Do i need mod_security for nginx?

addis_a · October 21, 2013, 10:13pm

Today i found one particular IP address which was trying a lot of things
in
my server.

For a second, it was sending atleast 50 requests.
It was keep on accessing my admin login page with post and get request
That IP tried proxy GET http://…
It tried to inject something in the script with -d parameter.

i added "limit_req_zone $binary_remote_addr zone=app:10m rate=2r/s;
" in
http block and
location / {
limit_req zone=app burst=50;
}

I believe it will block too many connections per second from a ip.
How do i secure the server from other attacks?

Thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,243933,243933#msg-243933

agriz · October 21, 2013, 11:17pm

On 10/21/2013 10:12 PM, agriz wrote:

location / {
limit_req zone=app burst=50;
}

I believe it will block too many connections per second from a ip.
How do i secure the server from other attacks?

Have a look at fail2ban.

Regards,
Patrick

agriz · October 21, 2013, 11:41pm

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port=“http,https”]
logpath = /var/log/nginx*/error.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port=“http,https”]
logpath = /var/log/nginx*/access.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port=“http,https”]
logpath = /var/log/nginx*/access.log
bantime = 86400 # 1 day
maxretry = 1

[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port=“http,https”]
filter = nginx-noscript
logpath = /var/log/nginx*/access.log
maxretry = 6
bantime = 86400 # 1 day

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port=“http,https”]
filter = nginx-proxy
logpath = /var/log/nginx*/access.log
maxretry = 0
bantime = 86400 # 1 day

filters.d/nginx-proxy.conf
[Definition]
failregex = ^ -.GET http.
ignoreregex =

nginx-noscript.conf

[Definition]
failregex = ^ -.GET.(.php|.asp|.exe|.pl|.cgi|\scgi)
ignoreregex =

nginx-auth.conf

[Definition]

failregex = no user/password was provided for basic
authentication.client:

user . was not found in.client:
user . password mismatch.*client:

ignoreregex =

nginx-login.conf

[Definition]
failregex = ^ -.*POST /sessions HTTP/1…" 200
ignoreregex =

I m using nginx with php fpm.
I tried to look at the fail2ban apache config files and created them
with
the help of internet search.

I still am having a dount on

failregex = ^ -.GET.(.php|.asp|.exe|.pl|.cgi|\scgi)

Do i really need to have .php in this regex?
I havent restart the fail2ban service.

Or am i good to restart the fail2ban service?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,243933,243936#msg-243936