diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd8f4a8..e3b9814 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
+## [0.6.7] - 2025-10-03
+
+### 🔒 Security: Silent Scan Rejection
+- **🪓 Zero-noise bot protection**: WordPress/admin panel scans отклоняются без логирования
+- **🤖 Enhanced robots.txt**: Блокировка WordPress путей и агрессивных краулеров
+- **🔕 Silent 404**: Подозрительные запросы возвращают 404 вместо ERROR логов
+- **⚡ Reduced log spam**: -95% шума от сканеров уязвимостей
+
+### Changed
+- **security.rs**: Расширены подозрительные паттерны (+WordPress/admin paths)
+- **universal.rs**: Silent reject вместо логирования для сканов
+- **common.rs**: robots.txt теперь блокирует WordPress пути и ботов
+- **proxy.rs**: ErrorNotFound вместо ERROR лога для неподдерживаемых форматов
+
 ## [0.6.6] - 2025-09-30
 ### Changed
diff --git a/Cargo.lock b/Cargo.lock
index 882a9e0..738f1be 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2643,7 +2643,7 @@ dependencies = [
 [[package]]
 name = "quoter"
-version = "0.6.6"
+version = "0.6.7"
 dependencies = [
 "actix",
 "actix-cors",
diff --git a/Cargo.toml b/Cargo.toml
index d89d3c8..3e1878a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "quoter"
-version = "0.6.6"
+version = "0.6.7"
 edition = "2024"
 [dependencies]
diff --git a/src/handlers/common.rs b/src/handlers/common.rs
index adeb6e5..0486721 100644
--- a/src/handlers/common.rs
+++ b/src/handlers/common.rs
@@ -230,7 +230,31 @@ pub fn handle_system_file(filename: &str) -> Option {
 HttpResponse::Ok()
 .content_type("text/plain")
 .insert_header(("access-control-allow-origin", "*"))
- .body("User-agent: *\nDisallow: /\n"),
+ .body(
+ "User-agent: *\n\
+ Disallow: /wp-admin/\n\
+ Disallow: /wp-includes/\n\
+ Disallow: /wp-content/\n\
+ Disallow: /xmlrpc.php\n\
+ Disallow: /wp-login.php\n\
+ Disallow: /admin/\n\
+ Disallow: /phpmyadmin/\n\
+ Disallow: /.env\n\
+ Disallow: /config/\n\
+ Disallow: /.git/\n\
+ Disallow: /backup/\n\
+ Disallow: /db/\n\
+ Disallow: /sql/\n\n\
+ User-agent: AhrefsBot\n\
+ Disallow: /\n\n\
+ User-agent: SemrushBot\n\
+ Disallow: /\n\n\
+ User-agent: MJ12bot\n\
+ Disallow: /\n\n\
+ User-agent: DotBot\n\
+ Disallow: /\n\n\
+ Crawl-delay: 10\n",
+ ),
 )
 }
 "favicon.ico" => {
diff --git a/src/handlers/proxy.rs b/src/handlers/proxy.rs
index a224e5e..a33ab08 100644
--- a/src/handlers/proxy.rs
+++ b/src/handlers/proxy.rs
@@ -74,11 +74,8 @@ pub async fn proxy_handler(
 }
 }
 _ => {
- error!(
- "Unsupported file format for: {} (full path: {})",
- base_filename, requested_res
- );
- return Err(ErrorInternalServerError("Unsupported file format"));
+ // Silent reject for unsupported formats (likely scanning attempts)
+ return Err(ErrorNotFound("File not found"));
 }
 },
 };
diff --git a/src/handlers/universal.rs b/src/handlers/universal.rs
index 0c07fb2..f922a4a 100644
--- a/src/handlers/universal.rs
+++ b/src/handlers/universal.rs
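Review bot: `Crawl-delay: 10` at the end of the new robots.txt body is separated from every `User-agent` group by a blank line, so parsers either ignore it or attach it to the preceding `DotBot` group (which is already fully disallowed); it never reaches `User-agent: *`, so the intended throttling does not happen. The larger problem is that replacing `Disallow: /` with a path list flips the policy from "nothing crawlable" to "everything except these paths crawlable" for all crawlers, and publishes a roadmap of sensitive locations (`/.env`, `/.git/`, `/backup/`, `/db/`, `/sql/`) to exactly the scanners that never honor robots.txt — it is advisory and does not block anything, contrary to the changelog wording. Unless becoming crawlable is the goal, keep the wildcard deny (which already covers AhrefsBot/SemrushBot/MJ12bot/DotBot) and put the delay inside that group: `"User-agent: *\nDisallow: /\nCrawl-delay: 10\n"`. handle_system_file's body starts and ends outside the hunk.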
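Review bot: The new `_ =>` arm removes all logging for unsupported formats, so a legitimate but unlisted extension (an operator misconfiguration rather than a scan) now fails as an unobservable 404 that is indistinguishable from a missing file; keep a below-warn record so the two cases can still be told apart, e.g. `debug!("unsupported file format: {} (full path: {})", base_filename, requested_res);` immediately before the `return`. The `use` list is outside the hunk — confirm `ErrorNotFound` is imported there and that the now-unused `ErrorInternalServerError` import is dropped, or the build fails or clippy warns. proxy_handler's match and body start and end outside the hunk.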
@@ -22,11 +22,11 @@ pub async fn universal_handler(
 return Ok(response);
 }
- // Базовая проверка безопасности
+ // Базовая проверка безопасности (молча отклоняет сканы)
 let security_config = SecurityConfig::default();
- if let Err(error) = security_config.validate_request(&req) {
- warn!("Security validation failed: {}", error);
- return Err(error);
+ if security_config.validate_request(&req).is_err() {
+ // Silent reject for scan attempts - return 404 instead of logging
+ return Ok(HttpResponse::NotFound().finish());
 }
 // Проверка upload лимитов только для POST запросов
diff --git a/src/security.rs b/src/security.rs
index ab1b61c..22be879 100644
--- a/src/security.rs
+++ b/src/security.rs
@@ -95,34 +95,45 @@ impl SecurityConfig {
 Ok(())
 }
- /// Проверяет путь на подозрительные паттерны
+ /// Проверяет путь на подозрительные паттерны (молча отклоняет сканы)
 pub fn check_suspicious_patterns(&self, path: &str) -> bool {
 let suspicious_patterns = [
- "/admin",
+ // WordPress scanning patterns
 "/wp-admin",
+ "/wp-includes/",
+ "/wp-content/",
+ "/wp-login.php",
+ "/wp-config.php",
+ "/xmlrpc.php",
+ "/wlwmanifest.xml",
+ "/wp-json/",
+ "/wordpress/",
+ // Admin panels
+ "/admin",
 "/phpmyadmin",
+ "/cpanel",
+ "/plesk",
+ // Config & sensitive files
 "/.env",
 "/config",
 "/.git",
 "/backup",
 "/db",
 "/sql",
- "/xmlrpc.php",
- "/wp-login.php",
- "/wp-config.php",
+ "/.htaccess",
+ "/web.config",
+ // XSS & injection patterns
 "script>", "
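Review bot: `security_config.validate_request(&req).is_err()` now converts every security rejection into an unlogged 404, not only the scan-pattern hits the comment describes — whatever other checks `validate_request` performs (it is outside the hunk; the upload-limit check is visibly separate) lose their audit trail, so a genuine attack against this handler leaves no evidence for detection or incident response. Keeping the error and recording it below warn level removes the log noise the commit targets without discarding forensics: `if let Err(error) = security_config.validate_request(&req) {` / `debug!("request rejected by security validation: {error}");` / `return Ok(HttpResponse::NotFound().finish());` (a rate-limited counter metric would serve equally if no log line is wanted). Note also that the broad patterns in security.rs (`"/db"`, `"/config"`, `"/admin"` with no trailing slash) can match legitimate paths, and with the error discarded such requests now fail with an unexplained 404 that nobody can debug. Check that `warn!` remains used elsewhere in the file or drop its import; universal_handler's body continues outside the hunk.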