I have this in my .conf
file for my website in attempt to block 2 user agents from constantly probing my server.
## Block http user agent - morpheus fucking scanner ##
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
return 403;
}
Ive also tried the following, with no luck:
if ($http_user_agent ~* ("morfeus fucking scanner|ZmEu"))
if ($http_user_agent ~* (morfeus fucking scanner|ZmEu))
if ($http_user_agent ~* ("morfeus fucking scanner"|"ZmEu"))
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu")
if ($http_user_agent ~* morfeus fucking scanner|ZmEu)
It worked well when I only had 1 user agent, but in attempt to add a second, these user agents are able to probe the server still.
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
111.90.172.235 - - [17/Feb/2013:23:05:22 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 118 "-" "ZmEu" "-"
According to these two posts#12: How Do I Deny Certain User-Agents?, HowTo: Nginx Block User Agent, I think Im setup correctly, but it doesn't seem to be working.
EDIT
Here is the nginx version and whole conf file
nginx version: nginx/1.2.7
server {
listen 80;
server_name localhost;
#charset koi8-r;
access_log /var/log/nginx/XXXXXX/access.log main;
error_log /var/log/nginx/XXXXXX/error.log;
root /srv/www/XXXXXX;
location / {
index index.html index.htm index.php;
#5/22/2012 - Turn on Server Side Includes
ssi on;
## Block http user agent - morpheus fucking scanner ##
if ($http_user_agent ~* "morfeus fucking scanner|ZmEu") {
return 403;
}
## Only allow GET and HEAD request methods. By default Nginx blocks
## all requests type other then GET and HEAD for static content.
if ($request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
}
location ~ \.php {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /srv/www/XXXXXX/$fastcgi_script_name;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# Redirect server error pages to the static page
error_page 403 404 /error403.html;
location = /error403.html {
root /usr/share/nginx/html;
}
nginx only applies one location block at each level of the config. All the files which are 404ing are
.php
files which hit the\.php
location block, and therefore do not use the/
location block which contains your user agent block. To fix this move your user agent block outside the location block to the root level so that it gets applied to all requests.Edit: You can test this with something like
curl
which lets you set arbitrary headers:try this
Try just using the pattern
(morfeus)
. That pipe character is likely screwing up the regular expression pattern matching.