############################################################################## # _ __ _ # # / |/ /__ _(_)__ __ __ # # / / _ `/ / _ \\ \ / # # /_/|_/\_, /_/_//_/_\_\ # # __/___/ __ ___ __ ___ __ __ # # / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ # # / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ # # /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ # # # ############################################################################## # ------------------------------------------------------------------------------ # MIT License # ------------------------------------------------------------------------------ # Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com # https://github.com/mitchellkrogza # ------------------------------------------------------------------------------ # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # ------------------------------------------------------------------------------ # The above copyright notice and this permission notice shall be included in all # copies or substantial portions of the Software. # ------------------------------------------------------------------------------ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. # ------------------------------------------------------------------------------ # ----------------------------------------- # Additional Security Rules for Nginx Sites # ----------------------------------------- # deny.conf # Global restrictions configuration file. # Designed to be included in any server {} block. # This is an optional and fully customizable add-on to the Nginx Ultimate Bad Bot Blocker # Any rules you DON'T want active simply comment them out # To use this set of rules, add the include below into each server block. # add this at the very top of your server blocks before any other location rules # include /etc/nginx/deny.d/deny.conf; # By default I always issue a 444 response to all rules # you can change this to anything you like # Example: return 403; # Example: deny all; ## ------------- # GENERAL RULES ## ------------- ## # Deny all attempts to access hidden files such as # .htaccess, .htpasswd, .DS_Store (Mac). ## location ~ /\. { return 444; } ## # Deny access to any files with a .php extension in any uploads / files directory # add more folder names to protect as you like ## location ~* /(?:uploads|files)/.*\.php$ { return 444; } ## # Protect Perl/CGI/etc files # Very few sites run perl or cgi scripts anymore, block them !! # and block people even looking for them ## location ~* \.(pl|cgi|py|sh|lua)\$ { return 444; } ## # Protect .git files and repositories # If you use git versioning control on any of your sites, this rule is a must ## location ~ /\.git { return 444; } ## # Block common hacks ## location ~* .(display_errors|set_time_limit|allow_url_include.*disable_functions.*open_basedir|set_magic_quotes_runtime|webconfig.txt.php|file_put_contentssever_root|wlwmanifest) { return 444; } location ~* .(globals|encode|localhost|loopback|xmlrpc|revslider|roundcube|webdav|smtp|http\:|soap|w00tw00t) { return 444; } ## # Protect other sensitive files ## location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { return 444; } ## # Block access to any disallowed server methods ## if ($request_method = PROPFIND) { return 444; } ## # Block server request methods that "may" unnecessary for serving your content # Only activate this rule if you know what you are doing and what the consequences are. ## #if ($request_method !~ ^(GET|POST|HEAD)$ ) { #return 444; #} ## # Help guard against SQL injection ## location ~* .(\;|'|\"|%22).*(request|insert|union|declare|drop)$ { return 444; } ## # Block attempts to access PHPMyAdmin. # If you use phpmyadmin, DO NOT activate this rule !!! # Disabled by default ## #location ~* .(administrator|[pP]hp[mM]y[aA]dmin) { #return 444; #} ## ------------------------ # WORDPRESS SPECIFIC RULES ## ------------------------ ## # Block access to anything non image/video/music/document related from your uploads folder. ## location ~* ^/wp-content/uploads/.*.(asp|cgi|htm|html|js|jsp|php|pl|py|sh|shtml|swf)$ { return 444; } ## # Restrict access to wp-login.php # MUST create the zone wp-login # Add this zone below to nginx.conf or to vhost BEFORE server {} block # limit_req_zone $binary_remote_addr zone=wp-login:10m rate=1r/s; # uncomment this rule below to make it active # also make SURE you have the correct path to your php7 fpm ## #location = /wp-login.php { #limit_req zone=wp-login burst=2 nodelay; #include /etc/nginx/fastcgi_params; #fastcgi_pass unix:/run/php/php7.0-fpm.sock; #fastcgi_param SCRIPT_FILENAME $request_filename; #fastcgi_pass_header Set-Cookie; #fastcgi_pass_header Cookie; #fastcgi_split_path_info ^(.+?.php)(/.+)$; #} ## # Protect any config files in your web root ## location ~* /(wp-config.php|nginx.conf|wp-config-sample.php) { return 444; } ## # Disallows Access to all text and readme files in Wordpress root ## location ~* ^/(readme|license|schema|password|passwords).*.(txt|html)$ { return 444; } ## # Disallows Access to any .conf or .sql files which you may have stored in your root ## location ~* ^/*.(conf|sql)$ { return 444; } ## # Disallows Access to plugin or theme readme files # Also helps block Wordpress Theme Detectors ## location ~* /wp-content/.*.txt$ { return 444; } ## --------------------------------------------- # Let's Encrypt SSL ACME Challenge Requirements ## --------------------------------------------- ## # ACME Challenge Rule ## location /.well-known/acme-challenge { allow all; default_type "text/plain"; root /tmp/letsencrypt; autoindex on; } ## --------------------- # Image Anti-Hotlinking ## --------------------- ## # Allows only specified servers from linking to images # Adjust to your own needs ## location ~* \.(gif|jpg|jpeg|png)$ { valid_referers none blocked ~.google. ~.bing. ~.yahoo. ~.facebook. ~.fbcdn. ~.ask. server_names ~($host); if ($invalid_referer) { return 444; } } ## --------- # END RULES ## --------- # ------------------------------------------------------------------------------ # MIT License # ------------------------------------------------------------------------------ # Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com # https://github.com/mitchellkrogza # ------------------------------------------------------------------------------ # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # ------------------------------------------------------------------------------ # The above copyright notice and this permission notice shall be included in all # copies or substantial portions of the Software. # ------------------------------------------------------------------------------ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. # ------------------------------------------------------------------------------