nginx content_by_lua_block

Introduction

While looking for URLs that returned 404, I found some strange patterns. Probably someone is trying to hack the site or is searching for unprotected information.

awk '($9 ~ /404/)' /var/log/nginx/access.log | awk '{print $1, $7}' | sort -u

Fragment of the listing produced by the command above:

18.202.222.57 //.git/objects/8a/09b213b634828b8d961c413adc6b07db6398a4
18.202.222.57 //.git/objects/8a/4fd59c19669446a8d5a1e5d53c7bdaefd2bc6b
18.223.170.53 //.git/objects/84/fa52145c85452150aec5fe1a75b7773c16e4d5
18.223.170.53 //.git/objects/8a/09b213b634828b8d961c413adc6b07db6398a4
18.223.170.53 //.git/objects/8a/4fd59c19669446a8d5a1e5d53c7bdaefd2bc6b
18.230.157.127 //.git/objects/de/77a2d3a2eee9d86e6c251324a720e94076f72a
18.230.189.76 //.git/objects/ac/524ecec9bcd165433ce2edf49775eab994e8bf
18.230.189.76 //.git/objects/c6/822f2ab1bf34e0dd10d598b200f1088bfb94d1
18.231.136.192 //.git/objects/cd/a4864272388a04a33bb522fde35909355599cd
18.231.136.192 //.git/objects/cd/f921feadacb3158f17e4c576a7e97bc1fe8e55
183.136.225.32 /robots.txt
185.254.196.223 /.env
186.234.80.150 /wp-login.php
191.19.195.199 /favicon.ico
192.241.225.12 /actuator/health
195.191.219.130 /robots.txt
198.199.93.20 /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f
198.71.231.82 /style.php?sig=rename
198.71.231.82 /wp-admin/style.php?sig=rename
201.75.187.119 /img/intmain-logo_1024x1024.png
205.185.118.237 /boaform/admin/formLogin
207.180.204.71 /style.php?sig=rename
207.180.204.71 /wp-admin/style.php?sig=rename
209.97.156.111 /ab2g
209.97.156.111 /ab2h
212.23.222.141 /.env
216.218.206.66 /favicon.ico
216.218.206.66 /.git/config
23.251.102.90 /api/jsonws/

Block IPs that access a specific URL

location /some-specific-url {
  # MIME type determined by default_type:
  default_type 'text/plain';

  content_by_lua_block {
    -- Record the client IP in a list (the nginx worker user needs write access to the file)
    local blockip, err = io.open('/var/www/blockip.txt', 'a')
    if blockip then
      blockip:write(ngx.var.remote_addr .. "\n")
      blockip:close()
    else
      ngx.log(ngx.ERR, 'cannot open blockip.txt: ', err)
    end

    -- Debug message
    ngx.say('Hello, ' .. ngx.var.remote_addr)

    -- Execute some script to block (os.execute blocks the worker until the command returns)
    os.execute("date > /tmp/date")
  }
}
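
The location above only appends addresses to /var/www/blockip.txt. One way to turn that file into an nginx deny list is sketched below as an added example, not code from the original page. The function names, the output path /etc/nginx/blockips.conf and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: turn the honeypot's IP file into an nginx "deny" include.
# build_denylist, demo and the output path are hypothetical names, not from the page.

# build_denylist SRC DEST: write one "deny <ip>;" line per unique valid address
# in SRC to DEST (replaced atomically) and print how many were written.
build_denylist() {
  src=$1
  dest=$2
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  # Only dotted-quad IPv4 or hex-and-colon IPv6 strings pass, so no other text
  # from the file can reach the nginx configuration. The IPv6 test is a
  # character-set check only; "nginx -t" rejects malformed addresses.
  awk '
    function valid4(ip,   n, p, i) {
      n = split(ip, p, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
      return 1
    }
    { sub(/\r$/, "") }
    valid4($0) || ($0 ~ /^[0-9A-Fa-f:]+$/ && index($0, ":") && length($0) <= 39) {
      if (!seen[$0]++) print "deny " $0 ";"
    }
  ' "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
  wc -l < "$dest" | tr -d ' '
}

# demo: run on constructed sample data (documentation-range addresses,
# one duplicate and three lines that must be rejected).
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' '203.0.113.7' '203.0.113.7' '198.51.100.9' '999.1.1.1' \
    '192.0.2.1; not-an-ip' '2001:db8::1' 'unix:' > "$dir/blockip.txt"
  build_denylist "$dir/blockip.txt" "$dir/blockips.conf" >/dev/null || return 1
  cat "$dir/blockips.conf"
  rm -rf "$dir"
}

# Real use (as root): build_denylist /var/www/blockip.txt /etc/nginx/blockips.conf
# then add "include /etc/nginx/blockips.conf;" to the server block and run
# "nginx -t && nginx -s reload".
```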

References