| # note: if you have posts with title matching these, turn them off or fine-tune | |
| # them to exclude those | |
| ## Block SQL injections | |
| location ~* union.*select.*\( { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* union.*all.*select.* { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* concat.*\( { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| ## Block common exploits | |
| location ~* (<|%3C).*script.*(>|%3E) { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* base64_(en|de)code\(.*\) { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* (%24&x) { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* \.\.\/ { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* ~$ { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* proc/self/environ { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* /\.(htaccess|htpasswd|svn) { log_not_found off; | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| ## Block file injections | |
| location ~* [a-zA-Z0-9_]=(\.\.//?)+ { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| ## Block access to internal WordPress assets that isn't queried under normal | |
| ## circumstances | |
| location ~* wp-config.php { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* wp-admin/includes { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* wp-app\.log { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } | |
| location ~* (licence|readme|license)\.(html|txt) { | |
| access_log /var/log/nginx/blocked.log blocked; | |
| deny all; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The nginx-blocked.conf fails with newer fail2ban versions, but works when specified as
failregex = ^.* Blocked request from <ADDR> .*$