Welcome! Log In Create A New Profile

Advanced

Re: Is this an attack or a normal request?

August 25, 2020 10:32PM
I've seen the rest of this thread, and there are many good ideas, fail2ban
is great, i actually use it with wazuh. The best security measure i ever
made with wordpress is changing the name of the /admin/login.php and
disabling or at least access listing the api. If no one needs api access,
shut it off. With fail2ban with wazuh, perhaps fail2band handles this on
its own, you can set up volume rules which will create FW rules. Also, i
like to put in a snippit into nginx config for to many responses.

limit_req_zone $limit_key zone=req_limit:10m rate=10r/s;
limit_req_log_level warn;
# don't use 503 as we have specific logic for that status
limit_req_status 420;

As the comment says we handle 503's and other status codes differently, so
i adopted Twitters Ease You Calm status code. Change the limits to your
environment.

On Mon, Aug 24, 2020 at 7:23 AM Anderson dos Santos Donda <
andersondonda@gmail.com> wrote:

> Hello everyone,
>
> I’m new in the webserver world, and I have a very basic knowledge about
> Nginx, so I want apologize in advance if I'm making a stupid question.
>
> I have a very basic webserver hosting a WordPress webpage and in the past
> 3 days I have receiving thousands of below request:
>
> 5.122.236.249 - - [24/Aug/2020:12:30:41 +0200]
> "\x1E\x80\xEBol\xDF\x86z\x84\xA4A^\xAF;\xA1\x98\x1B\x0E\xB7\x88\xD3h\x8FyW\xE4\x0F=.\x15\xF7f:9\xF7\xC3\xBB\xB1}n\xA5\x88\x8B\xE7\xF4\x5C\x80\x98=\xE2X\xC8\xD4\x1Bv/\xDC3yAI\xEE\xE6\xFA\xB1\xF3\x90]\x9EG\xFD\x9B\xAB\x9B:\xA7q\x82*\xE1:\x1A
> 5.122.236.249 - - [24/Aug/2020:12:30:41 +0200] "P\xCE
> \x9C\xA9\xB6pS\xD6#1\x84\x22\xB0s\xB8\xAA\x09\x06Ex\xDD\x88\x11\xFC\x0E\xDB\x04\x18~*\xE7h\xD2H\xD422\x83,\xB3u\xDF|\xED\x8BP\x9Box\xA4\x042\xFBz\xAAh\xF9\x14^\x96\xDD\x1D\xF6\xDD*\xF4"
> 400 173 "-" "-”
>
> This comes from a hundred of different IPs and in many requests at same
> time.
>
> Is this kind of DDOS attack or a legitimate request(which my server
> returns 400 for them)?
>
> If is an attack, has a specific name that I can search and try to
> understand it better and mitigate it?
>
> Thank so much for the help.
>
> Best Regards,
> Donda
>
>
> --
> Att.
> Anderson Donda
>
> *" **Mar calmo não cria bom marinheiro, muito menos bom capitão..**"*
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Is this an attack or a normal request?

Anderson dos Santos Donda August 24, 2020 07:24AM

Re: Is this an attack or a normal request?

J.R. August 24, 2020 02:08PM

Re: Is this an attack or a normal request?

gariac August 24, 2020 02:56PM

Re: Is this an attack or a normal request?

pbooth August 24, 2020 03:20PM

Re: Is this an attack or a normal request?

Anderson dos Santos Donda August 25, 2020 01:54AM

Re: Is this an attack or a normal request?

Jonesy August 24, 2020 09:56PM

Re: Is this an attack or a normal request?

gariac August 24, 2020 10:52PM

Re: Is this an attack or a normal request?

gariac August 25, 2020 02:28AM

Re: Is this an attack or a normal request?

jeffdyke August 25, 2020 10:32PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 65
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready