From ad53f0f86730c54a2183d05363925b53d58affc2 Mon Sep 17 00:00:00 2001 From: Mitchell Krog Date: Fri, 28 Jun 2019 10:49:12 +0200 Subject: [PATCH] UPDATE bad-referrer-words.conf include file [ci skip] --- bots.d/bad-referrer-words.conf | 39 +++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/bots.d/bad-referrer-words.conf b/bots.d/bad-referrer-words.conf index fbdc76f22..e4524bc84 100644 --- a/bots.d/bad-referrer-words.conf +++ b/bots.d/bad-referrer-words.conf @@ -1,10 +1,10 @@ # EDIT THIS FILE AS YOU LIKE TO ADD OR REMOVE ANY BAD WORDS YOU WANT TO SCAN FOR ### ### VERSION INFORMATION # -################################################### -### Version: V4.2019.09 -### Updated: 2019-06-25 -################################################### +#-------------------------------------------------- +### Version: V4.2019.10 +### Updated: 2019-06-28 +#-------------------------------------------------- ### VERSION INFORMATION ## ############################################################################## @@ -25,13 +25,13 @@ # completely blank if you do not want your Nginx Blocker to include scanning for bad words within urls or referrer string # Only add one entry per line -# ******************************* +# ------------------------------- # !!! WARNING WARNING WARNING !!! -# ******************************* +# ------------------------------- -# *************************************** +# --------------------------------------- # PLEASE BE VERY CAREFUL HOW YOU USE THIS -# *************************************** +# --------------------------------------- # Here is an example of how one supposed bad word can cause your whole site to go down. # An issue was logged where the users own domain name was specialisteparquet.com # Because this list contained the word "cialis" it was detected within his domain name causing @@ -42,9 +42,9 @@ # Think very carefully before you add any word here -# ***************************************************************************************** +# ----------------------------------------------------------------------------------------- # PLEASE MAKE SURE that you use word regex boundaries to avoid false positive detection !!! -# ***************************************************************************************** +# ----------------------------------------------------------------------------------------- # BY DEFAULT ALL THE EXAMPLES BELOW ARE COMMENTED OUT AND HENCE NOT ENABLED @@ -69,9 +69,24 @@ # "~*(?:\b)webfuck(?:\b|)" 1; # "~*(?:\b)xxxrus(?:\b|)" 1; # "~*(?:\b)zeroredirect(?:\b|)" 1; +# "~*(?:\b|)x22(?:\b|)" 1; (in this string if your own domain name was sex22.com it would be blocked) -# Here is a list of unsanitary words to be in a referrer string - these are used in various injection attacks +# Here is a list of unsanitary words used in referrer strings - used in various injection attacks +# THE RULES BELOW ARE ENABLED BY DEFAULT # You can disable this default list by switching the values to 0 - "~*(?:\b)mb_ereg_replace(?:\b|)" 1; + "~*(?:\b|)mb_ereg_replace(?:\b|)" 1; + +# ----------- +# PLEASE NOTE +# ----------- + +# If you whitelist your own domain in whitelist-domains.conf and your own domain is passed in the referrer string with an attack string it will NOT be blocked. + +# -------- +# EXAMPLE: +# -------- +# This string "http://yourwebsite.com/?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=gqopu.php&vars[1][]=$" +# contains the above 'mb_ereg_replace" attack string +# If your domain is whitelisted in whitelist-domains.conf this string will NOT be detected