
I inherited an Nginx setup in front of an Apache server. Today I found some SQL code hitting the apache access logs: GET /mgrayson/splice%27%29%20AND%20%28SELECT%204520%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x716b786b71%2C%28SELECT%20%28ELT...

What's the best way to drop this sort of query in nginx? Is it basically to set up a bunch of keywords to trap for and ignore the %xx separator characters?:

# ~* is a case-insensitive match; the literal "(" must be escaped in the regex
if ($query_string ~* "select.*from.*\(") {
    set $block_sql_injections 1;
}

Is there some better way of blocking this stuff? Thinking this is likely a long-solved problem with a standard mitigation strategy. Thanks!
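As an added example (not from the question or any answer on this page), here is one way to make such a rule actually reject requests in nginx: a `map` that evaluates the decoded path plus the raw query string once per request, and a single `if` in server context that returns 403 before anything is proxied to Apache. Note that `$uri` is percent-decoded by nginx while `$query_string` is not, and that the sample request above carries its payload in the path, so a rule that only inspects `$query_string` would never see it. The backend address, server name, log path and patterns are assumptions.

```nginx
# Added example (not from the question): evaluate one combined rule per request
# and reject matches before they reach Apache. Patterns are illustrative and
# site-specific; tune them against your own traffic before deploying.
#
# $uri is percent-decoded by nginx (so %27%29 is seen as "')" and %28 as "(");
# $query_string is left raw, so encoded forms must be matched there explicitly.
map "$uri?$query_string" $block_sql_injections {
    default 0;
    # case-insensitive (~*); a literal "(" must be escaped in the PCRE regex
    "~*select.+from.*\("                            1;
    "~*union(\s|%20|\+)+(all(\s|%20|\+)+)?select"   1;
    "~*(\s|%20|\+|')(and|or)(\s|%20|\+)+\(?select"  1;
}

server {
    listen 80;
    server_name example.com;               # placeholder

    # One check in server context (a safe use of "if"); no upstream round trip
    if ($block_sql_injections) {
        return 403;
    }

    # Write only blocked requests here so fail2ban (suggested in the comments)
    # can ban repeat source IPs from this file; the "if=" parameter needs nginx 1.7.0+
    access_log /var/log/nginx/blocked.log combined if=$block_sql_injections;
    access_log /var/log/nginx/access.log  combined;

    location / {
        proxy_pass http://127.0.0.1:8080;  # assumed Apache backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Signatures like these only raise the bar and will produce both misses and false positives; a maintained rule set (the WAF options discussed in the comments) and parameterized queries in the application behind Apache are what actually remove the risk.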

Server Fault
    Services like CloudFlare and [AWS WAF](http://docs.aws.amazon.com/waf/latest/developerguide/web-acl-sql-conditions.html) are probably the easiest way of dropping this sort of stuff - let someone else manage and test the rules. That said, as long as you're not vulnerable to it, it may not be worth the trouble. – ceejayoz Jul 21 '17 at 20:12
  • Fail2ban, with or without CloudFlare. I have Fail2Ban add bad IPs to the CloudFlare firewall. I have a [fail2ban with Wordpress and CloudFlare tutorial](https://www.photographerstechsupport.com/aws-amazon-web-services/protecting-amazon-linux-server-fail2ban-cloudflare-wordpress/), just ignore the Wordpress part and find another tutorial that covers SQL injection. – Tim Jul 21 '17 at 20:48
  • Thanks. I didn't know about the wordpress cloudflare plugin. I'll have a look. – Server Fault Jul 21 '17 at 21:22
  • @ceejayoz that sounds right in general, but Cloudflare is $200/mo **per domain** (what if you have several dozen on one server) and AWS WAF, [as far as I can tell](https://aws.amazon.com/waf/), can be used with AWS resources only – ᴍᴇʜᴏᴠ Oct 07 '19 at 07:31
  • @aexl CloudFlare is $20/month for the WAF. – ceejayoz Oct 07 '19 at 12:13
  • @ceejayoz that's for "*blogs, and portfolios requiring basic security*", for e-commerce, like I said, it's exactly $200: https://www.cloudflare.com/waf/ – ᴍᴇʜᴏᴠ Oct 08 '19 at 06:28
  • @aexl You can see the different tiers at https://www.cloudflare.com/plans/. $20/month gets you the WAF. You only need the $200 plan if you need the SLA, *custom* WAF rules, etc. – ceejayoz Oct 08 '19 at 13:46
    Just a note to add about CF. At the time I posted this, we couldn't use it because all of our services reside on a sub-domain (salesweb.sales.somecorp.com, smtp.sales.somecorp.com) and as I understand, the entire parent domain (somecorp.com) would need to delegate DNS to CF for mitigation, which would affect such a broad range of services it wasn't feasible. Looking at the pricing now however, the $200/month option says something about "Use existing name server" which may be a workaround for our situation. hrm. – Server Fault Oct 08 '19 at 19:14

0 Answers