Recently I've added a few methods of blocking certain IPs and user agents on my server. For my server, I am using nginx as my web server. What is the Jorgee Vulnerability Scanner? Here are some examples of Jorgee Vulnerability Scanner requests taken from my access log:
```
46.142.55.116 - - [11/Sep/2017:22:02:10 +0000] "HEAD http://198.167.140.231:80/mysql/admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/mysql/dbadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/mysql/sqlmanager/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/mysql/mysqlmanager/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/phpMyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
```
As you can see, the user agent is Jorgee, so I've added a block list to my sites-available/ config. I've added the code below:
```nginx
##
# Block User Agent (Jorgee Vulnerability scan)
##
if ($http_user_agent ~* (Jorgee|curl|wget) ){
    return 403;
}
```
Explanation of the code above:

1. Remember that `if()` and `if ()` are different: nginx will fail to reload if you type `if()` instead of `if ()`.
2. The `~*` operator is case insensitive and `~` is case sensitive.
3. The code above returns 403 to anyone using curl or wget against my site, and it also blocks the Jorgee user agent, since, as you can see in the log above, the user agent they use contains "Jorgee".
Besides that, there is a pattern to the Jorgee attack. Based on my log, each scanning run brute-forces 103 or 104 requests per IP, as shown below:
```
$ cat NGINX_LOG_FILE | awk -F\- '{print $1}' | sort | uniq -c | sort -n
     21 66.249.79.94
     32 66.249.79.65
     45 121.122.3.93
    100 133.20.179.115
    103 107.204.22.107
    103 84.84.220.185
    104 101.98.141.66
    104 115.90.121.189
    104 120.151.156.132
    104 122.116.94.48
    104 140.123.104.106
    104 173.212.104.118
    104 176.192.188.192
    104 185.48.179.142
    104 193.2.223.28
    104 203.59.41.166
    104 203.97.150.131
    104 217.247.100.213
    104 217.92.148.44
    104 218.103.18.33
    104 2.227.249.205
    104 223.132.86.20
    104 61.220.128.188
    104 62.155.131.217
    104 68.48.72.64
    104 75.150.65.94
    104 78.234.213.11
    104 80.113.214.119
    104 83.111.201.28
    104 88.147.104.60
    104 90.63.223.128
    104 90.63.245.57
    104 91.211.146.146
    104 91.35.192.197
    104 91.51.61.137
    104 92.154.88.116
```
I've created a file named blockips.conf and included it in my server configuration:
```nginx
##
# Block spammers and other unwanted visitors
##
include blockips.conf;
```
Contents of blockips.conf:
```nginx
deny 68.48.72.64;     #20170822
deny 126.130.247.229; #20170822
deny 153.228.237.98;  #20170822
deny 173.196.177.69;  #20170822
deny 36.224.20.38;    #20170822
deny 83.221.223.108;  #20170822
deny 87.122.244.224;  #20170822
deny 87.60.168.79;    #20170822
deny 88.163.253.9;    #20170822
```
I also wrote a PHP script that adds those IPs to blockips.conf, so that the crawlers are blocked automatically. Below is the cron script:
```php
<?php
$logpath = "/var/log/nginx";
$logfile = "logname";

// Count requests per client IP: the address is the first field of each access log line
$shell_check = "cat $logpath/$logfile | awk -F'-' '{print \$1}' | sort | uniq -c | sort -n";
exec($shell_check, $output, $error);

// each() was removed in PHP 8; foreach does the same job
foreach ($output as $row) {
    $tmp = explode(" ", $row);
    $clean = array_filter($tmp);   // Remove empty values left by the leading spaces of uniq -c
    $clean = array_values($clean); // Reindex: array[2]=20, array[10]=30 becomes array[0]=20, array[1]=30
    $count = $clean[0];
    $ipadd = $clean[1];

    // Only a well-formed IP address may reach the shell commands below
    if (filter_var($ipadd, FILTER_VALIDATE_IP) === false) {
        continue;
    }

    if ($count == "103" || $count == "104") {
        $output1 = array();
        // -F -w matches the literal address as a whole word, so dots are not regex wildcards
        $check_block = "grep -F -w " . escapeshellarg($ipadd) . " /etc/nginx/blockips.conf";
        exec($check_block, $output1, $error1);
        if (empty($output1)) { // Not blocked yet
            exec("echo 'deny $ipadd; #" . date('YmdHi') . "' >> /etc/nginx/blockips.conf");
            echo "$ipadd Added Into Blockips.conf\n";
        }
    }
}

exec("/etc/init.d/nginx reload");
echo "Restarting nginx service \n";
```
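A Python version of the same detection, added here as an illustration and not the post's own cron script: it parses the combined log format properly instead of splitting on "-", applies the same case-insensitive user-agent match as the nginx `~*` rule, flags the 103/104-request pattern, and skips addresses already present in blockips.conf. The sample log is constructed from the lines above; `203.0.113.7` is a made-up ordinary client.

```python
import re
from collections import Counter
from datetime import date

# nginx "combined" log format as seen in the post; the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: two Jorgee probes from the post plus one ordinary client.
SAMPLE_LOG = """\
46.142.55.116 - - [11/Sep/2017:22:02:10 +0000] "HEAD http://198.167.140.231:80/mysql/admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [11/Sep/2017:22:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_log(text):
    """Yield (ip, user_agent) for every line that matches the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")

def scanner_ips(text, ua_pattern=r"jorgee|curl|wget", burst=(103, 104)):
    """IPs to block: any client whose user agent matches, or whose request
    count hits the 103/104 burst the post observed for Jorgee runs."""
    ua_re = re.compile(ua_pattern, re.IGNORECASE)  # same semantics as nginx "~*"
    counts, flagged = Counter(), set()
    for ip, ua in parse_log(text):
        counts[ip] += 1
        if ua_re.search(ua):
            flagged.add(ip)
    flagged.update(ip for ip, n in counts.items() if n in burst)
    return sorted(flagged)

def existing_denies(conf_text):
    """Addresses already present as 'deny <ip>;' lines in blockips.conf."""
    return set(re.findall(r"^\s*deny\s+(\S+?)\s*;", conf_text, re.MULTILINE))

def new_deny_lines(text, conf_text, stamp=None):
    """Build the lines the cron job should append, skipping duplicates."""
    stamp = stamp or date.today().strftime("%Y%m%d")
    known = existing_denies(conf_text)
    return [f"deny {ip}; #{stamp}" for ip in scanner_ips(text) if ip not in known]
```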
On 2017-09-21, my colleague shared an article with me about blocking the Jorgee scanner at the firewall level with a single iptables command. Blocking the Jorgee user agent at the firewall level is more efficient than the approach I described above, but hopefully it gives you some ideas for your other projects 🙂
```
iptables -A INPUT -m string --algo bm --string "User-Agent: Mozilla/5.0 Jorgee" -j DROP
```
Here is the reference for the iptables command above: http://sipadcg.org/jorgee/
I've been browsing online more than 4 hours today, yet I never found any interesting article like yours. It's pretty worth enough for me. Personally, if all site owners and bloggers made good content as you did, the web will be a lot more useful than ever before.
Thanks Care, your comment really meant a lot to me 🙂 Thank you