I was examining my nginx access log today and found this entry
{ "time": "2024-10-20T12:04:56+00:00",
"status": "200",
"address": "139.224.111.126",
"method": "GET",
"protocol": "https",
"ssl_protocol": "TLSv1.3",
"timestamp": 1729425896.223,
"user": "",
"resp_time": 0.003,
"upstream_addr": "unix:/var/run/php/php8.1-fpm.sock",
"host": "18.254.100.69:443",
"ref": "",
"agent": "Custom-AsyncHttpClient",
"uri": "/index.php?lang=../../../../../../../../tmp/index1"
}
Clearly a probing attempt with some knowledge that my EspoCRM site uses PHP.
I tried using the following in my nginx.conf where TLSv1.3 is the only ssl_protocol:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';";
and
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none';";
to stem this attack, but they disable getting even to a login screen for a valid user.
How can these probes be stopped, besides blacklisting sites as they try to probe? Can it be done with nginx config?
My nginx site config implements the prescribed location blocks as per nginx documentation.
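As an added example, not part of the question above: a small detector that reads nginx JSON access-log lines like the one quoted and flags requests whose path or query values contain a `..` segment after percent-decoding (including double-encoded forms such as `%252e`). The sample log is constructed for this illustration; its first line mirrors the quoted entry, the others are made up. The status is reported alongside each hit, since a 200 (as in the quoted entry) means the request reached the application rather than being rejected at the edge.

```python
import json
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample of nginx JSON access-log lines (not real traffic).
# Line 1 mirrors the entry quoted in the question; the rest are made up
# to show encoded, double-encoded and benign variants of the same parameter.
SAMPLE_LOG = """\
{"time":"2024-10-20T12:04:56+00:00","status":"200","address":"139.224.111.126","method":"GET","agent":"Custom-AsyncHttpClient","uri":"/index.php?lang=../../../../../../../../tmp/index1"}
{"time":"2024-10-20T12:05:10+00:00","status":"200","address":"203.0.113.5","method":"GET","agent":"Mozilla/5.0","uri":"/index.php?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd"}
{"time":"2024-10-20T12:05:30+00:00","status":"200","address":"198.51.100.9","method":"GET","agent":"Mozilla/5.0","uri":"/index.php?lang=en_US"}
{"time":"2024-10-20T12:06:00+00:00","status":"404","address":"203.0.113.5","method":"GET","agent":"Mozilla/5.0","uri":"/index.php?lang=..%252f..%252ftmp%252fx"}
"""


def normalize(value: str) -> str:
    """Percent-decode until the string stops changing (bounded to a few
    rounds) so double-encoded sequences collapse, then map backslashes
    to forward slashes so '..\\' is treated like '../'."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """Return True if the URI's path or any query value contains a '..'
    path segment. Matching on whole segments (not a substring search)
    keeps names like 'a..b' from being flagged."""
    parts = urlsplit(uri)
    # parse_qsl already decodes one layer; normalize() handles the rest.
    candidates = [parts.path]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for candidate in candidates:
        if ".." in normalize(candidate).split("/"):
            return True
    return False


def scan_log(text: str):
    """Parse one JSON object per line and return (address, uri, status)
    for every request whose URI contains a traversal sequence."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if has_traversal(entry.get("uri", "")):
            hits.append((entry["address"], entry["uri"], entry["status"]))
    return hits


if __name__ == "__main__":
    for address, uri, status in scan_log(SAMPLE_LOG):
        print(f"{address} {status} {uri}")
```

Feeding the real log through `scan_log` (one JSON object per line, as the `"uri"` field in the question suggests the log format produces) gives a list of source addresses and the status each probe received, which is the input you would want before deciding on any blocking rule: a probe that is logged with 200 deserves a look at what the application actually returned.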