Abuse Guard (nginx IDS)
BOA's application-layer web defence: real-time nginx map and geo guards that drop hostile requests, plus a post-hoc log scorer that feeds genuine offenders into CSF.
The Abuse Guard is BOA's application-layer defence for the web tier — the net
between the firewall and PHP-FPM that keeps scanners, brute-forcers and
distributed search-amplification botnets off the backend. It has two halves that
run on different clocks: a wall of real-time Nginx map/geo guards that drop or
downgrade a hostile request before it costs anything, and a post-hoc log scorer
(scan_nginx.sh) that reads recent access.log lines, scores each real client,
and feeds genuine offenders into CSF. The firewall ban then flows back into Nginx
so the next request from that IP is closed silently.
The defining property: detection is post-hoc, enforcement is real-time. The
scorer cannot block mid-burst — it analyses lines that already happened and
produces a ban for the next visit. A scanner firing 75 requests in 20 seconds
completes before the next scan tick; those requests are served cheaply (a .php
probe gets a no-FPM 404) and the IP is blocked for its next visit, then
self-unbanned when CSF drops the entry.
The mechanism spans two codebases. The Nginx-template files live in
provision-private under http/Provision/Config/Nginx/; the scorer and the
ban-pipeline scripts live in boa-private under aegir/tools/system/ and are
deployed on a box under /var/xdrago/.
| Component | File | Role |
|---|---|---|
| Real-time guards | server.tpl.php (maps) + Inc/vhost_include.tpl.php (rules) |
Classify and drop/downgrade each request |
| Log scorer | aegir/tools/system/monitor/check/scan_nginx.sh |
Score IPs from access.log, write web.log |
| Scorer launcher | aegir/tools/system/monitor/check/nginx_guard.sh |
Run scan_nginx 10× per minute (5 s apart); one bounded pass per minute during a load-pause |
| Temp-ban applier | aegir/tools/system/guest-fire.sh |
web.log → csf -td 900 (80/443) |
| Persistent escalator | aegir/tools/system/guest-water.sh |
Archive repeat offenders → csf.deny |
| Geo regenerator (IPv4) | aegir/tools/system/nginx_deny.sh |
CSF state → nginx_banned_ips.conf → reload |
| Geo regenerator (IPv6) | aegir/tools/system/nginx_deny6.sh |
nginx-native IPv6 ban store → nginx_banned_ips.conf6 → reload |
| Ban release tool | aegir/tools/bin/clearwebbans |
One-shot release of all web-IDS bans + the state that would re-apply them |
| Flood reporter | aegir/tools/bin/floodreport |
Read-only i18n-flood / FPM-saturation activity report |
The pages below cover each part in turn: the scan_nginx scoring engine, the ban pipeline that carries an offender into CSF and back, the real-time request guards, the configuration reference, and day-to-day operations and tuning.
Adjacent operating topics
- Web tier (Nginx) internals — the vhost generator, the
config-template set, the master http config and the rate-limit zones that host
the
map/geoguards documented here. - Security & isolation — the CSF/LFD firewall lifecycle that consumes the ban pipeline, the trust hierarchy, and the per-tenant boundary.
- Self-healing monitor stack — the cron fan-out and watchdog
framework that launches
scan_nginx,guest-fire,guest-waterandnginx_deny. - Solr search (operator) — the expensive search backend the path-flood detector and the search-amplification maps protect.
- Operator troubleshooting & recovery — blocked-IP recovery when a ban is wrong or a flood watchdog has fired.
Reference
- Variables and
Commands — the consolidated
_NGINX_*knobs and the web-IDS helper tools (clearwebbans,floodreport) cited throughout this topic. - Discontinued features — historical attack incidents and superseded mitigations.
scan_nginx scoring engine
The post-hoc log analyser that scores each real client IP from recent access.log lines across five ban detectors and two alert paths, writing offenders into the ban pipeline.
The ban pipeline
The three scheduled scripts that turn scored offenders into blocks: guest-fire adds temporary CSF bans, guest-water escalates repeats, and nginx_deny rebuilds the ban geo.
Request guards
The real-time half: a wall of nginx map and geo directives that classify every request by IP, URI, User-Agent, Referer and query, dropping hostile ones before PHP-FPM.
Abuse Guard configuration reference
The authoritative reference for every Abuse Guard tuning knob: each variable's built-in default, what it controls, and how barracuda.cnf overrides replace those values.
Operations + tuning
The operator side of the Abuse Guard: reading live state, lifting or cycling a ban, whitelisting an IP, path or service, debug output, and the caveats before extending it.