@xTCry
Last active August 5, 2023 04:50
[Nginx] Config for blocking site bots / Config for blocking harmful traffic from hosting providers

[Nginx] Config for blocking harmful traffic from hosting providers

Nginx config for blocking bad site traffic (bots)

What happened?

The site was seen to be receiving a large number of requests that simulated the behaviour of an Android device: scrolling through the page content and then reopening the page with different device information.

The requests usually went to the same pages (mostly just two or three). The request URL was crafted so that the server redirected to the correct address. For example, from /info/info/.

More than 95% of the suspicious requests used IPv6 addresses. This clearly made the suspicious traffic harder to detect, because there was almost no load and the site kept running normally, but inflated visit counts were noticed.

Checking an IP for "spam"

Example nginx log

2a11:b81:b0f6:2b32:f171:72f2:ea2e:aeab - - [31/May/2023:08:17:37 +0300] "GET /contacts HTTP/1.1" 403 196 "-" "Mozilla/5.0 (Linux; arm_64; Android 12; M2201K6G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.3.1615.106 Mobile Safari/537.36"
2a0d:e285:7ce3:1a12:a0ca:f0ec:d1b3:233d - - [31/May/2023:08:17:52 +0300] "GET /contacts HTTP/1.1" 403 196 "-" "Mozilla/5.0 (Linux; arm_64; Android 12; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.4.2085.700 Mobile Safari/537.36"
2a0d:e282:c0fd:3c13:964e:c14:c4da:5d43 - - [31/May/2023:08:17:53 +0300] "GET /news/detail/1230 HTTP/1.1" 403 196 "https://yandex.ru/" "Mozilla/5.0 (Linux; arm_64; Android 11; Mi 9 Lite) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5275.109 Mobile Safari/537.36"
2a0d:e284:9529:5e2f:1a03:940f:f0b0:1eb0 - - [31/May/2023:08:18:05 +0300] "GET /info HTTP/1.1" 403 196 "https://yandex.ru/" "Mozilla/5.0 (Linux; arm_64; Android 12; Pixel 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36"
2a09:6907:419a:c1d0:e14e:18d8:eac2:2ee0 - - [31/May/2023:08:18:06 +0300] "GET /news/detail/1230 HTTP/1.1" 403 196 "https://yandex.ru/" "Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Mobile Safari/537.36"
2a09:6907:419a:c1d0:e14e:18d8:eac2:2ee0 - - [31/May/2023:08:18:07 +0300] "GET /favicon.ico HTTP/1.1" 403 196 "https://xxx.yyy/news/detail/1230" "Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Mobile Safari/537.36"

Look up information about the suspicious IP at https://ipinfo.io/account/search

Example of the information returned

{"asn":"AS204916","name":"RACKTECH CO., LTD.","domain":"ipaddr.space","route":"2a0f:9880::/29","type":"hosting"}

If the type field shows hosting rather than some other value, the request was sent from a server, which makes it unlikely that it came from a human.

Using the value of the asn field, look up the range of IP addresses to block: https://www.ip2location.com/as204916

Attached is the block_bots.conf config, which blocks the addresses of hosting providers that were seen in the site's logs.

This information is provided for reference. Additions are welcome 😄

# (AS44812) IP SERVER LLC
#deny 2a07:ac00::/24;
deny 2a07:ac80::/29;
deny 2a09:3703::/32;
deny 2a09:3706::/32;
deny 2a09:4d40::/32;
deny 2a09:4d42::/32;
deny 2a09:4d43::/32;
deny 2a09:4d44::/32;
deny 2a09:4d47::/32;
deny 2a09:6902::/32;
deny 2a09:9441::/32;
deny 2a0a:f583::/32;
deny 2a0b:2d81::/32;
deny 2a0c:4184::/32;
deny 2a0c:7b86::/32;
deny 2a0d:e280::/32;
deny 2a0d:e281::/32;
deny 2a0d:e282::/32;
deny 2a0d:e283::/32;
deny 2a0d:e284::/32;
deny 2a0d:e285::/32;
deny 2a0d:e286::/32;
deny 2a0d:e287::/32;
deny 2a12:2204::/32;
deny 2a12:2205::/32;
deny 2a12:2206::/32;
deny 2a12:2207::/32;
# (AS59504) LLC Vpsville
deny 2a04:c100::/29;
deny 2a05:fb41::/32;
deny 2a05:fb42::/32;
deny 2a06:d900::/29;
deny 2a07:14c0::/47;
deny 2a07:14c0:3000::/36;
deny 2a07:14c0:5000::/36;
deny 2a09:400:2000::/36;
deny 2a09:400:4000::/34;
deny 2a09:400:9000::/36;
deny 2a09:400:a000::/35;
deny 2a09:400:c000::/34;
deny 2a09:401::/32;
deny 2a09:407::/35;
deny 2a09:407:2000::/36;
deny 2a09:407:4000::/34;
deny 2a09:407:8000::/36;
deny 2a09:407:a000::/35;
deny 2a09:407:c000::/36;
deny 2a09:407:f000::/36;
deny 2a09:3500::/32;
deny 2a09:3505::/35;
deny 2a09:3505:4000::/34;
deny 2a09:3505:8000::/33;
deny 2a09:3506::/32;
deny 2a09:3800::/29;
deny 2a09:bd80::/29;
deny 2a0a:2880::/29;
deny 2a0a:4780::/30;
deny 2a0a:4785::/32;
deny 2a0a:4786::/31;
deny 2a0a:e580::/29;
deny 2a0c:2100::/30;
deny 2a0c:2104::/31;
deny 2a0c:2106::/32;
deny 2a0c:5241::/32;
deny 2a0c:5247:5000::/36;
deny 2a0c:5247:7000::/36;
deny 2a0c:5247:c000::/36;
deny 2a0d:2e40::/29;
deny 2a0d:5ec0::/32;
deny 2a0d:5ec1::/34;
deny 2a0d:5ec1:4000::/35;
deny 2a0d:5ec1:7000::/36;
deny 2a0d:5ec1:8000::/33;
deny 2a0d:5ec5::/32;
deny 2a0d:5ec6::/31;
deny 2a0d:60c0::/32;
deny 2a0d:60c3::/32;
deny 2a0d:e4c3::/32;
deny 2a0f:cf80::/29;
deny 2a10:c0c0::/32;
deny 2a10:c0c2::/32;
deny 2a10:c0c4::/30;
deny 2a10:d8c0::/29;
deny 2a11:200::/34;
deny 2a11:200:4000::/36;
deny 2a11:200:8000::/33;
deny 2a11:204::/30;
deny 2a11:780::/36;
deny 2a11:780:2000::/36;
deny 2a11:780:5000::/36;
deny 2a11:780:6000::/36;
deny 2a11:780:8000::/36;
deny 2a11:780:c000::/36;
deny 2a11:783::/32;
deny 2a11:784::/30;
deny 2a11:980::/29;
deny 2a11:a80::/29;
deny 2a11:b80::/36;
deny 2a11:b80:2000::/36;
deny 2a11:b80:4000::/36;
deny 2a11:b80:e000::/35;
deny 2a11:b82::/31;
deny 2a11:b84::/30;
# deny 2a05:fb40::/29;
# deny 2a07:14c0::/29;
# deny 2a09:3501::/32;
# deny 2a09:3502::/32;
# deny 2a09:3503::/32;
# deny 2a09:3504::/32;
# deny 2a09:3505:2000::/36;
# deny 2a09:3505:3000::/36;
# deny 2a09:3507::/32;
# deny 2a09:3701::/32;
# (AS204916) Racktech Co. Ltd.
deny 2a05:53c0::/29;
deny 2a05:fb40::/32;
deny 2a05:fb43::/32;
deny 2a05:fb44::/30;
deny 2a07:14c0:2::/47;
deny 2a07:14c0:4::/46;
deny 2a07:14c0:8::/45;
deny 2a07:14c0:10::/44;
deny 2a07:14c0:20::/43;
deny 2a07:14c0:40::/42;
deny 2a07:14c0:80::/41;
deny 2a07:14c0:100::/40;
deny 2a07:14c0:200::/39;
deny 2a07:14c0:400::/38;
deny 2a07:14c0:800::/37;
deny 2a07:14c0:1000::/36;
deny 2a07:14c0:2000::/36;
deny 2a07:14c0:4000::/36;
deny 2a07:14c0:6000::/35;
deny 2a07:14c0:8000::/33;
deny 2a07:14c1::/32;
deny 2a07:14c2::/31;
deny 2a07:14c4::/30;
deny 2a09:400::/35;
deny 2a09:400:3000::/36;
deny 2a09:400:8000::/36;
deny 2a09:402::/31;
deny 2a09:404::/31;
deny 2a09:406::/32;
deny 2a09:407:3000::/36;
deny 2a09:407:9000::/36;
deny 2a09:407:d000::/36;
deny 2a09:407:e000::/36;
deny 2a09:d80::/29;
deny 2a09:3501::/32;
deny 2a09:3502::/31;
deny 2a09:3504::/32;
deny 2a09:3505:2000::/35;
deny 2a09:3507::/32;
deny 2a09:3701::/32;
deny 2a09:3b00::/29;
deny 2a09:3d00::/29;
deny 2a09:4e00::/29;
deny 2a09:6905::/32;
deny 2a09:6f00::/29;
deny 2a09:a4c0::/29;
deny 2a09:b680::/29;
deny 2a09:ce00::/29;
deny 2a0a:b40::/29;
deny 2a0a:3540::/29;
deny 2a0a:c3c0::/29;
deny 2a0a:f200::/29;
deny 2a0b:b0c0::/29;
deny 2a0b:bd00::/29;
deny 2a0c:2107::/32;
deny 2a0c:5240::/32;
deny 2a0c:5242::/31;
deny 2a0c:5244::/31;
deny 2a0c:5246::/32;
deny 2a0c:5247::/34;
deny 2a0c:5247:4000::/36;
deny 2a0c:5247:6000::/36;
deny 2a0c:5247:8000::/34;
deny 2a0c:5247:d000::/36;
deny 2a0c:5247:e000::/35;
deny 2a0c:ab07:5000::/36;
deny 2a0c:e8c0::/29;
deny 2a0d:5ec1:6000::/36;
deny 2a0d:5ec2::/31;
deny 2a0d:5ec4::/32;
deny 2a0d:60c1::/32;
deny 2a0d:60c2::/32;
deny 2a0d:60c4::/30;
deny 2a0d:7740::/29;
deny 2a0d:8b00::/29;
deny 2a0d:abc0::/29;
deny 2a0d:d500::/29;
deny 2a0d:e4c0::/31;
deny 2a0d:e4c2::/32;
deny 2a0d:e4c4::/30;
deny 2a0d:f340::/29;
deny 2a0e:fb43::/32;
deny 2a0f:9880::/29;
deny 2a0f:c580::/29;
deny 2a0f:cc80::/29;
deny 2a10:2ec1::/32;
deny 2a10:2ec3::/32;
deny 2a10:2ec7:5000::/36;
deny 2a10:c0c1::/32;
deny 2a10:c0c3::/32;
deny 2a10:c340::/29;
deny 2a11:200:5000::/36;
deny 2a11:200:6000::/35;
deny 2a11:201::/32;
deny 2a11:202::/31;
deny 2a11:680::/29;
deny 2a11:780:7000::/36;
deny 2a11:b80:1000::/36;
deny 2a11:b80:3000::/36;
deny 2a11:b80:5000::/36;
deny 2a11:b80:6000::/35;
deny 2a11:b80:8000::/34;
deny 2a11:b80:c000::/35;
deny 2a11:b81::/32;
deny 2a11:c80::/29;
deny 2a11:d80::/29;
deny 2a11:e80::/32;
deny 2a11:e83::/32;
deny 2a11:e84::/30;
deny 2a11:af01::/32;
deny 2a11:af05::/32;
deny 2a11:af06::/31;
deny 2a12:7c01::/32;
deny 2a12:7c02::/31;
deny 2a12:7c04::/31;
# (AS29182) JSC IOT
deny 2a01:230::/32;
deny 2a06:dc40::/29;
deny 2a09:3707::/33;
deny 2a09:f900::/30;
deny 2a09:f904::/31;
deny 2a09:f906::/32;
deny 2a0a:b381::/32;
deny 2a0e:fb47::/32;
deny 2a0f:3103::/32;
deny 2a0f:8443::/32;
deny 2a13:2980::/29;
# (AS50113) NTX Technologies S.R.O.
deny 2a04:5200::/42;
deny 2a04:5200:40::/43;
deny 2a04:5200:60::/45;
deny 2a04:5200:69::/48;
deny 2a04:5200:6a::/47;
deny 2a04:5200:6c::/46;
deny 2a04:5200:70::/44;
deny 2a04:5200:80::/41;
deny 2a04:5200:100::/40;
deny 2a04:5200:200::/39;
deny 2a04:5200:400::/38;
deny 2a04:5200:800::/37;
deny 2a04:5200:1000::/36;
deny 2a04:5200:2000::/35;
deny 2a04:5200:4000::/36;
deny 2a04:5200:5000::/37;
deny 2a04:5200:5800::/40;
deny 2a04:5200:5900::/42;
deny 2a04:5200:5940::/43;
deny 2a04:5200:5960::/44;
deny 2a04:5200:5970::/46;
deny 2a04:5200:5974::/47;
deny 2a04:5200:5976::/48;
deny 2a04:5200:5978::/45;
deny 2a04:5200:5980::/41;
deny 2a04:5200:5a00::/39;
deny 2a04:5200:5c00::/38;
deny 2a04:5200:6000::/35;
deny 2a04:5200:8000::/33;
deny 2a04:5202::/31;
deny 2a04:5204::/30;
deny 2a07:57c0::/32;
deny 2a07:9b83::/32;
deny 2a0a:981::/32;
deny 2a0a:9300::/48;
deny 2a0a:9300:aaaa::/48;
# (AS35048) Biterika Group LLC
# ipv6
deny 2a06:d647::/32;
deny 2a07:ca07::/32;
deny 2a0a:5680::/29;
deny 2a0a:b387::/32;
deny 2a0b:2d87::/32;
deny 2a0e:8140::/29;
deny 2a0e:cd40::/29;
deny 2a0f:d000::/29;
# ipv4
deny 2.59.50.0/24;
deny 5.183.130.0/24;
deny 31.40.203.0/24;
deny 45.11.20.0/23;
deny 45.15.72.0/23;
deny 45.15.236.0/23;
deny 45.81.136.0/23;
deny 45.84.176.0/23;
deny 45.86.0.0/23;
deny 45.87.252.0/23;
deny 45.89.16.0/22;
deny 45.90.196.0/24;
deny 45.134.180.0/22;
deny 45.134.252.0/23;
deny 45.135.32.0/23;
deny 45.139.125.0/24;
deny 45.139.176.0/23;
deny 45.140.52.0/22;
deny 45.142.252.0/23;
deny 45.144.36.0/24;
deny 45.145.116.0/22;
deny 45.147.192.0/23;
deny 45.151.145.0/24;
deny 46.8.10.0/23;
deny 46.8.14.0/23;
deny 46.8.16.0/23;
deny 46.8.22.0/23;
deny 46.8.56.0/23;
deny 46.8.106.0/23;
deny 46.8.110.0/23;
deny 46.8.154.0/23;
deny 46.8.156.0/23;
deny 46.8.192.0/23;
deny 46.8.212.0/23;
deny 46.8.222.0/23;
deny 77.83.84.0/24;
deny 77.83.148.0/23;
deny 77.94.1.0/24;
deny 84.54.53.0/24;
deny 91.188.244.0/24;
deny 92.119.193.0/24;
deny 94.158.190.0/24;
deny 95.182.124.0/22;
deny 109.248.12.0/22;
deny 109.248.48.0/23;
deny 109.248.54.0/23;
deny 109.248.128.0/23;
deny 109.248.138.0/23;
deny 109.248.142.0/23;
deny 109.248.166.0/23;
deny 109.248.204.0/23;
deny 176.53.186.0/24;
deny 185.181.244.0/22;
deny 188.130.128.0/23;
deny 188.130.136.0/23;
deny 188.130.142.0/23;
deny 188.130.184.0/22;
deny 188.130.188.0/23;
deny 188.130.210.0/23;
deny 188.130.218.0/23;
deny 188.130.220.0/23;
deny 192.144.31.0/24;
deny 193.53.168.0/24;
deny 193.58.168.0/23;
deny 194.32.229.0/24;
deny 194.32.237.0/24;
deny 194.34.248.0/24;
deny 194.35.113.0/24;
deny 194.156.92.0/24;
deny 194.156.96.0/23;
deny 194.156.123.0/24;
deny 212.115.49.0/24;
deny 213.226.101.0/24;
# (AS45027) LLC Internet Tehnologii
deny 2a05:540::/32;
deny 2a05:541::/40;
deny 2a05:541:101::/48;
deny 2a05:541:10a::/47;
deny 2a05:541:10c::/46;
deny 2a05:541:119::/48;
deny 2a05:541:11a::/47;
deny 2a05:541:11c::/46;
deny 2a05:541:123::/48;
deny 2a05:541:125::/48;
deny 2a05:541:126::/47;
deny 2a05:541:12a::/47;
deny 2a05:541:12c::/46;
deny 2a05:541:130::/44;
deny 2a05:541:140::/42;
deny 2a05:541:180::/41;
deny 2a05:541:200::/39;
deny 2a05:541:400::/38;
deny 2a05:541:800::/37;
deny 2a05:541:1000::/36;
deny 2a05:541:2000::/35;
deny 2a05:541:4000::/34;
deny 2a05:541:8000::/33;
deny 2a05:542::/31;
deny 2a05:544::/30;
deny 2a06:c000::/29;
deny 2a0b:1580::/29;
deny 2a0d:1ac7::/32;
deny 2a0e:7040::/29;
deny 2a0f:380::/29;
# (AS60389) Manir LLC
deny 2a09:6907::/32;
deny 2a0e:eec2::/32;
deny 2a0f:6fc7::/32;
# (AS213220) Delta Ltd
deny 2a0d:6c2::/48;
deny 2a0e:c147::/32;
deny 2a0f:6fc6::/32;
deny 2a0f:8444::/32;
deny 2a0f:c082::/32;
deny 2a13:3d80::/48;
deny 2a13:3d80:8000::/33;
deny 2a13:3d82::/31;
deny 2a13:3d84::/30;
# (AS49492) Mehed Studio LLC
deny 2a09:3707:8000::/33;
deny 2a12:a347:1::/48;
# (AS34665) Petersburg Internet Network Ltd.
deny 2a05:541:115::/48;
deny 2a0b:d000::/29;
deny 2a0e:e5c0::/29;
deny 2a0f:3180::/29;
deny 2a0f:8580::/29;
# (AS211027) Perfect Cloud Technologies LLC
deny 194.26.210.0/24;
deny 2a0f:6fc1::/32;
deny 2a11:780:1000::/36;
deny 2a11:780:3000::/36;
deny 2a11:780:9000::/36;
deny 2a11:780:a000::/35;
deny 2a11:780:d000::/36;
deny 2a11:780:e000::/35;
deny 2a11:781::/32;
deny 2a11:782::/32;
deny 2a11:e81::/32;
deny 2a11:e82::/32;
deny 2a11:af00::/32;
deny 2a11:af02::/31;
deny 2a11:af04::/32;
deny 2a11:af06:2000::/35;
deny 2a12:7c00::/32;
deny 2a12:7c06::/31;
# (AS56630) Melbikomas UAB
deny 2a03:f80:7::/48;
deny 2a03:f80:70::/48;
deny 2a03:f80:359::/48;
deny 2a03:f80:370::/47;
deny 2a03:f80:3991::/48;
deny 2a06:f900::/36;
deny 2a06:f900:4000::/36;
deny 2a06:f901::/36;
deny 2a06:f902::/36;
deny 2a06:f903::/36;
deny 2a06:f904::/36;
deny 2a06:f905::/36;
deny 2a06:f906::/36;
deny 2a06:f907::/36;
deny 2a06:f907:4000::/36;
deny 2a0d:8400::/32;
deny 5.182.228.0/22;
deny 5.188.172.0/23;
deny 5.188.180.0/22;
deny 31.40.216.0/22;
deny 45.135.120.0/22;
deny 45.141.8.0/22;
deny 45.150.232.0/22;
deny 77.72.16.0/21;
deny 88.210.38.0/23;
deny 88.218.240.0/22;
deny 89.34.238.0/24;
deny 91.192.80.0/24;
deny 91.192.83.0/24;
deny 91.201.64.0/22;
deny 92.119.88.0/22;
deny 93.189.56.0/23;
deny 93.189.58.0/24;
deny 93.189.60.0/22;
deny 94.241.128.0/22;
deny 94.241.184.0/22;
deny 178.253.8.0/22;
deny 178.253.48.0/22;
deny 185.6.12.0/22;
deny 185.40.5.0/24;
deny 185.117.117.0/24;
deny 185.131.64.0/22;
deny 185.135.84.0/22;
deny 185.140.12.0/22;
deny 185.140.208.0/23;
deny 185.224.248.0/22;
deny 185.232.168.0/24;
deny 185.246.152.0/22;
deny 192.36.41.0/24;
deny 192.36.61.0/24;
deny 192.71.26.0/24;
deny 192.121.171.0/24;
deny 194.53.55.0/24;
deny 194.59.46.0/24;
deny 194.59.59.0/24;
deny 194.59.142.0/24;
deny 194.59.155.0/24;
deny 194.68.225.0/24;
deny 194.71.107.0/24;
deny 195.238.124.0/22;
deny 212.23.200.0/24;
deny 213.183.32.0/23;
deny 213.183.36.0/22;
deny 213.183.40.0/21;
deny 213.183.48.0/20;
deny 213.226.68.0/22;
deny 217.30.8.0/22;
# (AS204490) Kontel LLC
deny 46.8.18.0/23;
deny 46.8.208.0/22;
deny 46.8.220.0/23;
deny 46.8.255.0/24;
deny 94.232.47.0/24;
deny 95.182.79.0/24;
deny 109.248.10.0/23;
deny 109.248.200.0/22;
deny 185.127.24.0/22;
deny 185.154.20.0/22;
deny 185.186.140.0/22;
deny 185.244.40.0/22;
deny 185.247.140.0/24;
deny 185.247.142.0/23;
deny 188.130.132.0/22;
deny 188.130.138.0/23;
deny 2a0d:c580::/29;
# (AS205125) Network Management Ltd
deny 45.95.201.0/24;
deny 2a03:e2c0::/32;
deny 2a0d:8340::/32;
# allow all;
server {
# ...
include block_bots.conf;
allow all;
# ...
}
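
As an added example (not part of the original gist), this Python script checks access-log client addresses against the active deny rules of block_bots.conf and groups any uncovered addresses by prefix, which gives the list to feed into the provider lookup described above. The function names, the abbreviated log format and the last log line (a documentation-range address) are assumptions; the rules and the other addresses are excerpts from this page.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of block_bots.conf from this page (not the full list).
CONF = """\
# (AS44812) IP SERVER LLC
#deny 2a07:ac00::/24;
deny 2a0d:e282::/32;
deny 2a0d:e285::/32;
# (AS204916) Racktech Co. Ltd.
deny 2a11:b81::/32;
# (AS60389) Manir LLC
deny 2a09:6907::/32;
"""

# Log lines abbreviated from the sample on this page; the last one is
# constructed (documentation range 2001:db8::/32) to show an uncovered client.
LOG = """\
2a11:b81:b0f6:2b32:f171:72f2:ea2e:aeab - - "GET /contacts HTTP/1.1" 403 196
2a0d:e285:7ce3:1a12:a0ca:f0ec:d1b3:233d - - "GET /contacts HTTP/1.1" 403 196
2a0d:e282:c0fd:3c13:964e:c14:c4da:5d43 - - "GET /news/detail/1230 HTTP/1.1" 403 196
2a09:6907:419a:c1d0:e14e:18d8:eac2:2ee0 - - "GET /favicon.ico HTTP/1.1" 403 196
2001:db8:1234:5678::1 - - "GET /info HTTP/1.1" 200 5120
"""

def parse_rules(conf):
    """Return [(network, asn)] for active deny rules, in file order."""
    rules, asn = [], "unlabelled"
    for line in map(str.strip, conf.splitlines()):
        header = re.match(r"#\s*\((AS\d+)\)", line)
        rule = re.match(r"deny\s+(\S+);", line)
        if header:
            asn = header.group(1)
        elif rule:  # commented-out "#deny ..." lines never match
            rules.append((ipaddress.ip_network(rule.group(1)), asn))
    return rules

def audit(log, rules):
    """Count denied requests per ASN; group the rest by /32 (v6) or /24 (v4)."""
    covered, uncovered = Counter(), Counter()
    for line in filter(None, map(str.strip, log.splitlines())):
        ip = ipaddress.ip_address(line.split()[0])
        asn = next((a for net, a in rules if ip in net), None)
        if asn:
            covered[asn] += 1
        else:  # candidate prefix for a provider/ASN lookup
            width = 32 if ip.version == 6 else 24
            uncovered[str(ipaddress.ip_network(f"{ip}/{width}", strict=False))] += 1
    return covered, uncovered
```

Calling `audit(LOG, parse_rules(CONF))` returns the per-ASN hit counts and the uncovered prefixes; the /32 and /24 grouping is only a starting point, since the announced route for a provider may be wider or narrower.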