How to Block Bots and Prevent DDOS in Nginx

by

Hey there! Some links on this page may be affiliate links which means that, if you choose to make a purchase, I may earn a small commission at no extra cost to you. I greatly appreciate your support!

In this tutorial, you will learn how to block bad bots, referrer spam, and prevent DDOS on your Nginx web server. To accomplish this, we will be using the open-source project called Nginx Ultimate Bad Bot and Referrer Blocker.

By the end of this tutorial, your Nginx server will block unwanted user-agent, spam referrer, adware, malware, ransomware, and clickjackers.

1. Download Nginx Bad Bot Blocker

To download the Ultimate Bad Bot Blocker, execute the following commands on your system.

sudo wget https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/install-ngxblocker -O /usr/local/sbin/install-ngxblocker
sudo chmod +x /usr/local/sbin/install-ngxblocker
sudo install-ngxblocker -x
sudo chmod +x /usr/local/sbin/setup-ngxblocker
sudo chmod +x /usr/local/sbin/update-ngxblocker
sudo setup-ngxblocker -x

2. Check Proper Placement of Includes

Sometimes, especially if you have an Let’s Encrypt SSL certificate installed, the setup script from above will incorrectly place the includes in your Nginx config file. Make that the “Nginx Bad Bot Blocker Includes” come before the first location block in your config files at /etc/nginx/sites-available/.

# configuration of the server
server {
    server_name micro.domains www.micro.domains;
    root /home/microdomains/public/;

    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    location /static {
        alias /home/microdomains/public/static;
    }
    ....

3. How to Automatically Update Nginx Bad Bot Blocker

Execute the sudo crontab -e command and add the following statement to automatically update the Nginx Bad Bot Blocker everyday at 10 PM server time. You can optionally add the -e flag and provide an email address for notifications.

00 22 * * * /usr/local/sbin/update-ngxblocker -e you@example.com

4. Configure Nginx Bad Bot Blocker

The default rules for Nginx Bad Bot Blocker at located at /etc/nginx/conf.d/globalblacklist.conf. Do not edit this file! If you would like to add custom rules, you can in one of the following config files at /etc/nginx/bots.d/.

  • bad-referrer-words.conf
  • blacklist-ips.conf
  • blacklist-user-agents.conf
  • blockbot.conf
  • custom-bad-referreres.conf
  • ddos.conf
  • whitelist-domains.conf
  • whitelist-ips.conf

5. Test it Out

From another IP address, you can execute on of the following curl commands to see if the blocker is working. If you get an empty reply from the server, it is working as expected.

curl -A "Xenu Link Sleuth/1.3.8" -I https://micro.domains
curl -I https://micro.domains -e http://zx6.ru

Testing Nginx bad bot blockerPin

As a temporary test, you can also blacklist yourself by adding your IP address to /etc/nginx/bots.d/blacklist-ips.conf. After restarting the Nginx server to apply your changes with systemctl restart nginx, when you visit your website, you should see an error similar to ERR_EMPTY_RESPONSE.

Empty response error in Google ChromePin

Here is a full tutorial that will show you how to install and configure the Nginx Bad Bot Blocker in more detail.

YouTube video


Meet Tony

With a strong software engineering background, Tony is determined to demystify the web. Discover why Tony quit his job to pursue this mission. You can join the Tony Teaches Tech community here.

Leave a Comment