Re: Is this an attack or a normal request?

August 25, 2020 10:32PM
I've seen the rest of this thread, and there are many good ideas. fail2ban
is great; I actually use it with wazuh. The best security measure I ever
made with WordPress is changing the name of the /admin/login.php and
disabling or at least access-listing the API. If no one needs API access,
shut it off. With fail2ban with wazuh (perhaps fail2ban handles this on
its own), you can set up volume rules which will create FW rules. Also, I
like to put a snippet into the nginx config for too many responses.

limit_req_zone $limit_key zone=req_limit:10m rate=10r/s;
limit_req_log_level warn;
# don't use 503 as we have specific logic for that status
limit_req_status 420;

As the comment says, we handle 503s and other status codes differently, so
I adopted Twitter's Ease You Calm status code. Change the limits to suit
your environment.

On Mon, Aug 24, 2020 at 7:23 AM Anderson dos Santos Donda <
andersondonda@gmail.com> wrote:

> Hello everyone,
>
> I'm new to the web server world, and I have a very basic knowledge of
> Nginx, so I want to apologize in advance if I'm asking a stupid question.
>
> I have a very basic web server hosting a WordPress webpage and in the past
> 3 days I have been receiving thousands of the requests below:
>
> 5.122.236.249 - - [24/Aug/2020:12:30:41 +0200]
> "\x1E\x80\xEBol\xDF\x86z\x84\xA4A^\xAF;\xA1\x98\x1B\x0E\xB7\x88\xD3h\x8FyW\xE4\x0F=.\x15\xF7f:9\xF7\xC3\xBB\xB1}n\xA5\x88\x8B\xE7\xF4\x5C\x80\x98=\xE2X\xC8\xD4\x1Bv/\xDC3yAI\xEE\xE6\xFA\xB1\xF3\x90]\x9EG\xFD\x9B\xAB\x9B:\xA7q\x82*\xE1:\x1A
> 5.122.236.249 - - [24/Aug/2020:12:30:41 +0200] "P\xCE
> \x9C\xA9\xB6pS\xD6#1\x84\x22\xB0s\xB8\xAA\x09\x06Ex\xDD\x88\x11\xFC\x0E\xDB\x04\x18~*\xE7h\xD2H\xD422\x83,\xB3u\xDF|\xED\x8BP\x9Box\xA4\x042\xFBz\xAAh\xF9\x14^\x96\xDD\x1D\xF6\xDD*\xF4"
> 400 173 "-" "-"
>
> These come from a hundred different IPs, with many requests at the same
> time.
>
> Is this a kind of DDoS attack or a legitimate request (for which my server
> returns 400)?
>
> If it is an attack, does it have a specific name that I can search for to
> understand it better and mitigate it?
>
> Thanks so much for the help.
>
> Best Regards,
> Donda
>
>
> --
> Regards,
> Anderson Donda
>
> *"A calm sea does not make a good sailor, much less a good captain."*
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
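
The snippet in the reply above defines a zone but shows neither where $limit_key comes from nor where the limit is applied. The following is an added example, not the poster's configuration: it assumes $limit_key is built with geo/map, and the addresses, server name, paths, burst sizes and the second login_limit zone are placeholders.

```nginx
# Added example. Everything down to "server {" belongs in the http {} context.

# Mark trusted clients as exempt (constructed addresses).
geo $limit_exempt {
    default        0;
    127.0.0.1      1;
    192.0.2.0/24   1;   # documentation range standing in for an admin network
}

# Exempt clients get an empty key; nginx does not account requests whose
# key is empty. Everyone else is keyed by client address.
map $limit_exempt $limit_key {
    0 $binary_remote_addr;
    1 "";
}

limit_req_zone $limit_key zone=req_limit:10m rate=10r/s;
# Assumed stricter zone for the login page.
limit_req_zone $limit_key zone=login_limit:10m rate=1r/s;
limit_req_log_level warn;
# don't use 503 as we have specific logic for that status
limit_req_status 420;

server {
    listen 80;
    server_name example.test;        # placeholder
    root /var/www/wordpress;         # placeholder
    index index.php;

    # Site-wide: short bursts pass, the excess is rejected with 420.
    limit_req zone=req_limit burst=20 nodelay;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # A location with its own limit_req does not inherit the server-level
    # one, so both zones are listed here.
    location = /wp-login.php {
        limit_req zone=req_limit burst=20 nodelay;
        limit_req zone=login_limit burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

limit_req only counts requests nginx has parsed; the malformed request lines in the quoted log are answered with 400 while the request line is being read, before the limit is evaluated. Check the result with nginx -t before reloading.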