nginx vulnerability scanner

September 29, 2016 6.4k views
Nginx Apache WordPress
info9e3aefeb489
By:
info9e3aefeb489

I recently changed servers from Apache to Nginx…
How do I write this information (.htaccess) a simple redirect against web scanner on file nginx.conf:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^w3af.sourceforge.net [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dirbuster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nikto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} wpscan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SF [OR]
RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} fimap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nessus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} whatweb [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Openvas [NC,OR]
RewriteCond %{HTTP_USER_AGENT} jbrofuzz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwhisker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webshag [NC,OR]
RewriteCond %{HTTP:Acunetix-Product} ^WVS
RewriteRule ^.* http://127.0.0.1/ [R=301,L]
</IfModule>

Thank you!

edited by kamaln7
Sign In to Comment
2 Answers
kamaln7 MOD September 29, 2016

Hi!

The htaccess rules that you’ve posted block traffic whose user-agent matches a specific list. The user agent in nginx is stored in the $http_user_agent variable, so you will want to compare that against a Regular Expression pattern and block the requests if it does match.

One more thing to note is that the htaccess rules use the [NC] flag, which makes Apache match the patterns in a case-insensitive manner. The nginx equivalent is appending an * to the ~, as you can see below.

if ($http_user_agent ~* (^w3af.sourceforge.net|dirbuster|nikto|wpscan|SF|sqlmap|fimap|nessus|whatweb|Openvas|jbrofuzz|libwhisker|webshag)) {
    return 444;
}

return 444 simply drops the connection. You might want to do that instead of sending back a redirect to 127.0.0.1. Though, you can replace it with 403 in order to send a 403 Forbidden error.

Finally, to check if the Acunetix-Product header exists, add the following if block:

if ($http_acunetix_product) {
    return 444;
}
Report
info9e3aefeb489 September 30, 2016

Thanks works!
You’ve solved many problems ;-) Grazie dall'Italia

Report
Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Related