Skip to content

Commit

Permalink
ADD deny.d/deny.conf Closes: #278 [ci skip]
Browse files Browse the repository at this point in the history 
Introduces some basic and customizable security rules for nginx servers and sites. This is an optional set of rules to use in addition to the blocker as this blocks a lot of request methods / query string attacks. Highly suggested to be included on all your vhosts in the server{} block. REF: #185
  • Loading branch information
@mitchellkrogza
mitchellkrogza committed Jul 4, 2019
1 parent 21d4eca commit 7097566
Showing 1 changed file with 274 additions and 0 deletions.
274 changes: 274 additions & 0 deletions deny.d/deny.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,274 @@
##############################################################################
# _ __ _ #
# / |/ /__ _(_)__ __ __ #
# / / _ `/ / _ \\ \ / #
# /_/|_/\_, /_/_//_/_\_\ #
# __/___/ __ ___ __ ___ __ __ #
# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ #
# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ #
# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ #
# #
##############################################################################

# ------------------------------------------------------------------------------
# MIT License
# ------------------------------------------------------------------------------
# Copyright (c) 2017 Mitchell Krog - [email protected]
# https://github.com/mitchellkrogza
# ------------------------------------------------------------------------------
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# ------------------------------------------------------------------------------
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# ------------------------------------------------------------------------------
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# ------------------------------------------------------------------------------

# -----------------------------------------
# Additional Security Rules for Nginx Sites
# -----------------------------------------


# deny.conf
# Global restrictions configuration file.
# Designed to be included in any server {} block.
# This is an optional and fully customizable add-on to the Nginx Ultimate Bad Bot Blocker
# Any rules you DON'T want active simply comment them out

# To use this set of rules, add the include below into each server block.
# add this at the very top of your server blocks before any other location rules
# include /etc/nginx/deny.d/deny.conf;

# By default I always issue a 444 response to all rules
# you can change this to anything you like
# Example: return 403;
# Example: deny all;

## -------------
# GENERAL RULES
## -------------

##
# Deny all attempts to access hidden files such as
# .htaccess, .htpasswd, .DS_Store (Mac).
##

location ~ /\. {
return 444;
}

##
# Deny access to any files with a .php extension in any uploads / files directory
# add more folder names to protect as you like
##

location ~* /(?:uploads|files)/.*\.php$ {
return 444;
}

##
# Protect Perl/CGI/etc files
# Very few sites run perl or cgi scripts anymore, block them !!
# and block people even looking for them
##

location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}

##
# Protect .git files and repositories
# If you use git versioning control on any of your sites, this rule is a must
##

location ~ /\.git {
return 444;
}

##
# Block common hacks
##

location ~* .(display_errors|set_time_limit|allow_url_include.*disable_functions.*open_basedir|set_magic_quotes_runtime|webconfig.txt.php|file_put_contentssever_root|wlwmanifest) {
return 444;
}

location ~* .(globals|encode|localhost|loopback|xmlrpc|revslider|roundcube|webdav|smtp|http\:|soap|w00tw00t) {
return 444;
}

##
# Protect other sensitive files
##

location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
return 444;
}

##
# Block access to any disallowed server methods
##

if ($request_method = PROPFIND) {
return 444;
}

##
# Block server request methods that "may" unnecessary for serving your content
# Only activate this rule if you know what you are doing and what the consequences are.
##

#if ($request_method !~ ^(GET|POST|HEAD)$ ) {
#return 444;
#}

##
# Help guard against SQL injection
##

location ~* .(\;|'|\"|%22).*(request|insert|union|declare|drop)$ {
return 444;
}

##
# Block attempts to access PHPMyAdmin.
# If you use phpmyadmin, DO NOT activate this rule !!!
# Disabled by default
##

#location ~* .(administrator|[pP]hp[mM]y[aA]dmin) {
#return 444;
#}


## ------------------------
# WORDPRESS SPECIFIC RULES
## ------------------------

##
# Block access to anything non image/video/music/document related from your uploads folder.
##
location ~* ^/wp-content/uploads/.*.(asp|cgi|htm|html|js|jsp|php|pl|py|sh|shtml|swf)$ {
return 444;
}

##
# Restrict access to wp-login.php
# MUST create the zone wp-login
# Add this zone below to nginx.conf or to vhost BEFORE server {} block
# limit_req_zone $binary_remote_addr zone=wp-login:10m rate=1r/s;
# uncomment this rule below to make it active
# also make SURE you have the correct path to your php7 fpm
##

#location = /wp-login.php {
#limit_req zone=wp-login burst=2 nodelay;
#include /etc/nginx/fastcgi_params;
#fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#fastcgi_param SCRIPT_FILENAME $request_filename;
#fastcgi_pass_header Set-Cookie;
#fastcgi_pass_header Cookie;
#fastcgi_split_path_info ^(.+?.php)(/.+)$;
#}

##
# Protect any config files in your web root
##

location ~* /(wp-config.php|nginx.conf|wp-config-sample.php) {
return 444;
}

##
# Disallows Access to all text and readme files in Wordpress root
##

location ~* ^/(readme|license|schema|password|passwords).*.(txt|html)$ {
return 444;
}

##
# Disallows Access to any .conf or .sql files which you may have stored in your root
##

location ~* ^/*.(conf|sql)$ {
return 444;
}

##
# Disallows Access to plugin or theme readme files
# Also helps block Wordpress Theme Detectors
##

location ~* /wp-content/.*.txt$ {
return 444;
}

## ---------------------------------------------
# Let's Encrypt SSL ACME Challenge Requirements
## ---------------------------------------------

##
# ACME Challenge Rule
##
location /.well-known/acme-challenge {
allow all;
default_type "text/plain";
root /tmp/letsencrypt;
autoindex on;
}

## ---------------------
# Image Anti-Hotlinking
## ---------------------

##
# Allows only specified servers from linking to images
# Adjust to your own needs
##
location ~* \.(gif|jpg|jpeg|png)$ {
valid_referers none blocked ~.google. ~.bing. ~.yahoo. ~.facebook. ~.fbcdn. ~.ask. server_names ~($host);
if ($invalid_referer) {
return 444;
}
}

## ---------
# END RULES
## ---------

# ------------------------------------------------------------------------------
# MIT License
# ------------------------------------------------------------------------------
# Copyright (c) 2017 Mitchell Krog - [email protected]
# https://github.com/mitchellkrogza
# ------------------------------------------------------------------------------
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# ------------------------------------------------------------------------------
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# ------------------------------------------------------------------------------
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# ------------------------------------------------------------------------------

0 comments on commit 7097566

Please sign in to comment.