How to Secure Nginx Against Malicious Bots

Nginx Security

Protecting a server is essential, and there are several ways to shield your websites and apps from malicious bots. We'll look at the different kinds of bots, how they operate, and how you can use Plesk's security measures to secure Nginx against them.

Malicious Bot Types


There are bots that scan Git repositories for leaked API keys (scanbots) and bots that scrape web pages. Worse, attackers use groups of hijacked computers (botnets) to take websites down, or to send out innumerable spam emails (spambots). Let's take a deeper look at the latter two.

Bots For Spamming Emails     

Spambots are programs that crawl the web for email addresses posted in forums, discussion boards, comments and web pages (spam being unwanted, unsolicited email). They usually look for mailto links, the HTML anchors used to publish email addresses online, with a format such as the one below (the addresses in this example are shown as placeholders):

<a href="mailto:[email protected]?cc=[email protected],[email protected],[email protected]&subject=Web%20News">Email Us</a>

Apart from mailto, some site owners spell addresses out in words to make them harder to harvest: support[at]abz[dot]com instead of support@abz.com. Harvesters recognise these formats too, so the addresses still end up on spam lists, costing users time, money and productivity.
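To show why the [at]/[dot] spelling buys little, here is an address harvester of the kind a spambot runs. It is an added example, not code from the article or from Plesk; the HTML page it scans is constructed for the example, and the regular expressions are one reasonable set, not a reference implementation. It pulls addresses out of mailto links (including cc/bcc parameters), out of plain text, and out of bracketed "at"/"dot" spellings.

```python
"""Address harvesting the way a spambot does it.

Added example (not from the article). It extracts addresses from mailto links,
from plain text, and from the "[at]"/"(dot)" spellings the article mentions,
to show that such spelling tricks do not stop a crawler that knows the pattern.
The HTML page below is constructed for the example.
"""
import re
from html import unescape
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_HTML = """
<p><a href="mailto:info@example.com?cc=sales%40example.com,billing@example.com&amp;subject=Web%20News">Email Us</a></p>
<p>Questions? Write to jane.doe@example.org or alice&#64;example.com.</p>
<p>Support: support[at]abz[dot]com &mdash; Bob: bob (at) example (dot) net</p>
"""

PLAIN_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MAILTO_RE = re.compile(r"""href\s*=\s*["']mailto:([^"']+)["']""", re.IGNORECASE)
# Bracketed tokens only: a bare " at " would also match prose such as
# "look at example.com", which a careful harvester would treat separately.
AT_TOKEN = r"(?:\[at\]|\(at\)|\{at\})"
DOT_TOKEN = r"(?:\[dot\]|\(dot\)|\{dot\}|\.)"
OBFUSCATED_RE = re.compile(
    rf"([\w.+-]+)\s*{AT_TOKEN}\s*([\w-]+(?:\s*{DOT_TOKEN}\s*[\w-]+)+)", re.IGNORECASE)


def addresses_from_mailto(href):
    """Split a mailto: URI into its to/cc/bcc addresses."""
    parts = urlsplit(href)
    found = unquote(parts.path).split(",")
    query = parse_qs(parts.query)          # also percent-decodes %40 -> @
    for key in ("to", "cc", "bcc"):
        for value in query.get(key, []):
            found.extend(value.split(","))
    return [a.strip().lower() for a in found if PLAIN_RE.fullmatch(a.strip())]


def harvest(html):
    """Return every address a harvester could recover from the page, sorted."""
    text = unescape(html)                  # turns &#64; into @ and &amp; into &
    found = set()
    for href in MAILTO_RE.findall(text):
        found.update(addresses_from_mailto(href))
    found.update(a.lower() for a in PLAIN_RE.findall(text))
    for local, domain in OBFUSCATED_RE.findall(text):
        domain = re.sub(rf"\s*{DOT_TOKEN}\s*", ".", domain, flags=re.IGNORECASE)
        found.add(f"{local}@{domain}".lower())
    return sorted(found)


if __name__ == "__main__":
    for address in harvest(SAMPLE_HTML):
        print(address)
```

All seven addresses on the constructed page are recovered, the bracketed ones included; the only spelling that defeats a pattern-based crawler is one it has not seen, which is not a defence you can rely on.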

Bots For Hijacking Computers

A malicious botnet is a network of computers infected with malware and controlled as a group by an attacker, commonly used for distributed denial of service (DDoS) attacks. The same infection gives the attacker a foothold inside the networks those machines sit in.

Let's look at how attackers put hijacked computers to use by studying a click-fraud botnet that made money for its creators through Google's search advertising.

Paco Redirector is a botnet trojan that hijacked search results from Google and Bing. Here's how.

  1. First, it infects users' computers when they download and install fake versions of popular software.
  2. Paco then adds two entries to the browser's registry keys so that the malware starts at boot time.
  3. Finally, it installs a proxy configuration file that captures the browser's traffic and routes it through the attackers' command-and-control server.

How to Secure Nginx Server against malicious Bots

Because Nginx serves a large share of the world's websites, it is worth knowing how to secure it against malicious bots. The resources behind an Nginx server can be protected with Plesk extensions and with Fail2ban.

1. Using SpamExperts Email Security Extension


SpamExperts protects a hosting environment from threats like spam and viruses. It comes with an incoming filter, which separates legitimate email from unsolicited email, and an outgoing filter, which stops your IP address from being blacklisted when spam is sent from a compromised account inside your web infrastructure.

2. Using DDOS Deflate Interface Extension


Bots are also used to brute-force logins and to flood a server with connections. DDoS Deflate mitigates the latter by counting the open connections from each source IP address and blocking the addresses that exceed the configured threshold.

3. Using Fail2ban to Block Internet Bots

Fail2ban is an intrusion-prevention tool that scans log files and bans, with a firewall rule, the source addresses behind repeated failures. On Debian and Ubuntu, install it with:

apt-get install fail2ban

On CentOS and Fedora (dnf on recent Fedora releases), use:

yum install fail2ban

Fail2ban reads jail.conf and then applies any overrides found in jail.local, and jail.conf is overwritten on package upgrades, so create a local copy to hold your own settings:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

(Screenshot in the original: the Fail2ban jail configuration file.)

Search for the maxretry parameter and set it to 5. maxretry is the number of failures a host may produce within the findtime window; once a host exceeds this limit, it is banned for bantime seconds.


Apart from maxretry, the configuration file has other parameters such as ignoreip, which lists IP addresses that must never be banned (your own management addresses belong there). Then execute the following commands to enable and start the Fail2ban service:

sudo systemctl enable fail2ban

sudo systemctl start fail2ban

Now let's configure Fail2ban to monitor the Nginx server logs.

Because these bots try passwords automatically, create jails for failed logins by adding the following to /etc/fail2ban/jail.local. The first section enables the [nginx-http-auth] jail that ships with Fail2ban; the second, [nginx-login], is a custom jail for login failures recorded in the access log and needs a matching filter file, filter.d/nginx-login.conf, written for your application's login URL (not shown here):

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log
bantime = 600
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 600
maxretry = 6

Finally, extend the filter that the [nginx-http-auth] jail uses. Filter definitions live in the following directory:

cd /etc/fail2ban/filter.d

(Screenshot in the original: the files inside the filter.d directory.)

Open the file nginx-http-auth.conf and add the following pattern as an extra line under its failregex entry. The stock pattern catches wrong passwords; this one also catches requests that send no credentials at all. <HOST> is Fail2ban's placeholder for the client address, and the leading "^ " is correct because Fail2ban strips the timestamp before matching:

^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

Save and close nginx-http-auth.conf. Restart Fail2ban to activate the jails:

sudo service fail2ban restart

These are not the only ways to stop bots from attacking your Nginx server, but you can rely on them to avoid the worst effects of malicious bots. Get in touch with one of our Plesk experts if you need further assistance with a bot attack.

How useful and straightforward was this guide? Any issues? Let us know in the comments below.


Can SPF, DKIM and DMARC free you from junk emails?


The rise of junk mail has naturally mirrored the rise of the web. It’s true that anti-spam methods have grown in sophistication, filtering out more unwanted messages than ever before. But still – one or two uninvited guests manage to slip through the net.

Spam email is as old as the web, and its growth has kept pace with the web’s explosion in popularity. So, enter three (fairly) new tools that are taking the fight against spam up a notch: DKIM, DMARC and SPF. Here’s a glimpse of these tools and a quick rundown of what they can do.

DMARC, DKIM and SPF – What are they?

SPF (Sender Policy Framework) lets a domain publish, in a DNS TXT record, the list of servers allowed to send mail on its behalf; a receiving server compares the IP address of the connecting server against that list. These DNS entries can be trusted because only the domain's owner or DNS administrator can publish them.

DKIM (DomainKeys Identified Mail) detects forged email by letting each message be authenticated. Anyone can claim that a message comes from a particular domain; DKIM lets the receiver verify that claim.

DKIM works by adding a digital signature, covering selected headers and the message body, so that the message and the signature are bound together. The sender publishes the matching public key in DNS, and the receiver uses it to verify the signature. If verification succeeds, the signed parts have not been altered since signing, and the signer holds the key for the domain named in the signature.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM. With it, the domain owner publishes a policy that tells receiving servers what to do with messages that fail both checks (none, quarantine or reject), requires that the passing check is aligned with the domain in the From header, and names an address for aggregate reports.

It's clear that DNS is central to all three. Let's see how they work.


How Does SPF Work?

  • First, the receiving mail server takes the domain from the envelope sender (MAIL FROM) of each message it gets.
  • Then it performs a TXT DNS query for that domain and reads its SPF entry.
  • After that, it checks whether the IP address of the connecting server matches one of the senders listed in the entry.
  • Finally, if no entry matches, the result is fail or softfail depending on the record's "all" qualifier, and the receiver may reject the message or mark it as suspect.

How does DKIM work?

  • The outbound mail server checks the domain in the "From" header against its signing table. If there is no entry, the message leaves unsigned.
  • Otherwise a "DKIM-Signature" header is added, computed with the domain's private key over a hash of the body and the selected headers.
  • The signed parts are now tamper-evident: any change to them makes the signature fail to verify.
  • When the message reaches the receiving server, it reads the selector (s=) and domain (d=) from the DKIM-Signature header and fetches the public key with a TXT DNS query for selector._domainkey.domain.
  • Finally, the result of the signature check tells the receiver whether the message is intact and really came from the signing domain.

How does DMARC work?

  • When a message arrives, the mail server looks up the DMARC policy for the domain in the From header (the TXT record at _dmarc.<domain>).
  • The message passes DMARC if SPF or DKIM passes and the passing identity (the SPF domain or the DKIM d= domain) is aligned with the From domain. Otherwise it fails.
  • If the check fails, the published policy (none, quarantine or reject) tells the receiver what to do, and aggregate reports go to the address named in the record.
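The three walk-throughs above, carried out in code: an SPF evaluation against the connecting IP, the DNS name a receiver derives from a DKIM-Signature header, and the DMARC alignment decision. This is an added example, not the article's or Plesk's code. The DNS zone is a constructed in-memory dictionary (example.com, a relay domain, a selector sel1 and placeholder key material), so nothing is resolved on the network, and the DKIM signature bytes are not verified here, since that needs the RSA public key and the canonicalised message; the DKIM result is supplied as an input instead.

```python
"""SPF check, DKIM key lookup and DMARC alignment, in the order the article
walks through them.

Added example, not the article's or Plesk's code. The DNS zone is a constructed
in-memory dictionary, so nothing is resolved on the network, and the DKIM
signature bytes are not verified here; the DKIM result is supplied as an input.
"""
import ipaddress

# Constructed TXT records standing in for DNS; the key material is a placeholder.
TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=<base64-public-key>"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"],
}
# A constructed DKIM-Signature header as a sending server would add it.
SAMPLE_DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
                      "h=from:to:subject:date; bh=<body-hash>; b=<signature>")

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def tags(record):
    """Parse the 'k=v; k=v' tag lists used by DKIM and DMARC records and headers."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)


def spf_check(client_ip, domain, depth=0):
    """Evaluate the domain's SPF record against the connecting IP address."""
    records = [r for r in TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records or depth > 10:          # RFC 7208 caps include: recursion
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        if name == "all":
            return SPF_RESULTS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return SPF_RESULTS[qualifier]
        if name == "include" and spf_check(client_ip, arg, depth + 1) == "pass":
            return SPF_RESULTS[qualifier]
    return "neutral"


def dkim_key_lookup(dkim_signature_header):
    """Return (DNS name, signing domain, public-key record) for a DKIM-Signature."""
    t = tags(dkim_signature_header)
    name = f"{t['s']}._domainkey.{t['d']}"
    return name, t["d"], TXT.get(name, [None])[0]


def org_domain(domain):
    """Organisational domain; real code consults the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') or relaxed ('r', the default)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return ('pass', 'deliver') or ('fail', <policy>) for the From domain."""
    records = [r for r in TXT.get(f"_dmarc.{from_domain}", []) if r.startswith("v=DMARC1")]
    if not records:
        return "none", "deliver"           # no policy published: nothing to enforce
    t = tags(records[0])
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, t.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, t.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", t.get("p", "none")


def demo():
    """Constructed deliveries: legitimate, via the included relay, spoofed, forwarded."""
    legit = spf_check("192.0.2.25", "example.com")
    relay = spf_check("198.51.100.10", "example.com")
    spoof = spf_check("203.0.113.7", "example.com")
    # forwarding breaks SPF (new sending IP) but an aligned DKIM pass still satisfies DMARC
    forwarded = dmarc_evaluate("example.com", "fail", "example.com", "pass", "example.com")
    spoofed = dmarc_evaluate("example.com", spoof, "example.com", "none", "")
    return legit, relay, spoof, forwarded, spoofed


if __name__ == "__main__":
    print(demo())
```

The forwarded case is why the article insists on setting up both SPF and DKIM before moving the DMARC policy past "none": SPF fails whenever a message is relayed from a new IP address, and without an aligned DKIM signature the reject policy would bounce legitimate mail.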

Best practices and their limits

Unfortunate but true: even if you observe best practices and your mail system uses all of these tools correctly, phishers, scammers and spammers will still get through your defenses now and then.

Not all servers use all three tools, and even where they are in place it helps to know the limits of what SPF, DKIM and DMARC can do:

  • DKIM on its own doesn't show that the server sending a message for a domain was entitled to send it; it only shows that the signer holds that domain's key.
  • SPF can't tell forged messages apart on a shared host, because every domain on that host sends from the same IP address.
  • DMARC is still young, and not enough domains have adopted it to make a significant difference.
  • Used on its own, DMARC can and will break your mail flow. To avoid this, set up both DKIM and SPF before you change the DMARC policy to anything other than "none".

It's essential to work through the SPF, DKIM and DMARC setup correctly. If you don't, your users' legitimate messages may be quarantined or rejected by receiving servers.

Bottom line: Should I be using these tools or not?

Short answer: Yes. Even though they are not as widely popular as they should be right now, they certainly will be – and soon too. One of the best ways to encourage others to adopt these best practices and use these tools is to adopt it yourself. Or maybe act shocked when you talk to people who don’t!

Plesk E-mail Server Solution

Plesk Onyx gives you the power to protect your email infrastructure from spam/spoofing issues. And you can do this by setting up DKIM, SPF and DMARC via a web interface. You can find out more about how to turn on DKIM functionality, set up and configure SPF records and initiate DMARC on your server here.