Is this an attack or a normal request?

Jeff Dyke jeff.dyke at gmail.com
Wed Aug 26 02:30:38 UTC 2020


I've seen the rest of this thread, and there are many good ideas. fail2ban
is great; I actually use it with wazuh. The best security measure I ever
made with wordpress is changing the name of /admin/login.php and
disabling, or at least access listing, the API. If no one needs API access,
shut it off. With fail2ban and wazuh (perhaps fail2ban handles this on
its own) you can set up volume rules which will create FW rules. Also, I
like to put a snippet into the nginx config for too many requests.

  # $limit_key is assumed to be set elsewhere (e.g. a map on $binary_remote_addr)
  limit_req_zone $limit_key zone=req_limit:10m rate=10r/s;
  limit_req_log_level warn;
  # don't use 503 as we have specific logic for that status
  limit_req_status 420;
  # the zone still has to be applied in a server/location block, e.g.
  #   limit_req zone=req_limit burst=20 nodelay;

As the comment says, we handle 503s and other status codes differently, so
I adopted Twitter's Ease You Calm status code. Change the limits to suit your
environment.

On Mon, Aug 24, 2020 at 7:23 AM Anderson dos Santos Donda <
andersondonda at gmail.com> wrote:

> Hello everyone,
>
> I'm new in the webserver world, and I have a very basic knowledge of
> Nginx, so I want to apologize in advance if I'm asking a stupid question.
>
> I have a very basic webserver hosting a WordPress webpage, and in the past
> 3 days I have been receiving thousands of the requests below:
>
> 5.122.236.249 - - [24/Aug/2020:12:30:41 +0200]
> "\x1E\x80\xEBol\xDF\x86z\x84\xA4A^\xAF;\xA1\x98\x1B\x0E\xB7\x88\xD3h\x8FyW\xE4\x0F=.\x15\xF7f:9\xF7\xC3\xBB\xB1}n\xA5\x88\x8B\xE7\xF4\x5C\x80\x98=\xE2X\xC8\xD4\x1Bv/\xDC3yAI\xEE\xE6\xFA\xB1\xF3\x90]\x9EG\xFD\x9B\xAB\x9B:\xA7q\x82*\xE1:\x1A
> 5.122.236.249 - - [24/Aug/2020:12:30:41 +0200] "P\xCE
> \x9C\xA9\xB6pS\xD6#1\x84\x22\xB0s\xB8\xAA\x09\x06Ex\xDD\x88\x11\xFC\x0E\xDB\x04\x18~*\xE7h\xD2H\xD422\x83,\xB3u\xDF|\xED\x8BP\x9Box\xA4\x042\xFBz\xAAh\xF9\x14^\x96\xDD\x1D\xF6\xDD*\xF4"
> 400 173 "-" "-"
>
> This comes from hundreds of different IPs, and many requests at the same
> time.
>
> Is this a kind of DDoS attack or a legitimate request (my server
> returns 400 for them)?
>
> If it is an attack, does it have a specific name that I can search for to
> try to understand it better and mitigate it?
>
> Thanks so much for the help.
>
> Best Regards,
> Donda
>
>
> --
> Att.
> Anderson Donda
>
> "A calm sea does not make a good sailor, much less a good captain."