I've got my web server set up and live on the IP address, but not quite live on the domain name yet. I get pretty consistent traffic from people trying to use my server as a proxy, trying to scan for vulnerabilities (hit after hit to wp-admin stuff, various .php files, etc.), and some innocuous mapping projects.
I'm running nginx with a mostly static web page as the frontend. The very few scripts I do have to run are hosted on a local (otherwise inaccessible) lighttpd instance, and are written largely in python. There are no php endpoints, although I could work around it if there were. This means that any attempt to hit a page ending in .php is clearly unwanted.
I wrote a quick shell script that I'm hosting on the lighttpd side. Here's that script:
Code:
#!/bin/sh
# CGI handler run by lighttpd. nginx forwards the client address in the
# X-Real-IP header, which lighttpd exposes to CGI as HTTP_X_REAL_IP.
echo "Content-Type: text/plain"
echo
ip="${HTTP_X_REAL_IP}"
echo "${ip}"
# Bail out if the header is missing so pfctl is never called with a bare "/32".
[ -n "${ip}" ] || { echo "no client address"; exit 0; }
# Add the address to the banip table, then kill any existing states for it.
/usr/local/bin/sudo /sbin/pfctl -t banip -T add "${ip}/32" 2>&1
/usr/local/bin/sudo /sbin/pfctl -k "${ip}/32" 2>&1
echo "complete"
The pf table banip is set to block in quick. I have sudoers set up to allow www to execute /sbin/pfctl with no password.
Here's the relevant section of my nginx config:
Code:
server {
    listen 80 default_server;
    server_name _;
    root /var/www/prod;
    server_tokens off;

    # Any request URI containing "php" anywhere (not only paths ending
    # in .php) is rewritten to the ban handler below.
    rewrite ^(.*)php(.*)$ /help.sh last;

    location /help.sh {
        # nginx sets this header itself from the connection address, so a
        # client cannot supply its own X-Real-IP value.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8000/banip/doit.sh;
    }
(...)
I've had this setup for 24 hours, and I already have 7 IP addresses in the table. Again, this is only hosted on the IP address itself, which is unpublished anywhere else.
Anyway, I thought this was a pretty funny solution to this "problem" - not that it's really a problem, since I have everything set up pretty securely otherwise, and I obviously don't have any php-based vulnerabilities (since there is no php), but I like to discourage this kind of behavior, especially when they're using (a small amount of) my traffic. Any thoughts?
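As an added example (not part of the original post), a small Python audit that replays nginx access-log lines through the same pattern the rewrite uses ("php" anywhere in the URI) and through a stricter `\.php$` alternative, so you can see which clients each rule would have banned before wiring it to pfctl. The log lines and the stricter pattern are my own constructions, not from the post.

```python
import re
from collections import defaultdict

# Same pattern as the nginx rewrite: "php" anywhere in the request URI.
LOOSE = re.compile(r"^(.*)php(.*)$")
# Stricter alternative (an assumption, not from the post): only paths ending in .php.
STRICT = re.compile(r"\.php$")

# nginx "combined" format: client - user [time] "METHOD /uri HTTP/x" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Return (client_ip, path) for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # The rewrite matches $uri, which carries no query string, so drop it here too.
    return m.group("ip"), m.group("uri").split("?", 1)[0]


def would_ban(lines, pattern):
    """Map each client IP to the sorted paths that the given pattern would catch."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, path = parsed
        if pattern.search(path):
            hits[ip].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 12',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /graphphysics/notes.html HTTP/1.1" 200 2048',
    '192.0.2.77 - - [10/Oct/2023:13:57:10 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        print(name, would_ban(SAMPLE, pat))
```

Running it shows the loose pattern also catching the legitimate `/graphphysics/notes.html` visitor, which the stricter pattern leaves alone.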