Created
December 30, 2016 16:20
-
-
Save mattia-beta/9b2755a222b78d3ed7e558706668d9f0 to your computer and use it in GitHub Desktop.
NGINX Security Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Block SQL injections | |
| set $block_sql_injections 0; | |
| if ($query_string ~ "union.*select.*\(") { | |
| set $block_sql_injections 1; | |
| } | |
| if ($query_string ~ "union.*all.*select.*") { | |
| set $block_sql_injections 1; | |
| } | |
| if ($query_string ~ "concat.*\(") { | |
| set $block_sql_injections 1; | |
| } | |
| if ($block_sql_injections = 1) { | |
| return 403; | |
| } | |
| ## Block file injections | |
| set $block_file_injections 0; | |
| if ($query_string ~ "[a-zA-Z0-9_]=http://") { | |
| set $block_file_injections 1; | |
| } | |
| if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { | |
| set $block_file_injections 1; | |
| } | |
| if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { | |
| set $block_file_injections 1; | |
| } | |
| if ($block_file_injections = 1) { | |
| return 403; | |
| } | |
| ## Block common exploits | |
| set $block_common_exploits 0; | |
| if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "proc/self/environ") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($query_string ~ "base64_(en|de)code\(.*\)") { | |
| set $block_common_exploits 1; | |
| } | |
| if ($block_common_exploits = 1) { | |
| return 403; | |
| } | |
| ## Block spam | |
| set $block_spam 0; | |
| if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { | |
| set $block_spam 1; | |
| } | |
| if ($block_spam = 1) { | |
| return 403; | |
| } | |
| ## Block user agents | |
| set $block_user_agents 0; | |
| # Don't disable wget if you need it to run cron jobs | |
| if ($http_user_agent ~ "Wget") { | |
| set $block_user_agents 1; | |
| } | |
| # Disable Akeeba Remote Control 2.5 and earlier | |
| if ($http_user_agent ~ "Indy Library") { | |
| set $block_user_agents 1; | |
| } | |
| # Common bandwidth hoggers and hacking tools. | |
| if ($http_user_agent ~ "libwww-perl") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "GetRight") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "GetWeb!") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "Go!Zilla") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "Download Demon") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "Go-Ahead-Got-It") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "TurnitinBot") { | |
| set $block_user_agents 1; | |
| } | |
| if ($http_user_agent ~ "GrabNet") { | |
| set $block_user_agents 1; | |
| } | |
| if ($block_user_agents = 1) { | |
| return 403; | |
| } | |
| # Block hidden files | |
| location ~ /\. { return 403; } | |
| # Protect .git files | |
| location ~ /\.git { | |
| access_log off; | |
| log_not_found off; | |
| deny all; | |
| } | |
| # Block sql dumps | |
| location ~* \.(sql)$ {deny all; } | |
| # Protect Perl/CGI/etc files | |
| location ~* \.(pl|cgi|py|sh|lua)\$ { | |
| return 444; | |
| } | |
| # Block web attacks | |
| location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) { | |
| return 444; | |
| } | |
| # Protect other sensitive files | |
| location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_{ | |
| return 444; | |
| } | |
| # Block execution of PHP files in uploads folders | |
| location ~* /(?:uploads|files)/.*\.php$ { | |
| deny all; | |
| } | |
| # Block PHP files in the includes directory | |
| location ~* /wp-includes/.*.php$ { | |
| deny all; | |
| access_log off; | |
| log_not_found off; | |
| } | |
| #Block access to xmlrpc.php | |
| location = /xmlrpc.php { | |
| deny all; | |
| access_log off; | |
| log_not_found off; | |
| } | |
| Block access to dev files | |
| location = /(package.json|gulp.js|grunt.js|bower.json) { | |
| deny all; | |
| access_log off; | |
| log_not_found off; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment