<div dir="ltr">Thank you very much. Everyone!<div><br></div><div>I will try to implement all the insithgts given.</div><div><br></div><div>With desperate times come desperate measures, and I implemented a fail2ban that block any IP that doesn't have any GET or POST in the request.</div><div><br></div><div>It is not efficient, I know. My firewall list is growing abruptly but, at least, it buys me some time to improve the all counter-measure that you guys meantionated.</div><div><br></div><div>BR,</div><div>Donda</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 24, 2020 at 9:18 PM Peter Booth <<a href="mailto:peter_booth@me.com">peter_booth@me.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I agree with the advice already given<br>
<br>
It can also be useful to track the User-Agent header of web requests - both to understand who is trying to do what to your website,<br>
and then to start blocking on the basis of user agent. <br>
There may be some bots and spiders that are helpful or even necessary for your business.<br>
<br>
Peter<br>
<br>
<br>
<br>
> On Aug 24, 2020, at 2:54 PM, lists <<a href="mailto:lists@lazygranch.com" target="_blank">lists@lazygranch.com</a>> wrote:<br>
> <br>
> I can't find it, but someone wrote a script to decode that style of hacking. For the hacks I was decoding, they were RDP hack attempts. The hackers just "spray" their attacks. Often they are not meaningful to your server.<br>
> <br>
> I have Nginx maps set up to match requests that are not relevant to my server. For instance I don't run WordPress, so anything WordPress related gets a 444 response. On a weekly basis I pull all the IP addresses that generated a 400 or 444 and run them through a IP lookup website. If they come back to a hosting company, VPS, or basically anything not an ISP, I block the associated IP space via my firewall. The only reason I can do this weekly is I have blocked so much IP space already that I don't get many hackers.<br>
> <br>
> At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just hackers. Also block all of OVH. You can block any of the hosting companies since there are no eyeballs there. This blocks many VPNs as well but nobody says you have to accept traffic from VPNs. <br>
> <br>
> Firewalls are very CPU efficient though they do use a lot of memory. In the long run blocking all those hackers improves system efficiency since nginx does have to parse all that nonsense.<br>
> <br>
> I have scripts to pull the hacker IP out of the log file but a have a nonstandard log format. If you can create a file of IPs, this site will return the domains:<br>
> <br>
> <a href="https://www.bulkseotools.com/bulk-ip-to-location.php" rel="noreferrer" target="_blank">https://www.bulkseotools.com/bulk-ip-to-location.php</a><br>
> <br>
> If you see a domain that is obviously not an ISP, you can find their entire IP space using <a href="http://bgp.he.net" rel="noreferrer" target="_blank">bgp.he.net</a><br>
> <br>
> This sounds more complicate than it is. I have it down to about 20 minutes a week. <br>
> <br>
> You can also block countries in the firewall. Some people block all of China. I don't but that does cut down on hackers. <br>
> <br>
> <br>
> <br>
> Original Message <br>
> <br>
> <br>
> From: <a href="mailto:themadbeaker@gmail.com" target="_blank">themadbeaker@gmail.com</a><br>
> Sent: August 24, 2020 11:06 AM<br>
> To: <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
> Reply-to: <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
> Subject: Re: Is this an attack or a normal request?<br>
> <br>
> <br>
>> Is this kind of DDOS attack or a legitimate request(which my server returns<br>
>> 400 for them)?<br>
> <br>
> That's typically how various unicode characters are hex encoded. If<br>
> you aren't expecting that kind of input, then yes it is likely an<br>
> attack (probably trying to exploit an unknown specific piece of<br>
> software). Welcome to the internet where everything connected is<br>
> bombarded 24/7 from everything else with random attacks.<br>
> <br>
> That's why it's important to keep your server (and wordpress) up to date.<br>
> _______________________________________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
> <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
> _______________________________________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
> <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Att.<br>Anderson Donda<br><div><br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><i style="background-color:rgb(255,255,255)"><font color="#000099">" </font></i><i style="font-family:arial;font-size:small"><font color="#000099">Mar calmo não cria bom marinheiro, muito menos bom capitão.</font></i><i style="background-color:rgb(255,255,255)"><font color="#000099">"</font></i></blockquote></div></div></div></div>