1

I have a Ruby on Rails app behind Nginx. Every once in a while I see requests like GET /phpmyadmin or GET /wp-login.php. Since I don't have those tools installed, it's obvious that those are from someone trying to get into my site.

Does it make sense to add a couple of rules to my Nginx config to automatically return 403 to those requests and not bother the primary app with having to return 404?

Thank you.

art-solopov
  • 113
  • 4
  • Can you provide us with info like: are these requests from a crawler/bot, or are random visitors requesting these pages that do not exist? – mrSotirow Jul 31 '21 at 19:22
  • I've been debating if I should create a rule to add IPs that request things like these to fail2ban. Trying to hack my site? We don't need your traffic. Is this unreasonable? – user10489 Jul 31 '21 at 19:36
  • @mrSotirow Judging by the user agents, they're people. But then again, it's not a good indication. – art-solopov Jul 31 '21 at 19:43
  • @user10489 IIRC there are situations (NAT?) where you can have multiple people behind one IP address. – art-solopov Jul 31 '21 at 19:45
  • @art-solopov It's possible that someone is trying to find a login page or something similar to bruteforce. – mrSotirow Jul 31 '21 at 20:59
  • Does this answer your question? [Strange requests to web server](https://security.stackexchange.com/questions/40291/strange-requests-to-web-server) – mentallurg Aug 01 '21 at 17:34
  • @mentallurg: I don't see this as a duplicate, because this is a more specific question on how this kind of request is best handled in a reverse proxy setup. – Esa Jokinen Aug 01 '21 at 18:24

1 Answer

3

Denying obvious malicious requests having actual payloads like SQL injections or XSS attempts would be building a web application firewall (WAF), which is a useful defence-in-depth strategy against unknown or unpatched vulnerabilities. Denying requests that would already result in 404 errors does not add any security from that perspective, but it might still be a good idea to do it on the reverse proxy as it reduces the load on the backend server(s).

It does not otherwise matter whether you reply with 404 or 403, but by using a different status code you give free hints on what you have denied manually. Consider moving the task to the reverse proxy but continuing to use the status code 404.

Also, take a look at the `proxy_cache_valid` directive; if appropriate, you could e.g. cache all 404 responses for an hour with `proxy_cache_valid 404 1h;`.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
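The setup the answer describes, written out as an Nginx server block. This is an added example, not configuration from the question or the answer; the upstream name `rails_backend`, the port 3000, the cache path `/var/cache/nginx/rails`, the zone name `rails_cache` and `example.com` are assumptions, and the list of probed paths is constructed from the two the question mentions plus a few common WordPress-style siblings.

```nginx
# Added example (not from the original post). Deny scanner probes for
# software that is not installed at the reverse proxy, answering 404 so the
# response matches what the Rails app would have returned anyway, and cache
# the backend's own 404s so repeated probes for other non-existent paths
# also stop reaching Rails.

# Assumed backend: the Rails app listening locally on port 3000.
upstream rails_backend {
    server 127.0.0.1:3000;
}

# Assumed cache location and zone name; 10m of keys is plenty for 404 pages.
proxy_cache_path /var/cache/nginx/rails levels=1:2 keys_zone=rails_cache:10m
                 max_size=100m inactive=1h;

server {
    listen 80;
    server_name example.com;   # assumed hostname

    # Probes for tools that are not installed here. Returning 404 rather than
    # 403 keeps the status identical to a genuinely missing page, so nothing
    # hints that these paths were denied by hand.
    location ~* ^/(phpmyadmin|pma|wp-login\.php|wp-admin|xmlrpc\.php)(/|$) {
        return 404;
    }

    # Everything else is proxied to Rails; its 404 responses are cached for
    # an hour (proxy_cache_valid 404 1h), so the backend sees each unknown
    # path at most once per hour.
    location / {
        proxy_pass http://rails_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_cache rails_cache;
        proxy_cache_key "$scheme$host$request_uri";
        proxy_cache_valid 404 1h;
    }
}
```

Two things to check after dropping this in: `nginx -t` to validate the syntax, and `curl -sI http://example.com/wp-login.php` to confirm the probe now returns 404 without a log line appearing on the Rails side. Note that `return 404;` serves Nginx's built-in 404 page, which looks different from the Rails 404 page; if you want the two indistinguishable, point `error_page 404` at the same static file in both locations. Cached 404s are keyed on the request URI only, so this is appropriate for public paths; Nginx does not cache responses carrying `Set-Cookie` unless told to, which keeps per-session 404s from the app out of the shared cache.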