August 24, 2020 03:20PM
I agree with the advice already given

It can also be useful to track the User-Agent header of web requests - both to understand who is trying to do what to your website,
and then to start blocking on the basis of user agent.
There may be some bots and spiders that are helpful or even necessary for your business.

Peter



> On Aug 24, 2020, at 2:54 PM, lists <lists@lazygranch.com> wrote:
>
> I can't find it, but someone wrote a script to decode that style of hacking. For the hacks I was decoding, they were RDP hack attempts. The hackers just "spray" their attacks. Often they are not meaningful to your server.
>
> I have Nginx maps set up to match requests that are not relevant to my server. For instance I don't run WordPress, so anything WordPress related gets a 444 response. On a weekly basis I pull all the IP addresses that generated a 400 or 444 and run them through a IP lookup website. If they come back to a hosting company, VPS, or basically anything not an ISP, I block the associated IP space via my firewall. The only reason I can do this weekly is I have blocked so much IP space already that I don't get many hackers.
>
> At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just hackers. Also block all of OVH. You can block any of the hosting companies since there are no eyeballs there. This blocks many VPNs as well but nobody says you have to accept traffic from VPNs.
>
> Firewalls are very CPU efficient though they do use a lot of memory. In the long run blocking all those hackers improves system efficiency since nginx does have to parse all that nonsense.
>
> I have scripts to pull the hacker IP out of the log file but a have a nonstandard log format. If you can create a file of IPs, this site will return the domains:
>
> https://www.bulkseotools.com/bulk-ip-to-location.php
>
> If you see a domain that is obviously not an ISP, you can find their entire IP space using bgp.he.net
>
> This sounds more complicate than it is. I have it down to about 20 minutes a week.
>
> You can also block countries in the firewall. Some people block all of China. I don't but that does cut down on hackers.
>
>
>
> Original Message
>
>
> From: themadbeaker@gmail.com
> Sent: August 24, 2020 11:06 AM
> To: nginx@nginx.org
> Reply-to: nginx@nginx.org
> Subject: Re: Is this an attack or a normal request?
>
>
>> Is this kind of DDOS attack or a legitimate request(which my server returns
>> 400 for them)?
>
> That's typically how various unicode characters are hex encoded. If
> you aren't expecting that kind of input, then yes it is likely an
> attack (probably trying to exploit an unknown specific piece of
> software). Welcome to the internet where everything connected is
> bombarded 24/7 from everything else with random attacks.
>
> That's why it's important to keep your server (and wordpress) up to date.
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Is this an attack or a normal request?

Anderson dos Santos Donda August 24, 2020 07:24AM

Re: Is this an attack or a normal request?

J.R. August 24, 2020 02:08PM

Re: Is this an attack or a normal request?

gariac August 24, 2020 02:56PM

Re: Is this an attack or a normal request?

pbooth August 24, 2020 03:20PM

Re: Is this an attack or a normal request?

Anderson dos Santos Donda August 25, 2020 01:54AM

Re: Is this an attack or a normal request?

Jonesy August 24, 2020 09:56PM

Re: Is this an attack or a normal request?

gariac August 24, 2020 10:52PM

Re: Is this an attack or a normal request?

gariac August 25, 2020 02:28AM

Re: Is this an attack or a normal request?

jeffdyke August 25, 2020 10:32PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 119
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready