Security (nginx) How do I stop probing of my EspoCRM site using an inline php script?

    I was examining my nginx access log today and found this entry

    { "time": "2024-10-20T12:04:56+00:00",
    "status": "200",
    "address": "139.224.111.126",
    "method": "GET",
    "protocol": "https",
    "ssl_protocol": "TLSv1.3",
    "timestamp": 1729425896.223,
    "user": "",
    "resp_time": 0.003,
    "upstream_addr": "unix:/var/run/php/php8.1-fpm.sock",
    "host": "18.254.100.69:443",
    "ref": "",
    "agent": "Custom-AsyncHttpClient",
    "uri": "/index.php?lang=../../../../../../../../tmp/index1"
    }

    Clearly a probing attempt with some knowledge that my EspoCRM site uses PHP.

    I tried using the following in my nginx.conf where TLSv1.3 is the only ssl_protocol:

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';";

    and

    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none';";

    to stem this attack but they disable getting even to a login screen for a valid user.

    How can these probes be stopped, besides blacklisting sites as they try to probe? Can it be done with nginx config?

    My nginx site config implements the prescribed location blocks as per the nginx documentation.
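    The log entry in the post is a directory-traversal probe against the `lang` query parameter. Whatever is done on the nginx side, it helps to be able to pull such requests out of the JSON access log automatically, because the `"status": "200"` in the posted entry says nothing about whether the probe found anything: the application answered the request normally, so triage has to key on the request, not on the response. The script below is an added example, not code from the post or from EspoCRM; it parses lines in the JSON format the post shows (only the fields needed here are kept), URL-decodes each URI so that encoded and double-encoded variants of `../` are caught as well as the plain form in the post, and lists the source addresses, which can then be fed into whatever blocklisting the site already uses. The sample lines are constructed: the first mirrors the posted entry, the remaining addresses are documentation-range placeholders.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample log, modelled on the nginx JSON access-log format in the post.
# The first entry is the probe from the post (trimmed to the relevant fields);
# the other entries are made up for illustration and use documentation IP ranges.
SAMPLE_LOG = r'''
{"time": "2024-10-20T12:04:56+00:00", "status": "200", "address": "139.224.111.126", "method": "GET", "agent": "Custom-AsyncHttpClient", "uri": "/index.php?lang=../../../../../../../../tmp/index1"}
{"time": "2024-10-20T12:05:01+00:00", "status": "200", "address": "203.0.113.7", "method": "GET", "agent": "Mozilla/5.0", "uri": "/api/v1/App/user"}
{"time": "2024-10-20T12:05:09+00:00", "status": "200", "address": "198.51.100.23", "method": "GET", "agent": "curl/8.4.0", "uri": "/index.php?lang=..%2f..%2f..%2fetc%2fpasswd"}
{"time": "2024-10-20T12:05:12+00:00", "status": "404", "address": "198.51.100.23", "method": "GET", "agent": "curl/8.4.0", "uri": "/index.php?lang=%2e%2e%5c%2e%2e%5cwindows%5cwin.ini"}
this line is not JSON and must be skipped, not crash the run
'''

# "../" or "..\" anywhere in the decoded URI (path or query string).
TRAVERSAL = re.compile(r'\.\.[/\\]')


def decode_uri(uri: str) -> str:
    """URL-decode twice so %2e%2e%2f and double-encoded %252e%252e%252f both become '../'."""
    return unquote(unquote(uri))


def parse_lines(text: str) -> list[dict]:
    """Parse one JSON object per line; malformed lines are skipped rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_traversal_probe(uri: str) -> bool:
    """True if the request URI contains a traversal sequence after decoding."""
    return TRAVERSAL.search(decode_uri(uri)) is not None


def find_probes(text: str) -> list[dict]:
    """Return every log event whose URI carries a traversal sequence.
    The HTTP status is deliberately ignored: a 200 from the application does not mean
    the probe succeeded, and a 404 does not mean it was harmless, so we match the request."""
    return [ev for ev in parse_lines(text) if is_traversal_probe(ev.get("uri", ""))]


def offending_addresses(text: str) -> list[str]:
    """Distinct source addresses of traversal probes, sorted, ready for a blocklist."""
    return sorted({ev["address"] for ev in find_probes(text)})


if __name__ == "__main__":
    for ev in find_probes(SAMPLE_LOG):
        print(ev["time"], ev["address"], ev["agent"], decode_uri(ev["uri"]))
    print("addresses:", offending_addresses(SAMPLE_LOG))
```

To run it against a real log, replace `SAMPLE_LOG` with the file contents (for example `open("/var/log/nginx/access.log").read()`, the path being whatever the site's `access_log` directive names). Decoding twice is a deliberate choice: single-encoded `%2e%2e%2f` is the common evasion, and double encoding is cheap to cover at the same time; the regex is applied only after decoding so neither form slips past.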