Anderson dos Santos Donda
August 25, 2020 01:54AM
Thank you very much. Everyone!

I will try to implement all the insithgts given.

With desperate times come desperate measures, and I implemented a fail2ban
that block any IP that doesn't have any GET or POST in the request.

It is not efficient, I know. My firewall list is growing abruptly but, at
least, it buys me some time to improve the all counter-measure that you
guys meantionated.

BR,
Donda

On Mon, Aug 24, 2020 at 9:18 PM Peter Booth <peter_booth@me.com> wrote:

> I agree with the advice already given
>
> It can also be useful to track the User-Agent header of web requests -
> both to understand who is trying to do what to your website,
> and then to start blocking on the basis of user agent.
> There may be some bots and spiders that are helpful or even necessary for
> your business.
>
> Peter
>
>
>
> > On Aug 24, 2020, at 2:54 PM, lists <lists@lazygranch.com> wrote:
> >
> > I can't find it, but someone wrote a script to decode that style of
> hacking. For the hacks I was decoding, they were RDP hack attempts. The
> hackers just "spray" their attacks. Often they are not meaningful to your
> server.
> >
> > I have Nginx maps set up to match requests that are not relevant to my
> server. For instance I don't run WordPress, so anything WordPress related
> gets a 444 response. On a weekly basis I pull all the IP addresses that
> generated a 400 or 444 and run them through a IP lookup website. If they
> come back to a hosting company, VPS, or basically anything not an ISP, I
> block the associated IP space via my firewall. The only reason I can do
> this weekly is I have blocked so much IP space already that I don't get
> many hackers.
> >
> > At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just
> hackers. Also block all of OVH. You can block any of the hosting companies
> since there are no eyeballs there. This blocks many VPNs as well but nobody
> says you have to accept traffic from VPNs.
> >
> > Firewalls are very CPU efficient though they do use a lot of memory. In
> the long run blocking all those hackers improves system efficiency since
> nginx does have to parse all that nonsense.
> >
> > I have scripts to pull the hacker IP out of the log file but a have a
> nonstandard log format. If you can create a file of IPs, this site will
> return the domains:
> >
> > https://www.bulkseotools.com/bulk-ip-to-location.php
> >
> > If you see a domain that is obviously not an ISP, you can find their
> entire IP space using bgp.he.net
> >
> > This sounds more complicate than it is. I have it down to about 20
> minutes a week.
> >
> > You can also block countries in the firewall. Some people block all of
> China. I don't but that does cut down on hackers.
> >
> >
> >
> > Original Message
> >
> >
> > From: themadbeaker@gmail.com
> > Sent: August 24, 2020 11:06 AM
> > To: nginx@nginx.org
> > Reply-to: nginx@nginx.org
> > Subject: Re: Is this an attack or a normal request?
> >
> >
> >> Is this kind of DDOS attack or a legitimate request(which my server
> returns
> >> 400 for them)?
> >
> > That's typically how various unicode characters are hex encoded. If
> > you aren't expecting that kind of input, then yes it is likely an
> > attack (probably trying to exploit an unknown specific piece of
> > software). Welcome to the internet where everything connected is
> > bombarded 24/7 from everything else with random attacks.
> >
> > That's why it's important to keep your server (and wordpress) up to date.
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>


--
Att.
Anderson Donda

*" **Mar calmo não cria bom marinheiro, muito menos bom capitão.**"*
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Is this an attack or a normal request?

Anderson dos Santos Donda August 24, 2020 07:24AM

Re: Is this an attack or a normal request?

J.R. August 24, 2020 02:08PM

Re: Is this an attack or a normal request?

gariac August 24, 2020 02:56PM

Re: Is this an attack or a normal request?

pbooth August 24, 2020 03:20PM

Re: Is this an attack or a normal request?

Anderson dos Santos Donda August 25, 2020 01:54AM

Re: Is this an attack or a normal request?

Jonesy August 24, 2020 09:56PM

Re: Is this an attack or a normal request?

gariac August 24, 2020 10:52PM

Re: Is this an attack or a normal request?

gariac August 25, 2020 02:28AM

Re: Is this an attack or a normal request?

jeffdyke August 25, 2020 10:32PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 193
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready