In the configuration file, mark the folder that should be closed; all that is then needed is to point it at the file with the passwords.
Here are two examples. The first closes a folder with files:
```nginx
location ^~ /files/ {
    root /path/to/server;
    autoindex on;
    autoindex_exact_size off;
    auth_basic "Hello, please login";
    auth_basic_user_file /usr/nginx/passwords;
    access_log /usr/nginx/logs/files.log download;
}
```

The second closes the admin folder, with an additional restriction by IP:
```nginx
location ^~ /admin/ {
    fastcgi_pass unix:/home/project/server.sock;
    include conf/fastcgi.conf;
    allow 11.11.0.0/16;
    allow 22.22.22.22;
    deny all;
    auth_basic "Hello, Admin, please login";
    auth_basic_user_file /usr/nginx/adminpassword;
    access_log /usr/nginx/logs/admin.log main;
}
```

The htpasswd utility from Apache can be used to create new users and to update their passwords:
```shell
htpasswd -b passwords NewUser NewPassword
```

In the file, the entry with the hashed password looks like this:
```
NewUser:P47ghZ4kloG78:You can comment here
```

Protection against password cracking can be organized with two iptables-based methods used at the same time:
- Blocking an IP temporarily if the number of requests per second exceeds any reasonable amount.
- Writing failed attempts to a log, checking it with a script every minute, and then pushing the offending IP addresses into iptables.
```shell
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW -m recent --name bhttp --set
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW -m recent --name bhttp --update --seconds 120 --hitcount 360 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -j ACCEPT
```

Note that the xt_recent module only remembers ip_pkt_list_tot packets per address (20 by default) and rejects a --hitcount larger than that, so a value such as 360 requires raising that module parameter. TARPIT (provided by xtables-addons, not by stock iptables) can be used instead of DROP to complicate the life of the crackers.
For the second variant, add the following to the config (this location is only reached when the server's `error_page 401 /401.html;` directive points at it):

```nginx
location /401.html {
    root /usr/nginx;
    access_log /usr/nginx/logs/denied.log error401;
}
```

For example, my error401 log format, declared in the http context, looks like this:

```nginx
log_format error401 '$remote_addr - $remote_user [$time_local] '
                    '$status "$request"';
```

Now all wrong logins are saved in a separate log file, which is checked by a cron job:
```
*/1 * * * * root /usr/nginx/parser401.pl >/dev/null 2>&1
```

For example, this script, parser401.pl, checks the log file and, if it finds more than 4 attempts with a wrong password, blocks that IP address.
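The page does not show parser401.pl itself, so the following is an added example (not the page's script) of the same check: it parses lines in the error401 format above, counts 401 responses per client where a username was actually supplied (the first challenge response carries `$remote_user` as "-" and is not a wrong password), and returns the block commands for addresses with more than 4 failures. The sample log and the exact iptables command are assumptions constructed for the example.

```python
import re
from collections import Counter

# Matches one line written by the page's error401 log_format:
#   '$remote_addr - $remote_user [$time_local] $status "$request"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<status>\d{3}) "(?P<request>[^"]*)"$'
)

# Constructed sample of denied.log (not a real capture): one host fails the
# password five times, another three times; lines with remote_user "-" are
# the initial challenge responses, not wrong passwords; one line is garbage.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:14:01:02 +0300] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - admin [10/Oct/2023:14:01:03 +0300] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - admin [10/Oct/2023:14:01:04 +0300] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - root [10/Oct/2023:14:01:05 +0300] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - root [10/Oct/2023:14:01:06 +0300] 401 "GET /admin/ HTTP/1.1"
203.0.113.7 - root [10/Oct/2023:14:01:07 +0300] 401 "GET /admin/ HTTP/1.1"
198.51.100.9 - - [10/Oct/2023:14:01:10 +0300] 401 "GET /files/ HTTP/1.1"
198.51.100.9 - bob [10/Oct/2023:14:01:11 +0300] 401 "GET /files/ HTTP/1.1"
198.51.100.9 - bob [10/Oct/2023:14:01:12 +0300] 401 "GET /files/ HTTP/1.1"
198.51.100.9 - bob [10/Oct/2023:14:01:13 +0300] 401 "GET /files/ HTTP/1.1"
this line is garbage and must be skipped
"""


def count_failures(log_text):
    """Count 401 responses per client IP where a username was supplied."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:                      # not in error401 format: skip
            continue
        if m.group("status") != "401" or m.group("user") == "-":
            continue                       # not a failed password attempt
        counts[m.group("ip")] += 1
    return counts


def ips_to_block(log_text, threshold=4):
    """IPs with more than `threshold` failed attempts (the page uses 4)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n > threshold)


def block_commands(ips):
    """Assumed iptables commands the cron job would run; returned, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for cmd in block_commands(ips_to_block(SAMPLE_LOG)):
        print(cmd)
```

In a real cron job the script would read /usr/nginx/logs/denied.log instead of SAMPLE_LOG and should remember which addresses it has already blocked so the same rule is not inserted every minute.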
NginxModules : http://wiki.nginx.org/NginxModules