
Using nginx http_referer_module to protect the admin site from brute force



While reading the nginx web server documentation, I came across an interesting module, ngx_http_referer_module. It lets you deny access to the site, or to parts of it, when a request does not carry an acceptable Referer header.

This module can be used to protect the admin area of any site against brute force. Take a site running WordPress: restricting access by IP address is unworkable if the site has registered users, since they also need to log in, and collecting all their IP addresses is a pointless exercise. :)



The principle of operation is simple: the site shows a link to the login page, wp-login.php, and in the nginx configuration we check that requests for wp-login.php and /wp-admin/ carry a Referer header pointing at our own site.

First, create a dedicated location for the pages in question. For example:


  server {
  ...
  location ~* (wp-login\.php|wp-admin(.*))$ {
      try_files $uri =404;

      # Nested location for wp-login.php and the PHP scripts under /wp-admin/.
      # fastcgi_pass lives here, inside the nested location: nginx does not
      # inherit it from the enclosing location, and keeping it out of the outer
      # location means static files under /wp-admin/ are not sent to PHP-FPM.
      location ~ \.php$ {
          include fastcgi_params;
          fastcgi_pass unix:/run/php-www.sock;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_ignore_client_abort off;
          fastcgi_param PHP_VALUE "sendmail_path=/usr/sbin/sendmail -t -i -fmail@example.com";
          fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/example.com/:/var/save_path/:/var/tmp_dir/";
      }
  }
  ...
  }

As you can see, the parameters for handling PHP scripts are specified here as well; without them the scripts matched by this location would not be executed. Note that fastcgi_pass sits inside the nested location ~ \.php$: nginx does not inherit it from the enclosing location, and leaving it out of the outer location also stops stylesheets and scripts under /wp-admin/ from being handed to PHP-FPM.

The module's directives go immediately after the opening line location ~* (wp-login\.php|wp-admin(.*))$ { . One thing to keep in mind: if and the other rewrite-module directives are not inherited by a nested location, so the check has to be repeated inside the nested location ~ \.php$ block, whereas valid_referers itself is inherited.

First line:


  valid_referers server_names;

This declares a Referer whose host is one of the server_name entries of this server block as valid; anything else, including a missing Referer, makes $invalid_referer non-empty. If the server block uses a catch-all name such as server_name _; , list the real host names instead, e.g. valid_referers example.com www.example.com; .

Then the check itself: if the Referer is missing or does not match, the server answers with a 403 error (access denied).

  if ($invalid_referer) {
      return 403;
  }

As a result, the configuration will look like this:

  server {
  ...
  location ~* (wp-login\.php|wp-admin(.*))$ {
      # Accept only a Referer whose host is one of this server's server_name entries.
      # A missing Referer does not match because "none" is not listed.
      valid_referers server_names;
      if ($invalid_referer) {
          return 403;
      }
      try_files $uri =404;

      location ~ \.php$ {
          # valid_referers is inherited here, but "if" (a rewrite-module directive)
          # is not, so the check is repeated for the PHP scripts themselves.
          if ($invalid_referer) {
              return 403;
          }
          # ... fastcgi directives from the block above ...
      }
  }
  ...
  }

Finally, add a link to the login page (wp-login.php, or wherever the login form lives) somewhere on the site. A visitor who clicks it arrives with a Referer pointing at our own host and receives the login form; the form's own POST back to wp-login.php carries the page URL as Referer, so it passes as well. A bot that knocks on the file directly, with no Referer, gets an access denied error.

It is worth noting that the Referer header is fully under the client's control and can be faked: a single -H 'Referer: https://example.com/' in curl is enough to pass the check, so this is a filter for careless bots, not a security boundary, and it belongs alongside rate limiting (limit_req) or fail2ban rather than in place of them. Personally, bots with a correctly filled Referer field came across very rarely, and those were banned by IP. :) So the method may be quite appropriate.

Two practical caveats. Legitimate users who open wp-login.php from a bookmark or a typed URL, or whose browser sends no Referer at all (a privacy extension, or a Referrer-Policy: no-referrer header on the site), also get 403 and have to go through the link; the browser default policy still sends the full URL on same-origin navigations, so the link approach works out of the box. And because the regex covers everything under /wp-admin/, non-browser clients that call /wp-admin/admin-ajax.php without a Referer are blocked too, while same-origin XHR from the site's own pages still carries one.
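To make the decision rule concrete, here is a small Python model of the referer module's check, run over a handful of constructed login requests. It is an added example, not nginx's code and not the article's: it re-implements the documented behaviour of valid_referers for none, blocked, server_names and plain host entries with a leading *. wildcard (regex entries and the trailing * wildcard are left out, and it assumes at least one host name is configured). The server block is assumed to declare server_name example.com www.example.com, and the request list is made up to cover the cases discussed above, including a bot that simply sends the right Referer.

```python
"""
Model of how nginx's ngx_http_referer_module sets $invalid_referer.

Added illustration, not nginx code: covers "none", "blocked", "server_names"
and plain host entries with a leading "*." wildcard. Regex entries and the
trailing "*" wildcard are not modelled, and at least one host is assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ValidReferers:
    """One valid_referers directive: the flags plus the accepted host names."""
    none: bool = False      # accept a request that has no Referer header at all
    blocked: bool = False   # accept a Referer lacking an http:// or https:// prefix
    hosts: tuple = ()       # accepted host names, e.g. ("example.com", "*.example.com")

    @classmethod
    def from_directive(cls, directive: str, server_names: tuple = ()) -> "ValidReferers":
        """Parse e.g. 'valid_referers server_names *.example.com;'. The server_name
        entries of the enclosing server block are substituted for 'server_names'."""
        words = directive.strip().rstrip(";").split()
        assert words[0] == "valid_referers", "expected a valid_referers directive"
        flags = {"none": False, "blocked": False}
        hosts = []
        for word in words[1:]:
            if word in flags:
                flags[word] = True
            elif word == "server_names":
                hosts.extend(server_names)
            else:
                hosts.append(word)
        return cls(flags["none"], flags["blocked"], tuple(h.lower() for h in hosts))

    def host_allowed(self, host: str) -> bool:
        """Exact match, or '*.example.com' matching any subdomain but not the apex."""
        for pattern in self.hosts:
            if pattern.startswith("*."):
                if host.endswith(pattern[1:]):
                    return True
            elif host == pattern:
                return True
        return False

    def invalid_referer(self, referer: Optional[str]) -> str:
        """Value of $invalid_referer: '' when the Referer is acceptable, '1' otherwise."""
        if referer is None:
            return "" if self.none else "1"
        low = referer.lower()
        if low.startswith("http://"):
            rest = referer[len("http://"):]
        elif low.startswith("https://"):
            rest = referer[len("https://"):]
        else:
            # No scheme: nginx treats this as a Referer mangled by a proxy or
            # firewall, accepted only when "blocked" is listed.
            return "" if self.blocked else "1"
        # The host ends at the first '/' or ':' (so the port is ignored) and is
        # compared case-insensitively.
        host = rest.split("/", 1)[0].split(":", 1)[0].lower()
        return "" if self.host_allowed(host) else "1"


# Assumed server block: server_name example.com www.example.com;
POLICY = ValidReferers.from_directive("valid_referers server_names;",
                                      server_names=("example.com", "www.example.com"))

# Constructed requests for the location ~* (wp-login\.php|wp-admin(.*))$ block;
# not captured from a real server. Third field is the Referer header (None = absent).
SAMPLE_REQUESTS = [
    ("browser follows the site's login link",  "POST /wp-login.php", "https://example.com/"),
    ("login form posts back to itself",        "POST /wp-login.php",
     "https://example.com/wp-login.php?redirect_to=%2Fwp-admin%2F"),
    ("mixed-case host with explicit port",     "GET /wp-admin/",     "HTTPS://WWW.Example.COM:443/"),
    ("bot requesting the file directly",       "POST /wp-login.php", None),
    ("bot spoofing some other site",           "POST /wp-login.php", "https://google.com/"),
    ("look-alike host",                        "POST /wp-login.php", "https://example.com.evil.test/"),
    ("Referer stripped of its scheme",         "POST /wp-login.php", "example.com/"),
    ("bot spoofing the correct Referer",       "POST /wp-login.php", "https://example.com/"),
]


def decide(policy: ValidReferers, requests=SAMPLE_REQUESTS):
    """Apply 'if ($invalid_referer) { return 403; }' to each request.
    200 stands for 'handed on to PHP'."""
    return [(label, req, 403 if policy.invalid_referer(ref) else 200)
            for label, req, ref in requests]


if __name__ == "__main__":
    for label, req, status in decide(POLICY):
        print(f"{status}  {req:<20}  {label}")
```

The last row is the point of the caveat above: the check cannot tell a browser that followed the link from a script that copied the header. Against a live server the same cases can be exercised with curl, for example curl -o /dev/null -w '%{http_code}\n' https://example.com/wp-login.php should print 403, and adding -H 'Referer: https://example.com/' should print 200.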


