Nginx: How to make it painful for scanners?

I have nginx and proxy-nginx servers, and there are scanners all day.
How can we make it as painful as possible for scanners that abuse our server? :)

I tried to make a redirect to 127.0.0.1, but it's not working.
Redirect somewhere else?

Do something else?
Can we make the scanners scan themselves, or something else that is funny (it shouldn't take our or someone else's resources)?
Make a stupid loooooong connection for them (again, it shouldn't take our resources – important for this one!)

How do you do it?

The crazier the stuff, the more points ;)
 
I'd set up ipfw with a table named SLOW_DOWN and use dummynet(4) to throttle your bandwidth to any IP or range listed in that table. Then you can periodically scan your Nginx logs to find who the troublemakers are, and add their IPs to that table. They'll still be able to scan you, but if you throttle them to 1 byte/sec, they may get bored and go elsewhere. I've never tried it myself, but at 1 B/s, a 1500-byte MTU will take 25 minutes to send. That might cause some network stacks to time out, I would speculate.

OTOH, once you have an ipfw table that lists all the recent offenders, you can just drop their traffic entirely, if you prefer.

This is pretty much what apps like fail2ban do.
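As an added example (not from the thread's author), here is the log-scan step of the answer above written out: it picks the clients racking up 404s in an nginx "combined" access log and prints the ipfw(8)/dummynet(4) commands that would throttle them via a SLOW_DOWN table. The log lines are constructed, the pipe and rule numbers are arbitrary choices, and the commands are printed rather than executed so they can be reviewed before running as root on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds IPs with many 404s
# in an nginx access log and emits the ipfw/dummynet commands that put them
# into the SLOW_DOWN table described in the answer.

# Constructed sample in nginx's default "combined" log format.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "curl/8.0"
EOF

# find_scanners LOGFILE THRESHOLD
# Prints each client IP ($1 in the combined format) whose count of 404
# responses ($9) reaches THRESHOLD, one per line, sorted for stable output.
find_scanners() {
    awk -v min="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }' "$1" | sort
}

# slow_down_cmds LOGFILE THRESHOLD
# Emits: a named address table, a dummynet pipe limited to 8 bit/s (the
# 1 byte/sec from the answer), a rule sending traffic from any table member
# through that pipe, and one "table add" per offender. Pipe 10 and rule 100
# are arbitrary numbers chosen for this example.
slow_down_cmds() {
    echo "ipfw table SLOW_DOWN create type addr"
    echo "ipfw pipe 10 config bw 8bit/s"
    echo "ipfw add 100 pipe 10 ip from 'table(SLOW_DOWN)' to me"
    find_scanners "$1" "$2" | while read -r ip; do
        echo "ipfw table SLOW_DOWN add $ip"
    done
}

# Threshold of 3 flags the probing host but not the client with a single 404.
slow_down_cmds "$SAMPLE_LOG" 3
```

Point the script at /var/log/nginx/access.log from a cron job and pipe its output into sh once the rule set has been reviewed; lowering the threshold to 1 would also catch the ordinary client that missed a single image.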
 