2 maps for 1 variable?

Hello,

Is it possible to use more than one map directive with a single
variable? I tried but it seems the second map overwrites any value set
by the 1st map even if there is no match in the 2nd map. I tried leaving
out the default value in the second map.


Cole

On Apr 1, 2015, at 3:23 PM, Steve H. wrote:

though.

Does that fit with what you’re trying to do??

That does work. Thanks!

Hello,

I’m seeing lots of shellshock probing in my access logs. My server’s not
vulnerable, but my logs are filling up with 404s. The requests are for
random cgi scripts. The referer and user_agents are the same and always
start with () { :; }; followed by curl or wget to a remote perl script
piped to perl locally. I’d like to return 444 for these.

I’m currently using a couple of maps to set a variable $drop. What would
be the most efficient way to test for the initial “() { :; };” at
beginning of these request headers? This is what I have so far:

map $http_referer $drop_referer {
    default 0;
    "~^\s*\(\s*\)\s*\{[^\}]*\}\s*"  1;
}
map $http_user_agent $drop {
    default $drop_referer;
    "~^\s*\(\s*\)\s*\{[^\}]*\}\s*"  1;
}

Or is there a better method to block these?


Cole

On Wed, 2015-04-01 at 15:05 -0400, Cole Tierney wrote:

Hello,

Is it possible to use more than one map directive with a single variable? I
tried but it seems the second map overwrites any value set by the 1st map even if
there is no match in the 2nd map. I tried leaving out the default value in the
second map.


Cole

You can link 2 maps together by setting the default value for the second
map as the result from the first map. Unique names will be required
though.

Does that fit with what you’re trying to do??


Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

Thanks mex, I’ll check it out.

hi cole,

if implementable you could use naxsi (https://github.com/nbs-system/naxsi)
for this, there exists a rule to detect and block
shellshock-exploit-attempts:

MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393 ;

see → http://spike.nginx-goodies.com/rules/view/42000393

there is also an extended ruleset available
Bitbucket

cheers,

mex

Posted at Nginx Forum:

if you have questions on naxsi, feel free to join the naxsi-discuss - ml

https://groups.google.com/forum/#!forum/naxsi-discuss

cheers,

mex

Thanks! I like the combined variables in the 3rd map.

That is the power of the ‘empty value = does nothing’ logic. :o)

B. R.

On Thu, Apr 2, 2015 at 3:33 PM, Cole Tierney

Cole Tierney Wrote:

Or is there a better method to block these?

Not really better but good enough :)

map $http_referer $waffableref {
default 0;
# regex quoted so nginx does not parse "{" and ";" as config syntax
"~\{.:;" 1;
}
map $http_user_agent $waffableua {
default 0;
"~\{.:;" 1;
}
map $waffableref$waffableua $waffable {
default 0;
~1 1;
}

Block shellshock:

if ($waffable) { return 444; }

Drop’m from logging:

map $waffable $loggable {
default 1;
~1 0;
}

access_log /path/to/access.log combined if=$loggable;

Posted at Nginx Forum:
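
The two approaches from this thread checked against constructed header values, as an added example that is not code from any poster. Cole's anchored regex and chained-map default are ported to Python's `re`, and the naxsi rule is approximated as a plain substring test on the two headers only; the function names and sample values are assumptions.

```python
import re

# Cole's anchored map regex from the thread, without nginx's leading "~".
ANCHORED = re.compile(r"^\s*\(\s*\)\s*\{[^\}]*\}\s*")
# Substring from the naxsi rule quoted in the thread ("str:() {").
NAXSI_STR = "() {"

def drop(referer, user_agent):
    """Mirror the chained maps: $drop is 1 if either header matches."""
    drop_referer = 1 if ANCHORED.search(referer) else 0  # map $http_referer
    # map $http_user_agent: a match sets 1, otherwise "default $drop_referer"
    return 1 if ANCHORED.search(user_agent) else drop_referer

def naxsi_hit(referer, user_agent):
    """Approximate the str: rule as a substring test on both headers."""
    return int(any(NAXSI_STR in h for h in (referer, user_agent)))

def loggable(dropped):
    """Mirror 'map $waffable $loggable': dropped requests are not logged."""
    return 0 if dropped else 1

# Constructed (referer, user_agent) pairs; "<command>" is a placeholder.
SAMPLES = {
    "probe_both": ("() { :; }; <command>", "() { :; }; <command>"),
    "probe_ua":   ("", "() { :; }; <command>"),
    "probe_ref":  ("() { :; }; <command>", "curl/7.40.0"),
    "benign":     ("https://example.test/", "Mozilla/5.0 (X11; Linux x86_64)"),
    "braces_mid": ("https://example.test/?q=function () { return 1 }", "Mozilla/5.0"),
}

def evaluate():
    """Return {name: (drop, naxsi_hit, loggable)} for every sample."""
    return {name: (drop(r, u), naxsi_hit(r, u), loggable(drop(r, u)))
            for name, (r, u) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (d, n, log) in evaluate().items():
        print(f"{name:11} drop={d} naxsi_str={n} loggable={log}")
```

The `braces_mid` row is the one to look at: the substring rule scores a benign referer that merely contains `() {`, while the anchored regex leaves it alone and keeps it in the access log.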