Skip to content

Powered by Grav

Abuse Guard (nginx IDS)

Abuse Guard (nginx IDS)

BOA's application-layer web defence: real-time nginx map and geo guards that drop hostile requests, plus a post-hoc log scorer that feeds genuine offenders into CSF.

The Abuse Guard is BOA's application-layer defence for the web tier — the net between the firewall and PHP-FPM that keeps scanners, brute-forcers and distributed search-amplification botnets off the backend. It has two halves that run on different clocks: a wall of real-time Nginx map/geo guards that drop or downgrade a hostile request before it costs anything, and a post-hoc log scorer (scan_nginx.sh) that reads recent access.log lines, scores each real client, and feeds genuine offenders into CSF. The firewall ban then flows back into Nginx so the next request from that IP is closed silently.

The defining property: detection is post-hoc, enforcement is real-time. The scorer cannot block mid-burst — it analyses lines that already happened and produces a ban for the next visit. A scanner firing 75 requests in 20 seconds completes before the next scan tick; those requests are served cheaply (a .php probe gets a no-FPM 404) and the IP is blocked for its next visit, then self-unbanned when CSF drops the entry.

The mechanism spans two codebases. The Nginx-template files live in provision-private under http/Provision/Config/Nginx/; the scorer and the ban-pipeline scripts live in boa-private under aegir/tools/system/ and are deployed on a box under /var/xdrago/.

Component File Role
Real-time guards server.tpl.php (maps) + Inc/vhost_include.tpl.php (rules) Classify and drop/downgrade each request
Log scorer aegir/tools/system/monitor/check/scan_nginx.sh Score IPs from access.log, write web.log
Scorer launcher aegir/tools/system/monitor/check/nginx_guard.sh Run scan_nginx 10× per minute (5 s apart); one bounded pass per minute during a load-pause
Temp-ban applier aegir/tools/system/guest-fire.sh web.logcsf -td 900 (80/443)
Persistent escalator aegir/tools/system/guest-water.sh Archive repeat offenders → csf.deny
Geo regenerator (IPv4) aegir/tools/system/nginx_deny.sh CSF state → nginx_banned_ips.conf → reload
Geo regenerator (IPv6) aegir/tools/system/nginx_deny6.sh nginx-native IPv6 ban store → nginx_banned_ips.conf6 → reload
Ban release tool aegir/tools/bin/clearwebbans One-shot release of all web-IDS bans + the state that would re-apply them
Flood reporter aegir/tools/bin/floodreport Read-only i18n-flood / FPM-saturation activity report

The pages below cover each part in turn: the scan_nginx scoring engine, the ban pipeline that carries an offender into CSF and back, the real-time request guards, the configuration reference, and day-to-day operations and tuning.

Adjacent operating topics

  • Web tier (Nginx) internals — the vhost generator, the config-template set, the master http config and the rate-limit zones that host the map/geo guards documented here.
  • Security & isolation — the CSF/LFD firewall lifecycle that consumes the ban pipeline, the trust hierarchy, and the per-tenant boundary.
  • Self-healing monitor stack — the cron fan-out and watchdog framework that launches scan_nginx, guest-fire, guest-water and nginx_deny.
  • Solr search (operator) — the expensive search backend the path-flood detector and the search-amplification maps protect.
  • Operator troubleshooting & recovery — blocked-IP recovery when a ban is wrong or a flood watchdog has fired.

Reference

  • Variables and Commands — the consolidated _NGINX_* knobs and the web-IDS helper tools (clearwebbans, floodreport) cited throughout this topic.
  • Discontinued features — historical attack incidents and superseded mitigations.

© 2026 BOA Documentation. All rights reserved.