Magento 2 Carding Attack - checkout recaptcha slow performance fix

Recently, attacks on checkout have become more frequent. Hackers can damage the reputation of the store and lower your rating with credit card processing companies. In the event of a strong attack, your payment gateway may simply be blocked automatically.

In order not to overload the cart and checkout with various reCAPTCHA and verification modules, it is recommended to move all filtering and blocking procedures outside the application. By combining the Nginx web server with the CSF firewall, you can block these attacks at the server level and protect /checkout from bots and carding attacks.

The ngx_http_limit_req_module module is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address. The limitation is done using the "leaky bucket" method.

Ridiculously simple configuration.

Map search bots:


## Map good user agents (case-insensitive match on the User-Agent header)
map $http_user_agent $searchbot {
    default 0;
    ~*(Bot|Baiduspider|DotBot|Googlebot|bingbot|rogerbot|Yahoo|Yandex) 1;
}

Define zone name and rate.


## Flood protection example (see conf_m2/extra_protect.conf)
## checkout: keyed by client IP; payment: keyed by the $cartId capture from the
## payment-information location below, so one cart cannot hammer the endpoint
limit_req_zone $binary_remote_addr zone=checkout:35m rate=1r/s;
limit_req_zone $cartId zone=payment:35m rate=10r/m;

Adjust the locations with the extra security parameters: apply the rate limit, require that the form_key cookie is set (you can check any secret cookie you choose instead), and return "410 Gone" to matched search bots:


location ~ ^/checkout/ {
    limit_req zone=checkout burst=8;
    limit_req_status 429;
    if ($cookie_form_key = "") { return 403; }
    if ($searchbot) { return 410; }
    try_files $uri $uri/ /index.php$is_args$args;
}

## named capture <cartId> feeds the payment zone defined above
location ~ /V1/guest-carts/(?<cartId>.+)/payment-information {
    if ($cookie_form_key = "") { return 403; }
    limit_req zone=payment;
    limit_req_status 429;
    if ($searchbot) { return 410; }
    try_files $uri $uri/ /index.php$is_args$args;
}

Install ConfigServer Security & Firewall (csf), a Stateful Packet Inspection (SPI) firewall and login/intrusion detection application for Linux servers: https://www.configserver.com/cp/csf.html. Custom regex matching can be added to the regex.custom.pm file without it being overwritten by csf upgrades. The format is slightly different from regex.pm to cater for additional parameters. You need to specify the log file that should be scanned for matching lines in csf.conf under CUSTOMx_LOG; you can scan up to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG).

https://github.com/magenx/Magento-2-server-installation/blob/master/regex.custom.pm

Read the nginx log and ban IP addresses that receive 444, 403 or 401 response codes (access forbidden).


# /var/log/nginx/access.log
# Nginx 444 403 401  (Default: 5 errors bans for 24 hours)
# return fields: description, IP, trigger name, hits before ban, port, ban seconds, cleanup
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*(?:GET|POST|HEAD).*(\"\s(444|403|401)\s)/)) {
    return ("Nginx 444 403 401",$1,"nginx_444_403_401","5","443","86400","0");
}

Read the nginx log and ban IP addresses that receive 429 response codes (rate limit exceeded, flood attack).


# /var/log/nginx/access.log
# Nginx 429  (Default: 5 errors bans for 10 minutes)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*(?:GET|POST|HEAD).*(\"\s429\s)/)) {
    return ("Nginx 429",$1,"nginx_429","5","443","600","0");
}

Read the nginx log and ban IP addresses that receive 400 response codes on the payment-information endpoint (bad request).


# /var/log/nginx/access.log
# Nginx 400  (Default: 2 errors bans for 24 hours)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*POST.*guest-carts.*payment-information.*(\"\s400\s)/)) {
    return ("Nginx 400",$1,"nginx_400","2","443","86400","0");
}
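As an added example (not part of the original post and not csf's own code), the three triggers above replayed in Python over constructed access.log lines, using the same trigger counts and ban lengths; it assumes all lines fall inside one csf counting interval and that the first matching rule wins, as the Perl `return` statements do.

```python
import re
from collections import defaultdict

# Mirror of the regex.custom.pm triggers above:
# (trigger name, pattern, hits before a ban, ban length in seconds).
# (?:GET|POST|HEAD) is an alternation; a [GET|POST|HEAD] character class
# would only match one of those letters anywhere in the line.
RULES = [
    ("nginx_444_403_401",
     re.compile(r'(\S+) -.*(?:GET|POST|HEAD).*("\s(?:444|403|401)\s)'), 5, 86400),
    ("nginx_429",
     re.compile(r'(\S+) -.*(?:GET|POST|HEAD).*("\s429\s)'), 5, 600),
    ("nginx_400",
     re.compile(r'(\S+) -.*POST.*guest-carts.*payment-information.*("\s400\s)'), 2, 86400),
]

# Constructed nginx access.log lines (combined format) for a dry run.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /checkout/ HTTP/1.1" 429 169 "-" "python-requests/2.31"',
] * 5 + [
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /checkout/ HTTP/1.1" 200 4031 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "POST /rest/V1/guest-carts/abc123/payment-information HTTP/1.1" 400 52 "-" "curl/8.4.0"',
    '198.51.100.9 - - [01/Jan/2024:10:01:02 +0000] "POST /rest/V1/guest-carts/abc123/payment-information HTTP/1.1" 400 52 "-" "curl/8.4.0"',
    '192.0.2.25 - - [01/Jan/2024:10:02:00 +0000] "POST /checkout/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

def match_line(line):
    """Return (trigger, ip) for the first rule the line matches, else None."""
    for name, pattern, _, _ in RULES:
        m = pattern.search(line)
        if m:
            return name, m.group(1)
    return None

def scan(lines):
    """Count hits per (trigger, ip), as csf does while tailing CUSTOM1_LOG."""
    hits = defaultdict(int)
    for line in lines:
        found = match_line(line)
        if found:
            hits[found] += 1
    return dict(hits)

def bans(lines):
    """{(ip, trigger): ban_seconds} for IPs that reached a rule's hit count."""
    thresholds = {name: (count, secs) for name, _, count, secs in RULES}
    return {(ip, trig): thresholds[trig][1]
            for (trig, ip), n in scan(lines).items() if n >= thresholds[trig][0]}

if __name__ == "__main__":
    for (ip, trig), secs in bans(SAMPLE_LOG).items():
        print(f"ban {ip} for {secs}s ({trig})")
```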

If you want complete protection, all of this and many other security and optimization parameters are already fully configured in the Magenx ecommerce webstack. Supported: RedHat 8 | Ubuntu 20.04 | Debian 11 | Amazon Linux 2, with AWS Graviton2 ARM support. Production ready:

https://github.com/magenx/Magento-2-server-installation

Drive more sales online!