Thank you very much. Everyone! I will try to implement all the insithgts given.
With desperate times come desperate measures, and I implemented a fail2ban that block any IP that doesn't have any GET or POST in the request. It is not efficient, I know. My firewall list is growing abruptly but, at least, it buys me some time to improve the all counter-measure that you guys meantionated. BR, Donda On Mon, Aug 24, 2020 at 9:18 PM Peter Booth <[email protected]> wrote: > I agree with the advice already given > > It can also be useful to track the User-Agent header of web requests - > both to understand who is trying to do what to your website, > and then to start blocking on the basis of user agent. > There may be some bots and spiders that are helpful or even necessary for > your business. > > Peter > > > > > On Aug 24, 2020, at 2:54 PM, lists <[email protected]> wrote: > > > > I can't find it, but someone wrote a script to decode that style of > hacking. For the hacks I was decoding, they were RDP hack attempts. The > hackers just "spray" their attacks. Often they are not meaningful to your > server. > > > > I have Nginx maps set up to match requests that are not relevant to my > server. For instance I don't run WordPress, so anything WordPress related > gets a 444 response. On a weekly basis I pull all the IP addresses that > generated a 400 or 444 and run them through a IP lookup website. If they > come back to a hosting company, VPS, or basically anything not an ISP, I > block the associated IP space via my firewall. The only reason I can do > this weekly is I have blocked so much IP space already that I don't get > many hackers. > > > > At a minimum I suggest blocking all Amazon AWS. No eyeballs there, just > hackers. Also block all of OVH. You can block any of the hosting companies > since there are no eyeballs there. This blocks many VPNs as well but nobody > says you have to accept traffic from VPNs. > > > > Firewalls are very CPU efficient though they do use a lot of memory. In > the long run blocking all those hackers improves system efficiency since > nginx does have to parse all that nonsense. > > > > I have scripts to pull the hacker IP out of the log file but a have a > nonstandard log format. If you can create a file of IPs, this site will > return the domains: > > > > https://www.bulkseotools.com/bulk-ip-to-location.php > > > > If you see a domain that is obviously not an ISP, you can find their > entire IP space using bgp.he.net > > > > This sounds more complicate than it is. I have it down to about 20 > minutes a week. > > > > You can also block countries in the firewall. Some people block all of > China. I don't but that does cut down on hackers. > > > > > > > > Original Message > > > > > > From: [email protected] > > Sent: August 24, 2020 11:06 AM > > To: [email protected] > > Reply-to: [email protected] > > Subject: Re: Is this an attack or a normal request? > > > > > >> Is this kind of DDOS attack or a legitimate request(which my server > returns > >> 400 for them)? > > > > That's typically how various unicode characters are hex encoded. If > > you aren't expecting that kind of input, then yes it is likely an > > attack (probably trying to exploit an unknown specific piece of > > software). Welcome to the internet where everything connected is > > bombarded 24/7 from everything else with random attacks. > > > > That's why it's important to keep your server (and wordpress) up to date. > > _______________________________________________ > > nginx mailing list > > [email protected] > > http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > > nginx mailing list > > [email protected] > > http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > nginx mailing list > [email protected] > http://mailman.nginx.org/mailman/listinfo/nginx > -- Att. Anderson Donda *" **Mar calmo não cria bom marinheiro, muito menos bom capitão.**"*
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
