An automated script that checks the nginx access log for attempted attacks
It is easy to use the $ tal command to see the access log; however, I regularly see attacks coming from a single IP address like this:
85.219.67.14 403 GET /catalog/product/view/id/415/s/stone/category/105/{{config%20path=web/unsecure/baseurl?store=barracudamotoes_gb&fromstore=barracudamotoes_es HTTP/1.1 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
It should be fairly easy to use a combination of nginx and fail2ban to ban a certain IP when a pattern is detected?

Hi,
Although we don’t do exactly what was suggested here (we don’t block an IP, but we do have automated scripts blocking attacks), we believe we can call this one ‘completed’. If you think we should still work on something, please open up a new Idea in the UserVoice.
Best,
Hypernode Team
-
Hi Mike, additionally we now also actively deploy nginx configs to block attacks if we notice a node going down due to requests that look like previously encountered suspicious patterns, if we can do so without clashing with an already defined nginx config. If we do, you'll receive an email that we deployed a new rule and tell you where to find the file so you can edit it if you want to disable it or tweak the config. More information in this changelog: https://support.hypernode.com/changelog/release-4176-enhanced-brute-force-detection-neopi-libfcgi/
-
Did you know that we currently filter many known exploits on hypernode to prevent remote code execution?
We do use fail2ban to block brute-force attempts against ssh and ftp. We fear that adding more fail2ban rules for nginx may be error-prone and may not offer much more security. There is a lot of unsolicited activity on the internet; attempting to block most of it could be hard and poses a risk for false positives.
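
The per-IP pattern check the request describes, sketched as an added example that is not part of the thread and not Hypernode's own tooling. It assumes the field order of the sample line above (IP, status, method, path, protocol, user agent); the directive regex, the threshold and the allowlist are illustrative choices, and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed layout, taken from the sample line in the request:
# <ip> <status> <method> <path> <protocol> <user agent>
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) '
                     r'(?P<path>.*?) (?P<proto>HTTP/\d\.\d) (?P<ua>.*)$')
# Shape of a template directive such as "{{config path=" inside a URL.
DIRECTIVE_RE = re.compile(r'\{\{\s*[a-z]+\s+[a-z_]+=', re.I)

def decode(path, rounds=3):
    """Undo percent-encoding, including double encoding, with a bounded loop."""
    for _ in range(rounds):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path

def suspicious_ips(lines, threshold=3, allow=frozenset()):
    """Return {ip: hits} for IPs with at least `threshold` matching requests.
    A threshold above 1 and an allowlist limit false-positive bans."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m['ip'] in allow:
            continue  # unparseable lines are skipped, never counted
        if DIRECTIVE_RE.search(decode(m['path'])):
            hits[m['ip']] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    f'203.0.113.7 403 GET /catalog/view/id/1/{{{{config%20path=web/unsecure/baseurl HTTP/1.1 {UA}',
    f'203.0.113.7 403 GET /catalog/view/id/2/{{{{config%20path=web/unsecure/baseurl HTTP/1.1 {UA}',
    f'203.0.113.7 403 GET /catalog/view/id/3/{{{{config%20path=web/unsecure/baseurl HTTP/1.1 {UA}',
    f'198.51.100.20 404 GET /x/%257B%257Bconfig%2520path=web/unsecure/baseurl HTTP/1.1 {UA}',
    f'192.0.2.5 200 GET /catalog/product/view/id/415 HTTP/1.1 {UA}',
    'truncated line without enough fields',
]

if __name__ == '__main__':
    for ip, n in suspicious_ips(SAMPLE).items():
        print(f'{ip} sent {n} requests containing a template directive')
```

The result is a list of ban candidates; the single double-encoded hit from 198.51.100.20 stays below the default threshold, which is the kind of trade-off between coverage and false positives raised in the last reply.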