Significantly enhance block-exploits.conf with comprehensive security protections
Co-authored-by: fuomag9 <1580624+fuomag9@users.noreply.github.com>
@@ -1,6 +1,7 @@
|
||||
## Block SQL injections
|
||||
set $block_sql_injections 0;
|
||||
|
||||
# Traditional SQL injection patterns
|
||||
if ($query_string ~ "union.*select.*\(") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
@@ -13,6 +14,36 @@ if ($query_string ~ "concat.*\(") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
# Enhanced SQL injection patterns
|
||||
if ($query_string ~ "(select|insert|update|delete|drop|create|alter|exec|execute).*[\s\(]") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(or|and).*[\s]*[0-9]+[\s]*[=<>]+[\s]*[0-9]+") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "[\s]*['\"`][\s]*(or|and)[\s]*['\"`][\s]*[=<>]") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "information_schema|mysql\.user|pg_user|pg_shadow") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(sleep|benchmark|waitfor)\s*\(") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
# NoSQL injection patterns (MongoDB, CouchDB, etc.)
|
||||
if ($query_string ~ "(\$ne|\$gt|\$gte|\$lt|\$lte|\$regex|\$where)") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "javascript:|constructor|prototype|__proto__") {
|
||||
set $block_sql_injections 1;
|
||||
}
|
||||
|
||||
if ($block_sql_injections = 1) {
|
||||
return 403;
|
||||
}
|
||||
@@ -20,10 +51,12 @@ if ($block_sql_injections = 1) {
|
||||
## Block file injections
|
||||
set $block_file_injections 0;
|
||||
|
||||
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
|
||||
# Remote file inclusion
|
||||
if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps)://") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
|
||||
# Directory traversal - enhanced patterns
|
||||
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
@@ -32,6 +65,30 @@ if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
|
||||
# Additional traversal patterns
|
||||
if ($query_string ~ "(\.\./)|(\.\.\\\\)|(\.\.%2f)|(\.\.%5c)") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(\.\.%252f)|(\.\.%255c)|(%2e%2e%2f)|(%2e%2e%5c)") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
|
||||
# Windows system files
|
||||
if ($query_string ~ "(boot\.ini)|(win\.ini)|(system\.ini)|(\.\.\\\\windows)") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
|
||||
# Unix system files
|
||||
if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
|
||||
# Null bytes and encoding attacks
|
||||
if ($query_string ~ "(%00|%0a|%0d|%09|%20$)") {
|
||||
set $block_file_injections 1;
|
||||
}
|
||||
|
||||
if ($block_file_injections = 1) {
|
||||
return 403;
|
||||
}
|
||||
@@ -39,10 +96,29 @@ if ($block_file_injections = 1) {
|
||||
## Block common exploits
|
||||
set $block_common_exploits 0;
|
||||
|
||||
# XSS protection - enhanced patterns
|
||||
if ($query_string ~ "(<|%3C).*(script|iframe|object|embed|applet|meta|link|form|input|img).*(\s|%20).*(>|%3E)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(javascript|vbscript|onload|onerror|onclick|onmouseover|onfocus|onblur|onchange|onsubmit):") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# Enhanced XSS vectors
|
||||
if ($query_string ~ "(document\.|window\.|eval\(|setTimeout\(|setInterval\(|function\s*\()") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(expression\s*\(|url\s*\(|@import|behaviour:)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# PHP globals and superglobals
|
||||
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
@@ -51,6 +127,11 @@ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(_GET|_POST|_COOKIE|_SESSION|_FILES|_SERVER|_ENV)(=|\[|\%[0-9A-Z]{0,2})") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# System information disclosure
|
||||
if ($query_string ~ "proc/self/environ") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
@@ -59,10 +140,35 @@ if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# Encoding attacks
|
||||
if ($query_string ~ "base64_(en|de)code\(.*\)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# Command injection patterns
|
||||
if ($query_string ~ "(`|%60|\$\(|%24%28|\|\||%7C%7C|&&|%26%26|;|%3B)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(cat|ls|pwd|id|whoami|uname|nc|netcat|wget|curl|ping)\s") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# LDAP injection
|
||||
if ($query_string ~ "(\*\)|\(\||\&\(|\|\()") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# XML/XXE attacks
|
||||
if ($query_string ~ "(!DOCTYPE|!ENTITY|SYSTEM|PUBLIC|xmlns)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
# Server-side template injection
|
||||
if ($query_string ~ "(\{\{|\}\}|\{%|%\}|\$\{|\}$)") {
|
||||
set $block_common_exploits 1;
|
||||
}
|
||||
|
||||
if ($block_common_exploits = 1) {
|
||||
return 403;
|
||||
}
|
||||
@@ -70,6 +176,7 @@ if ($block_common_exploits = 1) {
|
||||
## Block spam
|
||||
set $block_spam 0;
|
||||
|
||||
# Original spam keywords
|
||||
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
@@ -86,19 +193,50 @@ if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamb
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
# Enhanced spam keywords
|
||||
if ($query_string ~ "\b(casino|poker|gambling|betting|lottery|jackpot|slot)\b") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "\b(loan|credit|mortgage|insurance|investment|forex|crypto)\b") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "\b(escort|adult|xxx|porn|sex|dating|hookup|webcam)\b") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "\b(replica|fake|counterfeit|knockoff|imitation)\b") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "\b(weight.?loss|diet.?pill|muscle|steroid|supplement)\b") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
# Common spam patterns
|
||||
if ($query_string ~ "(\[url=|\[link=|\[email=|email.*@.*\..*\])") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
if ($query_string ~ "(click.here|visit.site|buy.now|free.trial|limited.offer)") {
|
||||
set $block_spam 1;
|
||||
}
|
||||
|
||||
if ($block_spam = 1) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
## Block user agents
|
||||
## Block malicious user agents
|
||||
set $block_user_agents 0;
|
||||
|
||||
# Original user agents
|
||||
# Disable Akeeba Remote Control 2.5 and earlier
|
||||
if ($http_user_agent ~ "Indy Library") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
# Common bandwidth hoggers and hacking tools.
|
||||
# Common bandwidth hoggers and hacking tools
|
||||
if ($http_user_agent ~ "libwww-perl") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
@@ -131,6 +269,183 @@ if ($http_user_agent ~ "GrabNet") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
# Enhanced malicious bots and tools
|
||||
if ($http_user_agent ~ "(sqlmap|nmap|masscan|zmap|nikto|dirb|dirbuster|gobuster)") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~ "(havij|pangolin|sqlninja|bbqsql|NoSQLMap|commix)") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~ "(nessus|openvas|nexpose|metasploit|burpsuite|owasp.zap)") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~ "(w3af|skipfish|arachni|wpscan|joomscan|cms.scanner)") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~ "(hydra|brutus|medusa|ncrack|john.ripper|hashcat)") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
# Scrapers and harvesters
|
||||
if ($http_user_agent ~ "(harvest|extract|scrape|spider|crawl|bot).*email") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~ "(winhttp|urllib|python-requests|curl).*script") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
# Suspicious patterns
|
||||
if ($http_user_agent ~ "^-$|^$|^\.$") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~ "(<|>|\||&|'|\"|;|\$|\(|\)|`|\{|\})") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
# Common attack frameworks
|
||||
if ($http_user_agent ~ "(exploit|payload|shellcode|backdoor|webshell)") {
|
||||
set $block_user_agents 1;
|
||||
}
|
||||
|
||||
if ($block_user_agents = 1) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
## Block suspicious request methods
|
||||
set $block_methods 0;
|
||||
|
||||
if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") {
|
||||
set $block_methods 1;
|
||||
}
|
||||
|
||||
if ($request_method ~ "^(PUT|DELETE)$") {
|
||||
set $block_methods 1;
|
||||
}
|
||||
|
||||
if ($block_methods = 1) {
|
||||
return 405;
|
||||
}
|
||||
|
||||
## Block suspicious headers
|
||||
set $block_headers 0;
|
||||
|
||||
if ($http_x_forwarded_for ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|SCRIPT|IFRAME|OBJECT|EMBED)") {
|
||||
set $block_headers 1;
|
||||
}
|
||||
|
||||
if ($http_referer ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
|
||||
set $block_headers 1;
|
||||
}
|
||||
|
||||
if ($http_cookie ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
|
||||
set $block_headers 1;
|
||||
}
|
||||
|
||||
# Block requests with suspicious Host headers
|
||||
if ($host ~ "[\x00-\x20\x7f-\xff]") {
|
||||
set $block_headers 1;
|
||||
}
|
||||
|
||||
if ($block_headers = 1) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
## Block excessive request size (basic DoS protection)
|
||||
set $block_size 0;
|
||||
|
||||
if ($content_length ~ "^[0-9]{8,}$") {
|
||||
set $block_size 1;
|
||||
}
|
||||
|
||||
if ($block_size = 1) {
|
||||
return 413;
|
||||
}
|
||||
|
||||
## Block requests with too many parameters (potential DoS)
|
||||
set $block_params 0;
|
||||
|
||||
if ($args ~ "^([^&]*&){50,}") {
|
||||
set $block_params 1;
|
||||
}
|
||||
|
||||
if ($block_params = 1) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
## Block protocol attacks
|
||||
set $block_protocol 0;
|
||||
|
||||
# HTTP Request Smuggling patterns
|
||||
if ($http_transfer_encoding ~ "chunked.*chunked") {
|
||||
set $block_protocol 1;
|
||||
}
|
||||
|
||||
if ($http_content_length ~ "^[0-9]+.*[0-9]+$") {
|
||||
set $block_protocol 1;
|
||||
}
|
||||
|
||||
# Block requests with null bytes in URI
|
||||
if ($request_uri ~ "[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]") {
|
||||
set $block_protocol 1;
|
||||
}
|
||||
|
||||
# Block requests with control characters
|
||||
if ($request_uri ~ "%00|%0a|%0d|%27|%3c|%3e|%00") {
|
||||
set $block_protocol 1;
|
||||
}
|
||||
|
||||
if ($block_protocol = 1) {
|
||||
return 400;
|
||||
}
|
||||
|
||||
## Block common vulnerability scanners
|
||||
set $block_scanners 0;
|
||||
|
||||
if ($request_uri ~ "(wp-admin|wp-login|wp-content|wp-includes|xmlrpc\.php)") {
|
||||
set $block_scanners 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~ "(phpmyadmin|pma|mysql|admin|administrator|manager)") {
|
||||
set $block_scanners 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~ "(\.php|\.asp|\.aspx|\.jsp|\.cgi)$") {
|
||||
set $block_scanners 1;
|
||||
}
|
||||
|
||||
if ($request_uri ~ "(config|backup|log|tmp|temp|cache)") {
|
||||
set $block_scanners 1;
|
||||
}
|
||||
|
||||
# Common paths used by vulnerability scanners
|
||||
if ($request_uri ~ "(robots\.txt|sitemap\.xml|\.well-known|\.git|\.svn|\.env)") {
|
||||
set $block_scanners 1;
|
||||
}
|
||||
|
||||
if ($block_scanners = 1) {
|
||||
return 404;
|
||||
}
|
||||
|
||||
## Rate limiting marker (basic implementation)
|
||||
set $block_rate_limit 0;
|
||||
|
||||
# This requires additional nginx modules for proper rate limiting
|
||||
# but we set the variable for potential future use
|
||||
if ($remote_addr ~ "^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)") {
|
||||
set $block_rate_limit 0;
|
||||
}
|
||||
|
||||
# Block requests from suspicious countries (placeholder for GeoIP)
|
||||
# if ($geoip_country_code ~ "^(CN|RU|KP|IR)$") {
|
||||
# set $block_rate_limit 1;
|
||||
# }
|
||||
|
||||
if ($block_rate_limit = 1) {
|
||||
return 429;
|
||||
}
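Review bot: The new "Suspicious patterns" User-Agent rule that rejects `(`, `)` and `;` returns 403 for every mainstream browser, since a normal UA such as `Mozilla/5.0 (Windows NT 10.0; Win64; x64)` contains both parentheses and semicolons; it should be dropped outright. The same self-inflicted denial of service appears in the protocol block, where `if ($http_content_length ~ "^[0-9]+.*[0-9]+$")` matches any Content-Length of two or more digits (e.g. `12`) and answers 400 (nginx already rejects malformed or duplicate Content-Length and Transfer-Encoding headers, so both checks can go), and in the scanner block, where `(\.php|\.asp|\.aspx|\.jsp|\.cgi)$`, the `wp-admin|wp-login|...` rule and `\.well-known` (which breaks ACME HTTP-01 renewals) 404 ordinary application and WordPress traffic. Blocking `OPTIONS`, `PUT` and `DELETE` breaks CORS preflight and REST APIs behind the proxy, and the `$block_rate_limit` section is dead code (its only branch sets the variable back to 0) that should be replaced by `limit_req_zone`/`limit_req` rather than an `if`. Because the keyword rules use the case-sensitive `~` operator and `$query_string` is not URL-decoded, upper-case `UNION SELECT` or `%24ne` bypass them while lower-case words like `update`, `constructor`, `id ` or a bare `;` in legitimate parameters are blocked; if any of these patterns are kept they need `~*`, word boundaries, and a test run against real traffic logs before they ship.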
|
||||
|
||||