Is this an attack or a normal request?
Anderson dos Santos Donda
andersondonda at gmail.com
Tue Aug 25 05:53:22 UTC 2020
Thank you very much. Everyone!
I will try to implement all the insights given.
With desperate times come desperate measures, and I implemented a fail2ban
rule that blocks any IP that doesn't have any GET or POST in the request.
It is not efficient, I know. My firewall list is growing abruptly but, at
least, it buys me some time to improve all the counter-measures that you
guys mentioned.
BR,
Donda
On Mon, Aug 24, 2020 at 9:18 PM Peter Booth <peter_booth at me.com> wrote:
> I agree with the advice already given
>
> It can also be useful to track the User-Agent header of web requests -
> both to understand who is trying to do what to your website,
> and then to start blocking on the basis of user agent.
> There may be some bots and spiders that are helpful or even necessary for
> your business.
>
> Peter
>
>
>
> > On Aug 24, 2020, at 2:54 PM, lists <lists at lazygranch.com> wrote:
> >
> > I can't find it, but someone wrote a script to decode that style of
> hacking. For the hacks I was decoding, they were RDP hack attempts. The
> hackers just "spray" their attacks. Often they are not meaningful to your
> server.
> >
> > I have Nginx maps set up to match requests that are not relevant to my
> server. For instance I don't run WordPress, so anything WordPress related
> gets a 444 response. On a weekly basis I pull all the IP addresses that
> generated a 400 or 444 and run them through an IP lookup website. If they
> come back to a hosting company, VPS, or basically anything not an ISP, I
> block the associated IP space via my firewall. The only reason I can do
> this weekly is I have blocked so much IP space already that I don't get
> many hackers.
> >
> > At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just
> hackers. Also block all of OVH. You can block any of the hosting companies
> since there are no eyeballs there. This blocks many VPNs as well but nobody
> says you have to accept traffic from VPNs.
> >
> > Firewalls are very CPU efficient though they do use a lot of memory. In
> the long run blocking all those hackers improves system efficiency since
> nginx does have to parse all that nonsense.
> >
> > I have scripts to pull the hacker IP out of the log file but I have a
> nonstandard log format. If you can create a file of IPs, this site will
> return the domains:
> >
> > https://www.bulkseotools.com/bulk-ip-to-location.php
> >
> > If you see a domain that is obviously not an ISP, you can find their
> entire IP space using bgp.he.net
> >
> > This sounds more complicated than it is. I have it down to about 20
> minutes a week.
> >
> > You can also block countries in the firewall. Some people block all of
> China. I don't but that does cut down on hackers.
> >
> >
> >
> > Original Message
> >
> >
> > From: themadbeaker at gmail.com
> > Sent: August 24, 2020 11:06 AM
> > To: nginx at nginx.org
> > Reply-to: nginx at nginx.org
> > Subject: Re: Is this an attack or a normal request?
> >
> >
> >> Is this kind of DDOS attack or a legitimate request (which my server
> returns
> >> 400 for them)?
> >
> > That's typically how various unicode characters are hex encoded. If
> > you aren't expecting that kind of input, then yes it is likely an
> > attack (probably trying to exploit an unknown specific piece of
> > software). Welcome to the internet where everything connected is
> > bombarded 24/7 from everything else with random attacks.
> >
> > That's why it's important to keep your server (and wordpress) up to date.
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
>
--
Regards,
Anderson Donda
"Calm seas do not make a good sailor, much less a good captain."
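The weekly triage described in the quoted message (pull the client IPs that produced a 400 or 444) and Donda's fail2ban heuristic (flag requests whose method is not GET or POST) can be done in one pass over an nginx access log. The following Python is an added example, not code from anyone in the thread; the log lines are constructed, and the set of expected methods is an assumption you would tune per site.

```python
import re
from collections import Counter

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Methods real clients are expected to use on this site (assumption; a site that
# serves CORS preflights would add OPTIONS). Anything else, including a raw
# binary blob that nginx logs as \xNN escapes, is treated as scanner noise.
EXPECTED_METHODS = {"GET", "POST", "HEAD"}
NOISE_STATUSES = {"400", "444"}

# Constructed sample lines, not taken from any real server log.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Aug/2020:11:06:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Aug/2020:11:06:02 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "python-requests/2.24"
198.51.100.7 - - [24/Aug/2020:11:06:03 +0000] "GET /xmlrpc.php HTTP/1.1" 444 0 "-" "python-requests/2.24"
192.0.2.55 - - [24/Aug/2020:11:06:04 +0000] "\\x03\\x00\\x00\\x2F\\x2A\\xE0\\x00\\x00" 400 157 "-" "-"
192.0.2.99 - - [24/Aug/2020:11:06:05 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "-"
203.0.113.10 - - [24/Aug/2020:11:06:06 +0000] "POST /contact HTTP/1.1" 200 45 "https://example.test/" "Mozilla/5.0"
""".splitlines()

def classify(line):
    """Return (ip, reason) when a line looks like scanner noise, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line: skip it rather than guess
    ip, request, status = m.group("ip"), m.group("request"), m.group("status")
    method = request.split(" ", 1)[0]
    if status in NOISE_STATUSES:
        return ip, f"status {status}"
    if method not in EXPECTED_METHODS:
        return ip, f"unexpected method {method!r}"
    return None

def suspicious_ips(lines, min_hits=1):
    """Count noise hits per client IP; only IPs with at least min_hits are returned."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            hits[result[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}
```

Raising `min_hits` is the cheap way to keep a single malformed request from a real user out of the block list; the returned IPs are what you would feed to the lookup step before deciding on a firewall rule.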