How to block malicious bots and test server security
Hi everyone! In this video, we're focusing on vulnerability scanning and testing your server's defenses by learning how to block malicious bots and verify your firewall setup.

We'll start by looking at a common issue in Single Page Applications (SPAs) known as the "Soft 404" trap. Because SPAs typically route every unknown request to `index.html`, automated bots probing for sensitive files (like `.env` or `.git`) receive an HTTP 200 response instead of a true 404. That false success tells the bot it found something and encourages it to keep hammering your server, wasting bandwidth and resources.

I will walk you through fixing this by updating your Nginx configuration. We'll set strict boundaries so that requests for known malicious paths, PHP admin panels, and common backup files are dropped before they ever reach the SPA catch-all. By returning a hard 404 Not Found and turning off access logging for these specific bad requests, we protect the server, save disk space, and keep our logs free of unnecessary noise.

Finally, we'll use the free network scanner Nmap to scan our firewall from the outside. I'll demonstrate how to run a fast scan to confirm that only the necessary ports (22 for SSH, 80 for HTTP, and 443 for HTTPS) are exposed to the public internet. We'll also take a quick look ahead at our next module, which covers automating your deployments and standardizing your code with CI/CD pipelines!

Useful links:
- GitHub repo: https://github.com/ImadSaddik/FullStackDeploymentHandbook
- Nmap network scanner: https://nmap.org/
- SecLists by Daniel Miessler: https://github.com/danielmiessler/seclists
- NGINX Ultimate Bad Bot Blocker: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
- Well-known URI (Wikipedia): https://en.wikipedia.org/wiki/Well-known_URI

Don't forget to like, subscribe, and leave a comment if you have any questions or feedback!
⭐️ Contents ⭐️
(00:00) Intro and Agenda
(00:30) Understanding the Soft 404 (SPA trap)
(02:29) Demonstrating the vulnerability live
(03:47) Updating the Nginx configuration to drop bad requests
(06:34) Reloading Nginx and verifying the fix
(07:12) Analyzing Nginx access logs for bot activity
(08:08) GitHub resources for blocking bad bots
(09:11) Installing and running Nmap
(10:18) Analyzing the Nmap firewall scan results
(11:45) Summary and what's next (CI/CD automation)
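The Nginx change described above, written out as an added example (this is not the handbook repo's own config). It shows the SPA catch-all that causes the Soft 404, commented out, next to the hardened version that answers a real 404 without logging. The server name, document root and the exact list of blocked paths are assumptions; tune the list to what your own access log shows. One caveat a practitioner needs: a blanket dotfile rule would also block `/.well-known/`, which Let's Encrypt's ACME challenge relies on, so that prefix is exempted first.

```nginx
# Added example, not the project's own config.
# Assumptions: the SPA build lives in /var/www/app and the site is example.com.
server {
    listen 80;
    server_name example.com;

    root /var/www/app;
    index index.html;

    # BEFORE (the Soft 404 trap): with only this block, /.env, /.git/config,
    # /wp-login.php and /backup.sql all fall through to index.html with a 200.
    #
    # location / {
    #     try_files $uri $uri/ /index.html;
    # }

    # AFTER: block the probe targets before the catch-all runs.

    # Keep well-known URIs reachable. "^~" is a longest-prefix match that
    # stops Nginx from evaluating the regex locations below for this path,
    # so the ACME challenge is not swallowed by the dotfile rule.
    location ^~ /.well-known/ {
        try_files $uri =404;
    }

    # Dotfiles and VCS/config leaks: /.env, /.git/..., /.htaccess, /.ssh/...
    location ~ /\. {
        access_log off;        # keep the bot noise out of access.log
        log_not_found off;     # and out of error.log
        return 404;            # a hard 404, not the SPA shell
    }

    # PHP admin panels that do not exist on a Node/SPA host.
    location ~* ^/(wp-admin|wp-login\.php|xmlrpc\.php|phpmyadmin|admin\.php)(/|$) {
        access_log off;
        log_not_found off;
        return 404;
    }

    # Any PHP at all, plus common backup, dump and editor-swap extensions.
    location ~* \.(php|sql|bak|old|orig|swp|tar|gz|zip)$ {
        access_log off;
        log_not_found off;
        return 404;
    }

    # The real SPA catch-all, now only reached by paths that survived the rules.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

After editing, run `nginx -t` and then `systemctl reload nginx`, and verify from another machine with `curl -sI http://example.com/.env | head -1`, which should now print a `404` status line instead of `200`. The external port check from the video is `nmap -F example.com`; run it from outside the server, since scanning localhost does not exercise the firewall at all. Regex locations are matched in file order, so if you later add the NGINX Ultimate Bad Bot Blocker's includes, put the `^~ /.well-known/` exemption above them for the same reason.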