Countermeasures against unwanted access on Nginx
Category:
Last Updated: 2021/12/13 12:40:54
If you are an experienced engineer, you probably have your own policy for server security. In my case, I configure every server to always return HTTP 403 on unwanted access, which for me means requests for:
- `.svn`, `.git`, `.htaccess`, `.env`, and other dot files or configuration files
- `wp-config.php`, `xmlrpc.php`, `wp-admin`, `wp-includes` (they are often targeted when probing for WordPress vulnerabilities)
- paths that frequently trigger server monitoring alerts, such as `/api/v1/time`
TIP
If you use WordPress, you should not restrict access to `wp-admin` and `wp-includes`, and if you use the XML-RPC API you should not restrict `xmlrpc.php` either.
Then, the Nginx configuration would look like this:

```nginx
location ~* /((wp-config|xmlrpc)\.php|\.(svn|git|env|htaccess))$ {
    return 403;
}
location ~* (/api/v1/time|/wp-admin|/wp-includes) {
    return 403;
}
```
In my case, many servers run no PHP at all, or serve nothing with the extension ".php". On these servers, I restrict all access to `.php` URLs:
```nginx
location ~* /(.*\.php|\.(svn|git|env|htaccess))$ {
    return 403;
}
location ~* (/api/v1/time|/wp-admin|/wp-includes) {
    return 403;
}
```
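As an added check that is not part of the original post: this Python script applies the page's first pair of `location ~*` regexes to a few constructed request targets, approximating the normalized `$uri` that Nginx matches regex locations against (query string dropped, percent-decoding applied, `..` resolved). It also compares them with a hypothetical tightened variant of my own, not the author's, because the trailing `$` in the page's first rule only matches the dot entries at the very end of the URI, so a request for `/.git/config` is not caught by it.

```python
import re
import posixpath
from urllib.parse import unquote, urlsplit

# The two "location ~*" regexes from the page's first configuration,
# written as Python patterns ("~*" means case-insensitive matching).
PAGE_RULES = [
    r"/((wp-config|xmlrpc)\.php|\.(svn|git|env|htaccess))$",
    r"(/api/v1/time|/wp-admin|/wp-includes)",
]

# Hypothetical tightened variant (not from the page): dot entries are
# matched as a whole path component, so "/.git/config" is caught too.
TIGHTENED_RULES = [
    r"/(wp-config|xmlrpc)\.php$",
    r"/\.(svn|git|env|htaccess)(/|$)",
    r"(/api/v1/time|/wp-admin|/wp-includes)",
]

def nginx_uri(request_target: str) -> str:
    """Approximate the $uri nginx matches regex locations against: query
    string dropped, percent-decoding applied, "." and ".." resolved and
    duplicate slashes merged (nginx does this before location matching)."""
    path = unquote(urlsplit(request_target).path) or "/"
    normalized = posixpath.normpath(path)
    # normpath drops a trailing slash; nginx keeps it, so restore it.
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized

def is_blocked(request_target: str, rules=PAGE_RULES) -> bool:
    """True if any rule would route this request to 'return 403'."""
    uri = nginx_uri(request_target)
    return any(re.search(rule, uri, re.IGNORECASE) for rule in rules)

# Constructed sample request targets, not taken from any real log.
SAMPLE_TARGETS = [
    "/index.html", "/.env", "/WP-CONFIG.PHP", "/xmlrpc.php?rsd",
    "/blog/wp-admin/", "/.git/config", "/%2Egit/HEAD", "/static/../.htaccess",
]

def coverage(rules=PAGE_RULES) -> dict:
    """Map each sample target to whether the given rules block it."""
    return {t: is_blocked(t, rules) for t in SAMPLE_TARGETS}

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target:22} page={is_blocked(target)!s:5} "
              f"tightened={is_blocked(target, TIGHTENED_RULES)}")
```

Running the script prints, for each sample target, whether the page's rules and the tightened rules would return 403; the two differ only on the `/.git/...` requests.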
Then, make sure there is no error with `nginx -t` and reload the server configuration:
```sh
$ nginx -t
$ systemctl reload nginx
```