nginx 1.7: banning, even if Learning Mode on.

Started by mrpsycho, February 06, 2019, 08:17:53 PM

latest opnsense with latest nginx module.

I turned Learning Mode ON for every location, and still see errors: Unsucessful status code You got banned permanently from this server.

How do I turn off this blocking rule? Or set it up to bypass all traffic?

Also, I see 192.168.2.225 in the banned list...
Then I'm trying to look in the log:

root@OPNsense:~ # cat /var/log/nginx/* | grep 2.225
root@OPNsense:~ #


And there is nothing!

How can I prevent it from being banned?

After several tests I found the problem - it is the "User Agent".

And it actually sucks that it blocks on nginx by incorrect user agent.

Because this is the first thing spammers change... but it blocks relevant traffic from scripts and other dev stuff.

Quote from: mrpsycho on February 07, 2019, 05:47:15 PM
And it actually sucks that it blocks on nginx by incorrect user agent.
https://tools.ietf.org/html/rfc2616#section-14.43
The user agent may contain some information to identify your application (in reality it almost always does).

Quote from: mrpsycho on February 07, 2019, 05:47:15 PM
Because this is the first thing spammers change... but it blocks relevant traffic from scripts and other dev stuff.
No, believe me, most of the scanners in my log don't. They don't even understand the HTTPS redirect. In my opinion, every developer working with HTTP should know how to set a proper user agent. If not, the feature can still be disabled by a checkbox.
For learning mode: This controls the WAF (naxsi), not the bot defence.


Thank you, @fabian.

It makes sense... but where do I find this checkbox?

In the server config I can't see it...


And yes, in mobile development the customer asks to set a special User Agent... like: okhttp/2.1.2.2

You need to toggle the advanced settings to make it visible.


April 02, 2019, 07:25:29 AM #7 Last Edit: April 02, 2019, 07:33:29 AM by opnsenseusr
I see that the included protection for bots blocks the following User-Agents:

Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0

Is it possible to edit the list of default bad bots from GUI or would I have to edit from CLI every time the nginx config is changed? I have an application that uses the User-Agent "OKhttp" and would like to just allow this user-agent rather than disabling the entire protection from GUI
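
Added example (not from any poster in this thread and not OPNsense code): a Python check that runs the User-Agent alternation quoted above over nginx access-log lines, to see which clients it would catch before the bot protection is left enabled. The log lines are constructed, and unanchored, case-insensitive matching is an assumption about how the template applies the list; pass `ignore_case=False` to compare.

```python
import re

# Alternation copied from the post above (the duplicated "ltx71" is kept as quoted).
BLOCKED = (
    "Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|"
    "Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0"
)

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not taken from the thread's server).
SAMPLE_LOG = [
    '192.168.2.225 - - [06/Feb/2019:20:10:01 +0100] "GET /api/items HTTP/1.1" 200 153 "-" "okhttp/2.1.2.2"',
    '192.0.2.10 - - [06/Feb/2019:20:10:05 +0100] "GET /health HTTP/1.1" 200 2 "-" "python-requests/2.21.0"',
    '192.0.2.11 - - [06/Feb/2019:20:10:09 +0100] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"',
    '192.0.2.12 - - [06/Feb/2019:20:10:12 +0100] "POST /api/sync HTTP/1.1" 200 48 "-" "OKhttp/3.12.1"',
    'line that is not in combined format',
]


def would_ban(lines, ignore_case=True):
    """Return {client_ip: {user_agent: matched_token}} for requests the list would hit.

    ignore_case=True is an assumption about the template; the match is unanchored,
    so a token anywhere inside the User-Agent header counts.
    """
    pattern = re.compile(BLOCKED, re.IGNORECASE if ignore_case else 0)
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that are not in combined format
        token = pattern.search(m.group("ua"))
        if token:
            hits.setdefault(m.group("ip"), {})[m.group("ua")] = token.group(0)
    return hits


if __name__ == "__main__":
    for ip, agents in would_ban(SAMPLE_LOG).items():
        for ua, token in agents.items():
            print(f"{ip}\t{ua!r} matches {token!r}")
```
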

No, it is hardcoded in the config. You can use the plugin interface to create a similar config and disable the internal check.


https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L241

The UUID is the id you get in the config.xml and in the api for the HTTP server.

Quote from: fabian on April 02, 2019, 05:51:35 PM
No, it is hardcoded in the config. You can use the plugin interface to create a similar config and disable the internal check.


https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L241

The UUID is the id you get in the config.xml and in the api for the HTTP server.

Thank you. This worked perfectly. Took me a minute to realize I had to create the UUID_pre/ folder.

Regards

No problem - it is not well documented since this is an internal plugin hook for plugins that want to use the nginx plugin for their purposes. There is also a UUID_post, which is after all internal rules, and there is a special directory for custom vhosts (also for streams).