3

I have this in my .conf file for my website in an attempt to block 2 user agents from constantly probing my server.

## Block http user agent - morpheus fucking scanner ##
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
   return 403;
}

I've also tried the following, with no luck:

if ($http_user_agent ~* ("morfeus fucking scanner|ZmEu"))
if ($http_user_agent ~* (morfeus fucking scanner|ZmEu))
if ($http_user_agent ~* ("morfeus fucking scanner"|"ZmEu"))
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu")
if ($http_user_agent ~* morfeus fucking scanner|ZmEu)

It worked well when I only had 1 user agent, but in an attempt to add a second, these user agents are still able to probe the server.

111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"

According to these two posts, "#12: How Do I Deny Certain User-Agents?" and "HowTo: Nginx Block User Agent", I think I'm set up correctly, but it doesn't seem to be working.


EDIT

Here is the nginx version and whole conf file

nginx version: nginx/1.2.7

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;

    access_log  /var/log/nginx/XXXXXX/access.log  main;
    error_log /var/log/nginx/XXXXXX/error.log;

    root /srv/www/XXXXXX;

    location / {
        index  index.html index.htm index.php;

        #5/22/2012 - Turn on Server Side Includes
        ssi on;

        ## Block http user agent - morpheus fucking scanner ##
        if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
           return 403;
        }

        ## Only allow GET and HEAD request methods. By default Nginx blocks
        ## all request types other than GET and HEAD for static content.
        if ($request_method !~ ^(GET|HEAD)$ ) {
          return 405;
        }
    }

    location ~ \.php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        #fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /srv/www/XXXXXX/$fastcgi_script_name;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # Redirect server error pages to the static page
    error_page 403 404 /error403.html;
    location = /error403.html {
        root /usr/share/nginx/html;
    }
}
ProfessionalAmateur
  • possible duplicate of [nginx deny user agent causes error when not encapsulated in quotes](http://serverfault.com/questions/478645/nginx-deny-user-agent-causes-error-when-not-encapsulated-in-quotes) – mgorven Feb 19 '13 at 23:37
  • @mgorven - That was posted by me as well. The solution there allowed me to start up `nginx` but it doesn't block the agents anymore. – ProfessionalAmateur Feb 19 '13 at 23:47
  • Then you should edit your previous question to indicate this, since you still haven't achieved your goal. – mgorven Feb 19 '13 at 23:50
  • @mgorven - This is a different problem. The previous question wouldn't allow me to start nginx. This second issue isn't functioning (nginx starts, but the configuration isn't blocking user agents) as I expected it to. I feel it deserves its own unique question to not muddy the water. – ProfessionalAmateur Feb 19 '13 at 23:53
  • The [answer I posted in the previous question](http://serverfault.com/a/478654/115189) works as intended for me with nginx 1.1.19. Please post your entire config because those requests are probably hitting different location blocks. – mgorven Feb 19 '13 at 23:56
  • Updated the OP, version and conf file. It's a pretty simple stupid site. Nothing too crazy. – ProfessionalAmateur Feb 20 '13 at 00:01

3 Answers

4

nginx only applies one location block at each level of the config. All the files which are 404ing are .php files which hit the `\.php` location block, and therefore do not use the `/` location block which contains your user agent block. To fix this, move your user agent block outside the location block to the root level so that it gets applied to all requests.

if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
    return 403;
}

location / {
    ...
}

location ~ \.php {
    ...
}

Edit: You can test this with something like curl which lets you set arbitrary headers:

% curl -I localhost/sf645/blah
HTTP/1.1 404 Not Found
% curl -I -H 'User-agent: ZmEu' localhost/sf645/blah
HTTP/1.1 403 Forbidden
% curl -I -H 'User-agent: morfeus fucking scanner' localhost/sf645/blah
HTTP/1.1 403 Forbidden
mgorven
  • Great, I moved it and restarted services. Now just a waiting game to see when the box gets probed again. Shouldn't take more than a day or two. Good info on blocks only working within their own level, I didn't know that. Thanks. – ProfessionalAmateur Feb 20 '13 at 00:08
  • @ProfessionalAmateur You can test this yourself (see my edit). – mgorven Feb 20 '13 at 00:09
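
Added example (not part of the original answer or of nginx itself): a simplified Python model of how nginx picks a location for the question's server block, replayed over three of the logged requests to show why the `.php` probes returned 404 while the `w00tw00t` probe returned 403. It assumes none of the probed paths exist on disk and leaves out `^~` prefix locations, which this config does not use; all function and variable names are illustrative.

```python
import re

# Locations from the question's server block: (kind, pattern, name).
LOCATIONS = [
    ("prefix", "/", "root"),
    ("regex", r"\.php", "php"),
    ("exact", "/50x.html", "50x"),
    ("exact", "/error403.html", "error403"),
]
BAD_UA = re.compile(r"morfeus fucking scanner|ZmEu", re.IGNORECASE)  # same pattern as ~*

def select_location(uri):
    """Simplified nginx choice: exact match, else first matching regex, else longest prefix."""
    for kind, pat, name in LOCATIONS:
        if kind == "exact" and uri == pat:
            return name
    for kind, pat, name in LOCATIONS:
        if kind == "regex" and re.search(pat, uri):
            return name
    prefixes = [(len(p), n) for k, p, n in LOCATIONS if k == "prefix" and uri.startswith(p)]
    return max(prefixes)[1] if prefixes else None

def status(uri, user_agent, ua_check_at_server_level):
    """Status for a GET of a URI with no file on disk (assumption: probed paths do not exist)."""
    blocked = bool(BAD_UA.search(user_agent))
    if ua_check_at_server_level and blocked:
        return 403                      # server-level "if" runs before a location is chosen
    loc = select_location(uri)
    if loc == "root":
        return 403 if blocked else 404  # the "if" inside "location /" only runs here
    return 404                          # "location ~ \.php": try_files $uri =404

# Constructed from the access-log lines in the question: (URI, logged status), all with UA "ZmEu".
LOGGED = [
    ("/phpMyAdmin/scripts/setup.php", 404),
    ("/w00tw00t.at.blackhats.romanian.anti-sec:)", 403),
    ("/pma/scripts/setup.php", 404),
]

def replay(ua_check_at_server_level):
    """Return the modelled status for each logged request."""
    return [status(uri, "ZmEu", ua_check_at_server_level) for uri, _ in LOGGED]

if __name__ == "__main__":
    print("original config:", replay(False))  # reproduces the logged statuses
    print("fixed config:   ", replay(True))   # every ZmEu request is refused
```
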
1

try this

if ($http_user_agent ~* (morfeus|ZmEu) ) {
   return 403;
}
Mike
0

Try just using the pattern (morfeus). That pipe character is likely screwing up the regular expression pattern matching.

platforms