How can I block the attack like this?

Hi all,

Today my server was attacked. After checking the Nginx access log, I found
entries like the ones below:

116.114.17.182 - - [04/Sep/2012:20:27:41 +0800] "GET /member.php??username=xxxx&rndnum=-1777927191 HTTP/1.1" 500 186 "-" "-" "-"

116.114.17.182 - - [04/Sep/2012:20:27:41 +0800] "GET /member.php??username=xxxx&rndnum=-1777927191 HTTP/1.1" 500 186 "-" "-" "-"

116.114.17.182 - - [04/Sep/2012:20:27:41 +0800] "GET /member.php??username=xxxx&rndnum=-1777927191 HTTP/1.1" 500 186 "-" "-" "-"

It seems the attacker was using some tool to attack my server. You can
see that the user agent / browser version are blank.

Since I can't block the blank user agent (some web browsers use a
blank user agent, for example UC), is there any way I can block
this kind of attack?

Thanks

Hi,
A WAF (http://code.google.com/p/naxsi/) as a possible solution?

Regards,

Hi,

If the user is coming from the same IP address, you can block it in your
iptables or firewall.

Regards

What I see is that you want to block XSS attacks and code injection;
that is why I recommend a WAF.

Regards,

On Tue, Sep 4, 2012 at 10:49 AM, Jaap van Arragon

Thanks.
But it seems the WAF can only support nginx versions lower than
1.2.0.


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx



Victor Pereira

Try the limit_conn module:
http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html.

Or the limit_req module:
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html.
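
A configuration sketch of the two modules suggested above, applied to the /member.php endpoint seen in the posted log lines. This is an added example, not a configuration from anyone in the thread; the zone names, rates, limits, server name and PHP backend address are assumptions to be tuned to the site's real traffic.

```nginx
# Added example. Zone names, rates, server_name and the FastCGI backend
# address are assumptions, not values taken from the thread.
events {}

http {
    # One request counter per client address, keyed on the compact
    # binary form of the address so the 10 MB zone holds many clients.
    limit_req_zone  $binary_remote_addr zone=member_req:10m rate=2r/s;

    # One connection counter per client address.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    server {
        listen 80;
        server_name example.com;

        # Cap concurrent connections from a single address site-wide.
        limit_conn per_ip 20;

        # Exact match on the script that was being hammered in the log.
        location = /member.php {
            # Sustained rate 2 requests/second per address; up to 5 extra
            # requests are served at once, anything beyond that is
            # rejected immediately (HTTP 503 by default) without
            # reaching PHP.
            limit_req zone=member_req burst=5 nodelay;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass 127.0.0.1:9000;
        }
    }
}
```

Because the limits are keyed on the client address rather than the User-Agent header, browsers that send a blank user agent are unaffected as long as they stay under the configured rate. Rejected requests are logged in the error log with the zone name, which gives a list of addresses to consider for a firewall block.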

2012/9/5 [email protected] [email protected]:

I see that the documentation says it works only with older versions of
nginx and, according to what I see in the installation manual, it can be
compiled with any version of nginx.