How to Secure Nginx Against Malicious Bots

Nginx Security

Protective measures for a server are very important and there are several ways to protect your websites and apps from malicious bots. We’ll be looking at different bots and how they operate, and how you can use Plesk’s security measures to secure Nginx against malicious bots.

Malicious Bot Types

Nginx vs malicious bots

There are bots that scan Git repositories for API keys (scanbots) and bots that download web pages. Worse, attackers use groups of hijacked computers as bots to take down websites (botnets), or to send out innumerable spam emails (spambots). Let's take a deeper look at the latter two.

Bots For Spamming Emails     

Spambots are programs that crawl the internet for email addresses posted in forums, discussion boards, comments and websites. Spam generally means unwanted and unsolicited email. Spambots usually look for 'mailto' expressions (the HTML used to display email addresses online), in a format such as the one below.

<a href="mailto:[email protected][email protected]k.com, [email protected],[email protected]&subject=Web%20News">Email Us</a>

Apart from mailto, some people write addresses out in words to make them harder for spambots to harvest. For instance, instead of ''[email protected]'', they write support[at]abz[dot].com on the web. However, spam programs recognise these formats too, and the resulting spam costs users time, money and productivity.

Bots For Hijacking Computers

A malicious botnet is a network of infected computers, controlled as a group by attackers through malicious software, that is used to perform distributed denial-of-service (DDoS) attacks. A botnet also gives malware a way into networks and a means of controlling them.

Let's look at how attackers use a botnet to hijack computers by studying a click-fraud botnet that made a profit for its creators through Google's search program.

Paco Redirector is a botnet trojan that affected search engines such as Google and Bing. Here's how.

  1. First, it infects users' computers when they download and install fake versions of popular software.
  2. Then, Paco adds two entries to the browser's local registry keys so that the malware starts at boot time.
  3. Finally, the malware installs a proxy configuration file that captures traffic and routes it through the attackers' command-and-control server.

How to Secure Nginx Server against malicious Bots

Because most websites run on an Nginx server, we need to know how to secure Nginx against malicious bots. We can protect the resources running on Nginx servers by using Plesk extensions and Fail2ban.

1. Using SpamExperts Email Security Extension


SpamExperts protects a hosting environment from threats such as spam and viruses. It comes with an incoming filter, which separates valid emails from unsolicited ones, and an outgoing filter, which keeps your IP address off blacklists, since spam can be sent from a compromised account within your web infrastructure.

2. Using DDOS Deflate Interface Extension


Hackers often use malicious bots to brute-force authentication automatically. You can use the DDOS Deflate Interface to mitigate DDoS attacks by blocking IP addresses that exceed the configured threshold.

3. Using Fail2ban to Block Internet Bots

Fail2ban is intrusion-prevention software that protects services such as Nginx from bot attacks. You can install Fail2ban with the following command:

apt-get install fail2ban

Ubuntu users can use this command to install Fail2ban, while Fedora and CentOS users can use the command below:

yum install fail2ban

Afterwards, copy the jail configuration to a local override file; Fail2ban reads jail.local on top of jail.conf, so your changes there survive package upgrades:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Below is a screenshot of the Fail2ban jail configuration file:                   

Fail2ban jail configuration file screenshot

Search for the maxretry parameter and set it to 5. maxretry sets the limit on the number of failed attempts a host is allowed; if the host exceeds this limit, it is banned.

Maxretry parameter

Apart from the maxretry parameter, the configuration file has other parameters, such as ignoreip, which sets the list of IP addresses that will never be banned.
Then execute the following commands to enable and start the Fail2ban service on the server:

sudo systemctl enable fail2ban

sudo systemctl start fail2ban

Now let's go ahead and configure Fail2ban to monitor the Nginx server logs.

Because attackers use bots to perform brute-force attacks, we can create specific jails for login attempts by adding the following content to jail.local under [nginx-http-auth]:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log
bantime = 600
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 600
maxretry = 6

Note that nginx-http-auth is a filter Fail2ban ships, but nginx-login is not: you must create /etc/fail2ban/filter.d/nginx-login.conf with a failregex matching your application's failed logins before enabling that jail, or Fail2ban will refuse to start it.

Finally, create the filter for the [nginx-http-auth] jail by navigating to the filter directory:

cd /etc/fail2ban/filter.d

The screenshot below shows all files inside the filter.d directory

Files inside the filter.d directory

Open the file nginx-http-auth.conf and add the following line below the failregex specification:

^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

Save and close nginx-http-auth.conf. You can now activate your Nginx jails by restarting Fail2ban:

sudo service fail2ban restart
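To see what the jail and filter above actually do, here is an added Python example (not part of the original article and not Fail2ban's own code) that applies the nginx-http-auth failregex to constructed Nginx error-log lines and reports which clients would be banned under maxretry = 6. It assumes Fail2ban's default findtime of 600 seconds and simplifies the <HOST> expansion to a single token.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2ban's <HOST> tag, simplified here to one non-space token.
HOST = r"(?P<host>\S+)"
# The failregex line the page adds to filter.d/nginx-http-auth.conf, with
# <HOST> substituted the way Fail2ban does before matching.
FAILREGEX = re.compile((
    r'^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic '
    r'authentication, client: <HOST>, server: \S+, '
    r'request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$').replace("<HOST>", HOST))
# nginx error-log timestamp; Fail2ban strips it before applying failregex.
TIMESTAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(.*)$")

def parse_failure(line):
    """Return (timestamp, host) if the line is an auth failure, else None."""
    m = TIMESTAMP.match(line)
    hit = FAILREGEX.match(m.group(2)) if m else None
    if not hit:
        return None
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), hit.group("host")

def banned_hosts(lines, maxretry=6, findtime=600):
    """Hosts the jail would ban: maxretry failures within findtime seconds
    (maxretry = 6 as in the jail above; findtime = 600 is Fail2ban's default)."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, host = hit
        recent[host] = [t for t in recent[host] if when - t <= timedelta(seconds=findtime)]
        recent[host].append(when)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log: 203.0.113.7 fails six times inside five minutes (banned);
# 198.51.100.9 also fails six times, but never six within one findtime window.
_AUTH = ('{} [error] 1234#1234: *{} no user/password was provided for basic '
         'authentication, client: {}, server: example.com, '
         'request: "GET /admin/ HTTP/1.1", host: "example.com"')
_B_TIMES = ["09:50", "09:52", "10:10", "10:12", "10:14", "10:16"]
SAMPLE_LOG = (
    [_AUTH.format(f"2019/05/02 10:1{i}:00", i, "203.0.113.7") for i in range(6)]
    + [_AUTH.format(f"2019/05/02 {t}:00", 10 + n, "198.51.100.9") for n, t in enumerate(_B_TIMES)]
    + ['2019/05/02 10:16:40 [error] 1234#1234: *20 open() "/var/www/x" failed (2: No '
       'such file or directory), client: 203.0.113.7, server: example.com, '
       'request: "GET /x HTTP/1.1", host: "example.com"'])
```

On a live server, fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf performs the same matching against the real log and filter file.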

These solutions may not be the only ways to stop bots from attacking your Nginx server.  However, you can rely on these methods to avoid the negative effects of malicious bots. Get in touch with one of our Plesk experts if you need further assistance regarding a bot attack.

How useful and straightforward was this guide? Any issues? Let us know in the comments below.


All You Need to Know about the New WordPress Toolkit 3.5 [ VIDEO ]

Plesk WordPress Toolkit 3.5

Your needs come first so rest assured that we’re constantly evolving Plesk to bring you more value. Hence, the release of WordPress Toolkit 3.5, introducing an assortment of new security measures, a reimagined installation experience and more. Read on for a detailed overview of the updates you wanted, a WordPress Toolkit tour, plus WordPress Toolkit 3.6 spoilers.

Quick Tour of the updated WordPress Toolkit

Our pal Joe Casabona was one of the first to take the new WordPress Toolkit 3.5 for a spin. Here he demonstrates how easy it is to install and secure your WordPress, update multiple sites, clone and create a staging environment. All in just over 7 minutes!

New WordPress Toolkit Security Measures

New Plesk WordPress Toolkit 3.5 Screenshot 1-new-security-measures

First, you’ll likely see this notification pop up or find your previously secure instances suddenly marked as insecure. But don’t be alarmed – this just means you need to review and update the security status of your WordPress instances. Why? Because WordPress Toolkit 3.5 introduces 8 new security measures.

New Plesk WordPress Toolkit 3.5 Screenshot 2 - new security measures list

1.    New Hotlink Protection

Prevents other websites from displaying, linking or embedding your images (hotlinking), which quickly drains your bandwidth and can make your site unavailable.

2.    Disable unused scripting languages

This security measure removes support for scripting languages WordPress doesn't use, such as Python and Perl, blocking their related vulnerabilities. It is available if you have the corresponding Hosting Settings management permission.

3.    New Bot Protection

Blocks bots that overload your site with unwanted requests, causing resource overuse. Note that you may want to temporarily disable this if you also use a service that scans your site for vulnerabilities, since it may also use bots.

4.    Disabled file editing in WP Dashboard

This measure prevents you from editing plugin and theme file sources directly in the WordPress interface. This is an extra protection layer for the WordPress instance in case an admin account is compromised so no malicious executable code gets into plugins or themes.

5.    Block access to sensitive files

Now you can block files such as wp-config.bak and wp-config.php.swp from public access, as they contain sensitive information like connection credentials. This also prevents exposure of files whose contents reveal details of your WordPress instance, and covers logs, shell scripts and other executables that may exist on your WordPress instance and could be compromised.

6.    Block author scans / user ID phishing

These scans find registered usernames, especially WordPress admin, and brute-force attack your site’s login page. The above block prevents this, but note that depending on your site’s permalink configuration, you may also be preventing visitors from accessing pages that list all articles by a certain author.

7.    Block access to .htaccess and .htpasswd

Attackers who gain access to .htaccess and .htpasswd files can use them to compromise your site in a variety of ways. These files aren't usually accessible by default, but sometimes they are, and this is where this security measure steps in.

8.    Disable PHP execution in cache directories

If a compromised PHP file ends up in one of your site's cache directories, executing it can compromise the whole site, so this measure disables execution of PHP files in cache directories. However, certain plugins and themes ignore the WordPress security recommendations and store valid PHP executables in their cache anyway. You can disable this security measure for them to work, or, as recommended, find a more secure alternative.

You’re in Control of Security Updates

You should be able to supervise any website-affecting changes so WordPress Toolkit won’t automatically apply these new security measures on existing installations. So upon opening your list of WordPress instances after the WordPress Toolkit 3.5 update, you’ll see a one-time notification about this.

On that note, you'll now see that two existing security measures are now less restrictive. First, the "Security of the wp-includes directory" checker now excludes the wp-tinymce.php file to avoid potential issues with Gutenberg and other editing plugins. Second, the "Security of the wp-content directory" measure now prevents the execution of PHP files only in the wp-content/uploads directory.

New Plesk WordPress Toolkit 3.5 Screenshot 3 - control security updates

These checkers will be reapplied automatically for convenience and do not reduce WordPress security in any noticeable way.

New WordPress Toolkit 3.5 Installation Experience

WordPress Toolkit previously offered two installation options: Quick and Custom. Both had unfortunate shortcomings. ‘Quick’ didn’t ask you questions, but also didn’t give info on the parameters to use when installing WordPress. ‘Custom’ gave you control and displayed everything, but you had to fill out the form.

New WordPress Toolkit installation experience

Now users can make an informed choice whether to confirm defaults and install WordPress quick, or take time to change the options they want. With the new, unified WordPress installation, you can still install WordPress in one click, but you’ll always know how it’s happening. Meanwhile, you can change all relevant installation parameters when necessary.

Bonus: You can now enable automatic updates of plugins and themes within a more streamlined form, without Search Engine Visibility and Debug Mode.

WordPress Toolkit - Automatic update settings

The final change to the WordPress installation process is the ability to install on any domain from any accessible subscription. This is available anytime you click WordPress in the left navigation panel, even if you’re a reseller or server admin. One small step for WordPress Toolkit, one giant leap for adminkind.

New Plesk WordPress Toolkit 3.5 Screenshot 6 - install on any domain from any accessible subscription

WordPress Classic Plugin anyone?

If you’re not yet ready to use Gutenberg, you have a new ‘WordPress Classic’ plugin set. It also has a sibling ‘WordPress Classic with Jetpack’. However, note that we don’t plan to add immediate support for ClassicPress.

WordPress Classic plugin

Updates to CLI

We updated the CLI command for the new WordPress installation, specifically adding --auto-updates, --plugins-auto-updates and --themes-auto-updates to the plesk ext wp-toolkit install command, and plesk ext wp-toolkit --clear-wpt-cache to clear the WordPress Toolkit cache and handle issues with invalid cache data, such as corrupted WordPress distribution lists or broken lists of languages and versions.

WordPress Toolkit 3.6 Spoilers

The Plesk team fixed a record 43 issues reported by customers and over 140 bugs reported overall. Moving forward, WordPress Toolkit 3.6 will lay foundations for the upcoming release of Remote Management for WordPress Toolkit. Plus, we’re continuing the switch to the new UI, this time redesigning the Clone and Sync procedures along with more relevant user-requested improvements. We’re also busy improving our internal process so we can deliver more high-quality stuff in less time, so stay tuned!