I have a PHP application that sees two types of bad actors:
- Those who scan for vulnerabilities (SQL injection, XSS, or requests for non-existent URLs such as /phpmyadmin, /webmail and the like)
- Comment spammers.
Stack: Ubuntu 12.04 + nginx + PHP (FPM)
What I would like to do is set up a process that can ban these bad actors by dropping their IP address when it detects an abuse pattern. How should I do it?
Some sample patterns:
- More than 2 comments in 1 minute (can be detected in either nginx or PHP)
- More than 10 comments in 10 minutes, each containing URLs (detected in nginx or PHP)
- Requests to phpmyadmin (must be detected by nginx)
- Strange parameters passed to the search / comment system, for example `\' OR 1=1` (I would like to get a list of such common SQL injection patterns)
So, the question is: how do I define these patterns in nginx / PHP, and how do I set up a process that can ban the IP addresses of these actors?
PS. Honestly, I'm not sure how best to tag this question, so please retag it as appropriate.
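As an added example (not the poster's code), a fail2ban-style detector in Python that applies three of the listed patterns to constructed nginx access-log lines: the comment-rate threshold, probes of /phpmyadmin or /webmail, and two illustrative SQL-injection markers checked in the decoded query string. It assumes comments are POSTed to /comment and leaves out the "comments containing URLs" rule, since the comment body is visible only to PHP, not in the nginx log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote
# Constructed nginx "combined" access-log lines (sample data, not from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:01 +0000] "POST /comment HTTP/1.1" 200 12 "-" "Mozilla"
203.0.113.5 - - [10/Oct/2013:13:55:20 +0000] "POST /comment HTTP/1.1" 200 12 "-" "Mozilla"
203.0.113.5 - - [10/Oct/2013:13:55:45 +0000] "POST /comment HTTP/1.1" 200 12 "-" "Mozilla"
198.51.100.7 - - [10/Oct/2013:13:56:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "scanner"
198.51.100.9 - - [10/Oct/2013:13:56:30 +0000] "GET /search?q=%27%20OR%201%3D1 HTTP/1.1" 200 5 "-" "Mozilla"
192.0.2.1 - - [10/Oct/2013:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 5 "-" "Mozilla"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PROBE_PATHS = ("/phpmyadmin", "/webmail")          # paths named in the question
# Two illustrative injection markers only; a real list would be much longer.
SQLI_RE = re.compile(r"(?i)'\s*(or|and)\b|\b1\s*=\s*1\b")

def analyze(log_text, comment_path="/comment", limit=2, window=60):
    """Return {ip: set(reasons)} for every client matching an abuse pattern."""
    flagged = defaultdict(set)
    recent = defaultdict(deque)   # ip -> timestamps of its recent comment POSTs
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not in combined format
        ip, ts, method, raw_path, _status = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = unquote(raw_path)  # decode %27 etc. before pattern matching
        if path.lower().startswith(PROBE_PATHS):
            flagged[ip].add("probe")
        if SQLI_RE.search(path):
            flagged[ip].add("sqli")
        if method == "POST" and path == comment_path:
            q = recent[ip]
            q.append(t)
            while (t - q[0]).total_seconds() > window:   # drop events outside the window
                q.popleft()
            if len(q) > limit:    # "more than 2 comments in 1 minute"
                flagged[ip].add("comment_flood")
    return dict(flagged)

def ban_commands(flagged):
    """Render one iptables DROP rule per flagged IP (returned as text, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # {','.join(sorted(r))}"
            for ip, r in sorted(flagged.items())]

if __name__ == "__main__":
    print("\n".join(ban_commands(analyze(SAMPLE_LOG))))
```

In a real deployment the script would tail the live access log and a privileged cron job would apply the rendered rules with an expiry, so a false positive does not lock a user out permanently.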