Countermeasures against unwanted access on Nginx

Last Updated: 2021/12/13 12:40:54

If you are an experienced engineer, you probably have your own policy for server security. In my case, I configure every server to return HTTP 403 on unwanted requests such as these:

  • .svn, .git, .htaccess, .env, and other dot files or configuration files.
  • wp-config.php, xmlrpc.php, wp-admin, wp-includes (they are common targets of attacks on WordPress vulnerabilities).
  • files for which server monitoring alerts are often triggered, such as /api/v1/time.

TIP

If you use WordPress, you should not restrict access to wp-admin or wp-includes, and if you use the XML-RPC API, you should not restrict xmlrpc.php either.

The Nginx configuration then looks like this:

# Return 403 for sensitive files and directories. Regex locations are tried in
# file order and the first match wins, so keep these blocks above any
# "location ~ \.php$" block that passes requests to PHP-FPM.
# "(/|$)" instead of a bare "$" also catches paths below a dot-directory,
# e.g. /.git/config, not only /.git itself.
location ~* /((wp-config|xmlrpc)\.php|\.(svn|git|env|htaccess))(/|$) {
	return 403;
}
# Unanchored: matches these segments anywhere in the path, e.g. /blog/wp-admin/.
location ~* (/api/v1/time|/wp-admin|/wp-includes) {
	return 403;
}

In my case, many servers run without PHP, or without the ".php" extension in their URLs. On these servers I block all access to .php URLs:

# No PHP on this host: refuse every .php URL (including /foo.php/path-info)
# together with the dot files. "(/|$)" also covers paths such as /.git/config.
location ~* /(.*\.php|\.(svn|git|env|htaccess))(/|$) {
	return 403;
}
# Unanchored: matches these segments anywhere in the path.
location ~* (/api/v1/time|/wp-admin|/wp-includes) {
	return 403;
}

Then make sure there is no error with nginx -t, and reload the server configuration.

$ nginx -t
$ systemctl reload nginx
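nginx -t only checks syntax; it does not tell you which request paths a regex location actually catches. The following is an added Python check, not part of the original post, that applies the two location patterns the way nginx does (case-insensitive for `~*`, against the query-stripped and percent-decoded path, first regex in file order wins) to a constructed list of request paths. It compares the rule anchored with a bare trailing `$`, which matches `/.git` itself but not `/.git/config`, with the `(/|$)` anchor, which catches both; the URI normalization is a simplification of nginx's, as noted in the code.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed rule sets. EXACT and PATHS are the two patterns from the post;
# DOTDIR is EXACT with "(/|$)" in place of the bare "$" so that entries below
# a dot-directory (e.g. /.git/config) are matched as well.
EXACT = r"/((wp-config|xmlrpc)\.php|\.(svn|git|env|htaccess))$"
DOTDIR = r"/((wp-config|xmlrpc)\.php|\.(svn|git|env|htaccess))(/|$)"
PATHS = r"(/api/v1/time|/wp-admin|/wp-includes)"

POST_RULES: Dict[str, str] = {"post_exact": EXACT, "post_paths": PATHS}
DOTDIR_RULES: Dict[str, str] = {"dotdir": DOTDIR, "post_paths": PATHS}


def normalize(uri: str) -> str:
    """Approximate the URI nginx matches regex locations against: the path
    without the query string, percent-decoded. (Simplified: nginx also merges
    repeated slashes and resolves '..', which is not modelled here.)"""
    return unquote(uri.split("?", 1)[0])


def blocked_by(uri: str, rules: Dict[str, str]) -> Optional[str]:
    """Name of the first matching rule, mirroring nginx's behaviour that the
    first regex location in file order wins; None means the request passes.
    re.IGNORECASE corresponds to the "~*" location modifier."""
    path = normalize(uri)
    for name, pattern in rules.items():
        if re.search(pattern, path, re.IGNORECASE):
            return name
    return None


def audit(uris, rules: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Run every request path through a rule set and report the verdicts."""
    return {u: blocked_by(u, rules) for u in uris}


# Constructed sample requests of the kind that show up in access logs.
SAMPLE_URIS = [
    "/wp-config.php", "/XMLRPC.PHP?rsd", "/blog/wp-admin/admin-ajax.php",
    "/api/v1/time", "/.env", "/.git/config", "/%2Egit/HEAD", "/index.php",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:32} post={blocked_by(uri, POST_RULES)!s:12} "
              f"dotdir={blocked_by(uri, DOTDIR_RULES)}")
```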

Copyright © Web Ninja All Rights Reserved.