Nginx banning

I've forgotten much of what I learned about subnetting a few years ago. I have been googling about it, please confirm.

We need to ban 63.57.*.* and 66.44.12.*

and we don't know how to check if it's working or not…

63.57.*.* = 63.57.1.0/16 ?

66.44.12.* = 66.44.12.0/24 ?

linode 512

ubuntu 10.04.1 LTS

nginx 0.7.65

php-fpm

/etc/nginx.conf

user www-data;
worker_processes  4;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
    # multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    access_log /var/log/nginx/access.log;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    deny 63.57.1.0/16;
    deny 66.44.12.0/24;
}

2 Replies

@Naomi:

It's customary to leave all the bits masked out as 0, that is 63.57.0.0/16 in the example above. (In practice I wouldn't expect nginx to care, though.)

Other than that what you did looks ok.

However, you may want to:

1) Read up on the CIDR basics and/or use some CIDR calculator

2) Temporarily ban something that you can easily verify to see that the configuration works as expected

3) Check the logs
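One way to carry out steps 1 and 3 above, as an added example that is not from the thread: Python's ipaddress module normalises the two deny rules (which shows the 63.57.0.0/16 form), checks whether a client address falls inside them, and audits access-log lines for 403s that the deny rules do and do not explain. The log lines and client addresses are constructed for the example, not real traffic.

```python
import ipaddress
import re

# The deny rules exactly as written in the nginx.conf above. strict=False
# tolerates the set host bit in 63.57.1.0/16 and masks it to 63.57.0.0/16.
DENY_RULES = ["63.57.1.0/16", "66.44.12.0/24"]


def canonical(cidr: str) -> str:
    """Return the CIDR with all host bits cleared, e.g. 63.57.1.0/16 -> 63.57.0.0/16."""
    return str(ipaddress.ip_network(cidr, strict=False))


def is_denied(client_ip: str, rules=DENY_RULES) -> bool:
    """True if client_ip lies inside any of the deny rules."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in rules)


# Constructed sample lines in nginx's default "combined" log format.
SAMPLE_LOG = """\
63.57.200.14 - - [10/Jan/2011:12:00:01 +0000] "GET / HTTP/1.1" 403 169 "-" "Mozilla/5.0"
66.44.12.7 - - [10/Jan/2011:12:00:02 +0000] "GET /index.php HTTP/1.1" 403 169 "-" "curl/7.19"
66.44.13.7 - - [10/Jan/2011:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.9 - - [10/Jan/2011:12:00:04 +0000] "GET /admin HTTP/1.1" 403 169 "-" "Mozilla/5.0"
"""

# client address, then the quoted request line, then the status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def audit_403s(log_text: str, rules=DENY_RULES):
    """Split 403s into those explained by the deny rules and those that are not.

    Returns (expected, unexpected) lists of client IPs. A 403 from an address
    outside every deny rule came from some other rule and deserves a look.
    """
    expected, unexpected = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(2) != "403":
            continue
        (expected if is_denied(m.group(1), rules) else unexpected).append(m.group(1))
    return expected, unexpected


if __name__ == "__main__":
    for rule in DENY_RULES:
        print(f"{rule} -> {canonical(rule)}")
    print(audit_403s(SAMPLE_LOG))
```

Point audit_403s at the real access.log once a rule is in place: a denied address showing up with a 200 means the rule is not being applied.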

@hawk7000 Thanks, it works

cat nginx.log | grep "\" 403 " > 403s.txt
