Web Server Hardening Idea

With the growing number of constant attacks and scans, I had an idea to start blocking known malicious User-Agents with Nginx. I have modified the nginx local.conf file to block blank and known scanner user agents. Working in security, it is pretty funny how attackers are too lazy to change the user agents of their tools. It is very simple to do; I hope this helps anyone, and maybe it can be integrated into the next build.

  1. Create/Configure UA file
    File: /etc/nginx/useragents.rules
    # A map block must live in the http {} context, so this file has to be
    # included from nginx.conf (e.g. "include /etc/nginx/useragents.rules;")
    # before any server block references $badagent.
    # ~* keys are case-insensitive, unanchored regexes; entries are tried in order.
    map $http_user_agent $badagent {
        default 0;
        ~*netcrawler 1;
        ~*libwww-perl 1;
        ~*wget 1;
        ~*curl 1;
        ~*python 1;
        ~*openvas 1;
        ~*HTTrack 1;
        ~*clshttp 1;
        ~*archiver 1;
        ~*nikto 1;
        ~*miner 1;
        ~*profound 1;
        ~*scrapyproject 1;
        ~*nmap 1;
        ~*sqlmap 1;
        ~*slowhttptest 1;
        ~*jersey 1;
        ~*brandwatch 1;
        ~*magpie-crawler 1;
        ~*mechanize 1;
        ~*python-requests 1;
        ~*redback 1;
        ~*jorgee 1;
        ~*zgrab 1;
    }
  2. Define how each virtual host responds to the UA requests; the lines below are needed for every VHOST.
    File: /etc/nginx/conf.d/local.conf

    server {
        listen 80;
        listen [::]:80;
        # ... the rest of the existing vhost configuration stays as it is ...
        # UA Blocking
        if ($badagent) {
            return 404;
        }
        # Block Blank UA
        if ($http_user_agent ~* (^$)) {
            return 404;
        }
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        # ... the rest of the existing vhost configuration stays as it is ...
        # UA Blocking
        if ($badagent) {
            return 404;
        }
        # Block Blank UA
        if ($http_user_agent ~* (^$)) {
            return 404;
        }
    }

  3. Restart your webserver
    service nginx restart

  4. Test it
    MIAB Server: tail -f /var/log/nginx/access.log

    Test 1: Blank
    Test machine: curl myserver.com
    MIAB Log Response
    [04/Oct/2017:12:20:40 +0000] "GET / HTTP/1.1" 404 162 "-" "curl/7.35.0"

    Test 2: Outlook Mobile Client
    Test machine: curl -A 'Outlook-iOS-Android/1.0' myserver.com
    MIAB Log Response
    [04/Oct/2017:12:56:01 +0000] "POST /Microsoft-Server-ActiveSync?User=user%40mydomain.com&DeviceId=8&DeviceType=Outlook&Cmd=Sync HTTP/1.1" 200 73 "-" "Outlook-iOS-Android/1.0"

    Test 3: Test Attack Scanner OpenVAS
    Test machine: curl -A 'Mozilla/4.75 [en] (X11, U; OpenVAS 7.0)' myserver.com
    MIAB Log Response
    [04/Oct/2017:13:04:06 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS 7.0)"

Hope that helps anyone that needs it.
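Before editing a live vhost, it is useful to know exactly which map entry a given User-Agent would hit and what an existing access log would have looked like under the rules. The script below is an added example, not part of the post above or of Mail-in-a-Box: it parses the `map` block syntax from step 1 (exact keys first, then `~`/`~*` regex keys in file order, as nginx resolves them), mirrors both `if` blocks from step 2, and replays constructed access-log lines in nginx's default combined format. The rule list and the log lines are constructed for the demo (IPs from the 192.0.2.0/24 documentation range); the trimmed rule list keeps the same syntax as the post's file, and the shadowing check is a heuristic that only makes sense for the plain-substring keys used there.

```python
import re

# Constructed, trimmed copy of the step-1 map (same syntax as the post's file).
USERAGENT_RULES = """\
map $http_user_agent $badagent {
    default 0;
    ~*netcrawler 1;
    ~*libwww-perl 1;
    ~*wget 1;
    ~*curl 1;
    ~*python 1;
    ~*openvas 1;
    ~*nikto 1;
    ~*sqlmap 1;
    ~*python-requests 1;
    ~*zgrab 1;
}
"""

# Constructed access-log lines in nginx's default "combined" format.
# A missing User-Agent header is logged as "-" while $http_user_agent is empty.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Oct/2017:12:20:40 +0000] "GET / HTTP/1.1" 404 162 "-" "curl/7.35.0"
192.0.2.11 - - [04/Oct/2017:12:56:01 +0000] "GET / HTTP/1.1" 200 73 "-" "Outlook-iOS-Android/1.0"
192.0.2.12 - - [04/Oct/2017:13:04:06 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/4.75 [en] (X11, U; OpenVAS 7.0)"
192.0.2.13 - - [04/Oct/2017:13:10:00 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "-"
192.0.2.14 - - [04/Oct/2017:13:12:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_map_rules(text):
    """Parse an nginx `map` block into (default_value, exact_keys, regex_keys).

    exact_keys : dict literal string -> value (nginx checks these first)
    regex_keys : list of (key_text, compiled_regex, value) in file order,
                 because nginx tries regex keys in the order they appear.
    """
    default, exact, regexes = "0", {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("map ", "}", "#")):
            continue
        parts = line.rstrip(";").split()
        if len(parts) != 2:
            continue
        key, value = parts
        key = key.strip('"')
        if key == "default":
            default = value
        elif key.startswith("~*"):  # case-insensitive regex key
            regexes.append((key, re.compile(key[2:], re.IGNORECASE), value))
        elif key.startswith("~"):   # case-sensitive regex key
            regexes.append((key, re.compile(key[1:]), value))
        else:
            exact[key] = value
    return default, exact, regexes


def match_rule(user_agent, parsed):
    """Resolve $badagent for one User-Agent; returns (value, key_that_fired)."""
    default, exact, regexes = parsed
    if user_agent in exact:
        return exact[user_agent], user_agent
    for key, regex, value in regexes:
        if regex.search(user_agent):  # map regexes are unanchored unless written so
            return value, key
    return default, None


def would_block(user_agent, parsed):
    """Mirror both step-2 `if` blocks: $badagent set, or an empty User-Agent."""
    value, _ = match_rule(user_agent, parsed)
    return value == "1" or user_agent == ""


def shadowed_patterns(parsed):
    """Heuristic: a regex key whose literal text an earlier regex key already
    matches can never be the first match (e.g. ~*python covers ~*python-requests).
    Valid for plain-substring keys only, not arbitrary regex syntax."""
    _, _, regexes = parsed
    found = []
    for i, (key, _, _) in enumerate(regexes):
        literal = key[2:] if key.startswith("~*") else key[1:]
        for earlier_key, earlier_re, _ in regexes[:i]:
            if earlier_re.search(literal):
                found.append((key, earlier_key))
                break
    return found


def audit_access_log(log_text, parsed):
    """Replay log lines through the rules; report what would be blocked and why."""
    report = {"blocked": [], "allowed": [], "unparsed": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        ua = "" if m.group("ua") == "-" else m.group("ua")
        _, key = match_rule(ua, parsed)
        if would_block(ua, parsed):
            report["blocked"].append((m.group("ip"), ua, key or "<blank UA>"))
        else:
            report["allowed"].append((m.group("ip"), ua))
    return report


if __name__ == "__main__":
    parsed = parse_map_rules(USERAGENT_RULES)
    for entry in audit_access_log(SAMPLE_LOG, parsed)["blocked"]:
        print("BLOCK", entry)
    print("shadowed:", shadowed_patterns(parsed))
```

Running it against your own `/var/log/nginx/access.log` (read the file instead of `SAMPLE_LOG`) shows which legitimate clients a broad key such as `~*python` or `~*curl` would also cut off before the rules go live, and the report names the key that fired, so a curl request shows up as matched by `~*curl` rather than as a blank User-Agent.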
