Navigation

    La Cabane Libre

    • Register
    • Login
    • Search
    • Catégories
    • Recent
    • Mots-clés
    • Ciné Libre

    Sécuriser nginx contre les Exploits, les Injections SQL, les Injections de fichiers, le Spam...

    La Cuisine
    astuce nginx
    1
    1
    1298
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • The Worm's
      The Worm's Manchot Adélie last edited by The Worm's

      Voici une cht’yte astuce pour vous protéger contre les Exploits, les Injections SQL, les Injections de fichiers, les Spams, pour nginx.

      Il vous suffit tout simplement de rajouter ce code dans votre vhost :

      nano /etc/nginx/sites-available/cabane-libre.org
      

      Copier/Coller le code suivant entre la balise server {}

      server {
      [...]
      
          ## Block SQL injections
          set $block_sql_injections 0;
          if ($query_string ~ "union.*select.*\(") {
              set $block_sql_injections 1;
          }
          if ($query_string ~ "union.*all.*select.*") {
              set $block_sql_injections 1;
          }
          if ($query_string ~ "concat.*\(") {
              set $block_sql_injections 1;
          }
          if ($block_sql_injections = 1) {
              return 403;
          }
      
          ## Block file injections
          set $block_file_injections 0;
          if ($query_string ~ "[a-zA-Z0-9_]=http://") {
              set $block_file_injections 1;
          }
          if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
              set $block_file_injections 1;
          }
          if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
              set $block_file_injections 1;
          }
          if ($block_file_injections = 1) {
              return 403;
          }
      
          ## Block common exploits
          set $block_common_exploits 0;
          if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
              set $block_common_exploits 1;
          }
          if ($query_string ~ "GLOBALS(=|[|\%[0-9A-Z]{0,2})") {
              set $block_common_exploits 1;
          }
          if ($query_string ~ "_REQUEST(=|[|\%[0-9A-Z]{0,2})") {
              set $block_common_exploits 1;
          }
          if ($query_string ~ "proc/self/environ") {
              set $block_common_exploits 1;
          }
          if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
              set $block_common_exploits 1;
          }
          if ($query_string ~ "base64_(en|de)code\(.*\)") {
              set $block_common_exploits 1;
          }
          if ($block_common_exploits = 1) {
              return 403;
          }
      
          ## Block spam
          set $block_spam 0;
          if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
              set $block_spam 1;
          }
          if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
              set $block_spam 1;
          }
          if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
              set $block_spam 1;
          }
          if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
              set $block_spam 1;
          }
          if ($block_spam = 1) {
              return 403;
          }
      
          ## Block user agents
          set $block_user_agents 0;
      
          # Don't disable wget if you need it to run cron jobs!
          #if ($http_user_agent ~ "Wget") {
          #    set $block_user_agents 1;
          #}
      
          # Disable Akeeba Remote Control 2.5 and earlier
          if ($http_user_agent ~ "Indy Library") {
              set $block_user_agents 1;
          }
      
          # Common bandwidth hoggers and hacking tools.
          if ($http_user_agent ~ "libwww-perl") {
              set $block_user_agents 1;
          }
          if ($http_user_agent ~ "GetRight") {
              set $block_user_agents 1;
          }
          if ($http_user_agent ~ "GetWeb!") {
              set $block_user_agents 1;
          }
          if ($http_user_agent ~ "Go!Zilla") {
              set $block_user_agents 1;
          }
          if ($http_user_agent ~ "Download Demon") {
              set $block_user_agents 1;
          }
          if ($http_user_agent ~ "Go-Ahead-Got-It") {
              set $block_user_agents 1;
          }
          if ($http_user_agent ~ "TurnitinBot") {
              set $block_user_agents 1;
          }
          if ($http_user_agent ~ "GrabNet") {
              set $block_user_agents 1;
          }
      
          if ($block_user_agents = 1) {
              return 403;
          }
      [...]
      }
      

      Relancer nginx

      service nginx reload
      
      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Sauf mention contraire, le site est placé sous double licence Creative Commons BY-SA et GNU Free Documentation License propulsé par NodeBB