littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0

Can SlickStack integrate the Nginx Bad Bot Blocker security module? #74

Closed LCBO closed 3 years ago

LCBO commented 3 years ago

Hello, SS is the best stack in terms of security, but as nowadays there are a lot of bots, I think that it would be a good idea to implement the Nginx Bad Bot Blocker - https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker

Thank you.

jessuppi commented 3 years ago

Thanks for your suggestion @LCBO

I'm not too familiar with that package, but it seems well maintained with several contributors. That being said, it also looks pretty heavy actually, and would add a complex layer to SlickStack that I'm not sure would be appropriate.

For example, DNS-level proxies and WAF like CloudFlare already perform most of the functions that this package offers, from what I've initially reviewed on their repo. I think not relying on third party services like CloudFlare would be a nice goal for any FOSS project like SlickStack, but ultimately maintaining "lists" of bots and spammers is literally a full-time job for thousands of corporate employees at companies like CloudFlare, and their software updates automatically 24/7 without any need for server configuration or dependencies, so I'm not sure if we would want to add this.

Perhaps another option is allowing for custom Nginx add-ons to be installed, but not bundling them by default.

Anyway, I will keep this Issue open for now. I also saw this resource:

https://github.com/wallarm/awesome-nginx-security

jessuppi commented 3 years ago

For those interested, please refer to the Bot Fight Mode that was launched on CloudFlare last year:

https://blog.cloudflare.com/cleaning-up-bad-bots/

The advantage of services like CloudFlare is they can "compare" bot activity across millions of domains simultaneously, whereas a community Nginx package relies on a few people adding patches here and there (and then running package updates).

LCBO commented 3 years ago

I think that your point is correct while we use Cloudflare.

jessuppi commented 3 years ago

Just an update that CloudFlare has now released more advanced bot-fighting features, called Super Bot Fight Mode. It is becoming next to impossible for community packages to keep up with edge-services like this. I fully expect that CloudFlare competitors are working on similar advanced features (or already have them):

https://blog.cloudflare.com/super-bot-fight-mode/

Keep in mind that activating certain bot-fighting features (whether on your CDN, or your origin server) can cause problems in many cases, such as blocking API access to your site, etc. I've had a few clients recently who were trying too hard to beef up their anti-bot security and ended up breaking WooCommerce features, e.g. stock management.

For now, I will close this Issue, thanks ~
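The caveat in the last comment (origin-side bot blocking breaking API access such as WooCommerce stock management) can be handled in plain Nginx by scoping the block so that API paths are exempt. The following is an added example and is not SlickStack's own configuration nor part of the Bad Bot Blocker package; the user-agent signatures and the `ss_*` variable names are constructed for illustration, and the exempted paths are the standard WordPress REST API and WooCommerce endpoints.

```nginx
# Added example (not SlickStack's code): a minimal origin-side user-agent
# blocklist that deliberately exempts WordPress/WooCommerce API paths so
# integrations that use non-browser user agents keep working.
# All map directives belong in the http {} context.

# 1. Flag suspicious user agents. Names below are constructed samples,
#    not a maintained list.
map $http_user_agent $ss_bad_ua {
    default                                0;
    ~*(ExampleScraperBot|SampleSpamBot)    1;   # constructed signatures
    ~^$                                    1;   # empty UA: almost always scripted
}

# 2. Flag request paths that legitimate machine clients rely on.
#    $request_uri includes the query string, so the legacy wc-api form matches too.
map $request_uri $ss_api_path {
    default                 0;
    ~^/wp-json/             1;   # WP REST API, incl. /wp-json/wc/ (WooCommerce)
    ~^/wc-api/              1;   # legacy WooCommerce API endpoint
    ~^/\?wc-api=            1;   # legacy WooCommerce API (query-string form)
    ~^/wp-cron\.php         1;   # scheduled tasks, often hit by an external cron
    ~^/xmlrpc\.php          1;   # Jetpack / mobile apps (drop this line if XML-RPC is disabled)
}

# 3. Block only when the UA is flagged AND the path is not an API path.
map "$ss_bad_ua:$ss_api_path" $ss_block {
    default   0;
    "1:0"     1;
}

server {
    # ... existing SlickStack server block ...

    # Deny early, before PHP is involved; 403 is cheap and logged normally.
    if ($ss_block) {
        return 403;
    }
}
```

This keeps the decision logic in two small maps that can be reviewed in one screen, which is the opposite trade-off from shipping a large generated blocklist. Dropped into an include file, it is also the shape a "custom Nginx add-on, not bundled by default" (as floated earlier in the thread) would take. After enabling anything like this, verify with a request carrying a non-browser user agent to `/wp-json/wc/v3/` (with valid credentials) that the stock-management calls still return 200 rather than 403, and watch the access log for unexpected 403s on `/wp-json/` before leaving it in place.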