May 012017

This is another way to quickly analyze nginx logs.  It will spit out the top 25 ip’s, domains, requests and some other data.  You may need to change the array value to match the format of your nginx logs.

It uses perl so it is very fast and takes just seconds to analyze hundreds of thousands of lines in a log file.  It can also be used for apache too or other column whitespaced logs.

Continue reading »

May 012017

I’ve wrote about this before in Using Sed to search between dates and offered a ad-hoc solution but the other day I came up with a much better solution using a little known option of ‘date’ command.  Using this new method, you just pass the time in minutes prior to current time.  I.e. if you want the last hour, you would simply type ‘./ 60’ and it will spit out the correctly formatted sed command like this:

$ ./ 60
sed -n '/01\/May\/2017\:07\:16\:15/,/01\/May\/2017\:08\:16\:15/ p'

Continue reading »

Feb 172016

This is a silly script but you would be surprised how many times a day I have to do this and no matter how many times I type the command, I always get it wrong (or more than likely I forget to escape something).  Its also interesting to note that the scripts I find silly are usually the ones that are the most popular on this site….so here it is.

Basically, if you copy and paste this script into a file and run it, it will give you the exact date and time in the sed command to run to search all lines in a log file from the previous hour to now and save it to another file.

Continue reading »

Oct 272013

This is a really simple fix which will block the user enumeration on a wordpress site (like the method by wpscan).

Before I get into this, I am very well aware of the IfIsEvil page on nginx wiki.  But it also says on this page, “The only 100% safe things which may be done inside if in location context are:  return and rewrite as the last statement in a location block”  With that in mind, we are going to use ONLY rewrite as the last statement in our location block.

Continue reading »

Apr 182013

Some of the posts I am seeing on the internet regarding the wordpress password crack via botnet is pretty funny as various people offer suggestions to fix the problem.  The quickest fix is simple and although it protects the wp-admin page, it wont protect you from the inbound traffic or sql injection.

Continue reading »

Mar 162013

So one thing you learn pretty quick once you move into the cloud, is that what you normally would do to stop bots, rogue traffic, hackers, etc doesn’t quit work…even at the packet level.  What I mean is this, you have a web server sitting behind an aws load balancer and its under attack.  You are running linux.  First thing you do is set up an iptables rule to drop connections from that ip address.  The problem is, iptables never sees that ip address.  Iptables can’t look into packets.  Instead, it sees the load balancer ip address.  The ip address of the user is hidden in the x-forward-for.  So first thing you need to do is enable x-forward-for logging in your web server.  I will use nginx as an example:

Continue reading »

Mar 092013

As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the request they are making.  This is often helpful in determining attacks.  So, I basically wrote this script which does it.

# By Ed Wiget
# This shows active GET and POSTS to port 80
# One of the things i hate about nginx is the lack of an apache style status page showing requests
# hence I wront this script....which does it at a network layer, using ngrep
# 20130308 - original script
## grep all HTTP GET or POST requests from network traffic on eth0 interface  ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
if [ `which ngrep | head -1 | wc -l` == "0" ]; then
	echo "missing ngrep....please install"
if [ $1 = "" ]; then
	echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
	read CIF
until [ $thing = "0" ]; do
	# uncomment top line if you dont need x-forward-for
        #sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
        # use the next line if you do need x-forward-for
	#sudo ngrep -d eth1 -q 'X-Forwarded-For'  tcp and port 80
	ngrep -d ${CIF} -t '^(GET|POST) ' tcp and port 80
	sleep 1;


20130905 – added option to pass interface

Apr 112012

When I reviewed memcached previously, I got faster performance with wp-cache than memcached…..but that was about 16 months ago.  So I decided to give it another run for the money on a few sites.  The installation is pretty simple….especially since I scripted most of it for you…..

Continue reading »

Jan 182012


I usually don’t disable apache, php, nginx headers because to me that is just security through obscurity.

My thoughts are this…..

  1. if someone doesn’t know what version of software you are running and they decide to hack your domain or server, they will simply throw every public exploit at it that exists for said product or even simply “fingerprint” it for the correct version
  2. It makes my life easier because I can also query for those headers if for some reason I don’t remember the version of software (which saves me from logging in to the server or using other methods that might take longer – efficiency is key!)
  3. skiddies are going to throw everything at it anyways

On the flipside…..

Continue reading »

Sep 122011

This is just a quick note on how to password protect wp-admin using nginx.

You may have to fiddle with the location of the lines in the site.conf file.

Where I thought the config variables needed to go, gave me a “download file” of type bin in nginx after authentication.

So, here is how I did it:

server {
   listen 80;
   access_log /logs/;
   error_log /logs/;
   root /var/www/sites/;
location / {
try_files $uri $uri/ /index.php?q=$request_uri;
include /usr/nginx/conf/staticfiles.conf;
include /usr/nginx/conf/php.conf;
include /usr/nginx/conf/drop.conf;
        # password protect wp-admin
                location ~ ^/wp-admin {
                auth_basic “Restricted”;
                auth_basic_user_file /path/to/htpasswd/file;
                try_files $uri $uri/ /index.php?q=$request_uri;