Nginx banning
We need to ban 63.57.*.* and 66.44.12.*
and we don't know how to check if it's working or not…

63.57.*.* = 63.57.1.0/16 ?
66.44.12.* = 66.44.12.0/24 ?
linode 512
ubuntu 10.04.1 LTS
nginx 0.7.65
php-fpm
/etc/nginx.conf
user www-data;
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
# multi_accept on;
}
http {
include /etc/nginx/mime.types;
access_log /var/log/nginx/access.log;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
tcp_nodelay on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
deny 63.57.1.0/16;
deny 66.44.12.0/24;
}
2 Replies
@Naomi:
I've forgotten much of what I learned about subnetting a few years ago. I have been googling about it, please confirm.
It's customary to leave all the bits masked out as 0, that is 63.57.0.0/16 in the example above. (In practice I wouldn't expect nginx to care, though.)
Other than that what you did looks ok.
However, you may want to:
1) Read up on the CIDR basics and/or use a CIDR calculator
2) Temporarily ban something that you can easily verify to see that the configuration works as expected
3) Check the logs
grep '" 403 ' /var/log/nginx/access.log > 403s.txt
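A way to check both points at once, as an added example that is not part of the thread: it reads the deny directives the way nginx interprets them (host bits masked off, so 63.57.1.0/16 is treated as 63.57.0.0/16) and then tallies access-log lines into blocked, leaked (denied range but no 403) and unrelated 403s. The config fragment and log lines are constructed, and the log is assumed to be in nginx's default combined format.

```python
import ipaddress
import re

# Constructed fragment of the poster's nginx.conf; only the deny lines matter here.
NGINX_CONF = """
http {
    deny 63.57.1.0/16;
    deny 66.44.12.0/24;
}
"""

# Constructed sample lines in nginx's default "combined" access-log format.
ACCESS_LOG = """\
63.57.200.14 - - [10/Mar/2011:12:00:01 +0000] "GET / HTTP/1.1" 403 169 "-" "curl/7.19"
66.44.12.77 - - [10/Mar/2011:12:00:02 +0000] "GET /index.php HTTP/1.1" 403 169 "-" "Mozilla/5.0"
66.44.13.5 - - [10/Mar/2011:12:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
63.57.9.1 - - [10/Mar/2011:12:00:04 +0000] "GET /x HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

DENY_RE = re.compile(r"^\s*deny\s+(\S+?)\s*;", re.MULTILINE)
# client address ... [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def parse_deny_networks(conf: str) -> list:
    """Networks nginx will actually block. strict=False masks off the host bits,
    so 63.57.1.0/16 becomes the canonical 63.57.0.0/16 the reply recommends."""
    return [ipaddress.ip_network(m.group(1), strict=False) for m in DENY_RE.finditer(conf)]


def check_ban(conf: str, log: str) -> dict:
    """Count log lines: blocked (denied range, 403), leaked (denied range but
    not 403, i.e. the ban is not working) and other_403 (403 from elsewhere)."""
    nets = parse_deny_networks(conf)
    counts = {"blocked": 0, "leaked": 0, "other_403": 0}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        addr, status = ipaddress.ip_address(m.group(1)), m.group(2)
        denied = any(addr in n for n in nets)
        if denied and status == "403":
            counts["blocked"] += 1
        elif denied:
            counts["leaked"] += 1
        elif status == "403":
            counts["other_403"] += 1
    return counts


if __name__ == "__main__":
    print([str(n) for n in parse_deny_networks(NGINX_CONF)])  # ['63.57.0.0/16', '66.44.12.0/24']
    print(check_ban(NGINX_CONF, ACCESS_LOG))  # {'blocked': 2, 'leaked': 1, 'other_403': 0}
```

Any non-zero "leaked" count means a request from a denied range got through, which is exactly the case the poster has no way to see today.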