Direct IP Attacks, ElastickBeanstalk/NGINX












0















I have a bit problem with my site.
So setup is ElasticBeanstalk(NGINX) + Cloudflare



But each day around 4AM I have direct IP attack to my server.
Around 300 requests in 1-2 minutes.
Bot try to access some resources like 



GET /phpMyadmi/index.php HTTP/1.1

GET /shaAdmin/index.php HTTP/1.1

POST /htfr.php HTTP/1.1


For now all of them going to 80 or 8080 ports.
And successfully handled by Nginx configuration that redirect it to example:443



server {

        listen 80 default_server;

        listen 8080 default_server;

        server_name _;

        return 301 https://example.com$request_uri;

      }



      server {

        listen 443 ssl;

        server_name example.com;

        ssl on;    

...


So questions are,




  1. have many site owners/devOps face the same attack. What is your action to prevent such attacks.

  2. For now it is handled very well and did not affect on server work, should I worry about it? Or just filter out logs with /phpmy/ pattern and forgot about it.

  3. Before this attacks I have request with method PROPFIND, should I blocked it for security reasons? It is handled by default server for now.


I know that I can use Cloudflare Argotunel or ELB + WAF. But I am not really want to do it for now.



I have found one solution on stackoverflow. Is whitelist of all cloudflare ips. But i think it is not a good one.



Also another solution that should work I guess it is to check Host header, and compare it with 'example.com'.






amazon-web-services security nginx devops ddos







share|improve this question




















  • 1





    Are the requests from the same IP (or small range of IPs) every time?

    – jarmod
    Nov 13 '18 at 14:14











  • Yes, typically all requests in attack from one IP address. But IP is different each attack, and from different locations.

    – Ihor Malanyk
    Nov 13 '18 at 14:17
















0















I have a bit problem with my site.
So setup is ElasticBeanstalk(NGINX) + Cloudflare



But each day around 4AM I have direct IP attack to my server.
Around 300 requests in 1-2 minutes.
Bot try to access some resources like 



GET /phpMyadmi/index.php HTTP/1.1

GET /shaAdmin/index.php HTTP/1.1

POST /htfr.php HTTP/1.1


For now all of them going to 80 or 8080 ports.
And successfully handled by Nginx configuration that redirect it to example:443



server {

        listen 80 default_server;

        listen 8080 default_server;

        server_name _;

        return 301 https://example.com$request_uri;

      }



      server {

        listen 443 ssl;

        server_name example.com;

        ssl on;    

...


So questions are,




  1. have many site owners/devOps face the same attack. What is your action to prevent such attacks.

  2. For now it is handled very well and did not affect on server work, should I worry about it? Or just filter out logs with /phpmy/ pattern and forgot about it.

  3. Before this attacks I have request with method PROPFIND, should I blocked it for security reasons? It is handled by default server for now.


I know that I can use Cloudflare Argotunel or ELB + WAF. But I am not really want to do it for now.



I have found one solution on stackoverflow. Is whitelist of all cloudflare ips. But i think it is not a good one.



Also another solution that should work I guess it is to check Host header, and compare it with 'example.com'.






amazon-web-services security nginx devops ddos







share|improve this question




















  • 1





    Are the requests from the same IP (or small range of IPs) every time?

    – jarmod
    Nov 13 '18 at 14:14











  • Yes, typically all requests in attack from one IP address. But IP is different each attack, and from different locations.

    – Ihor Malanyk
    Nov 13 '18 at 14:17














0












0








0


1






I have a bit problem with my site.
So setup is ElasticBeanstalk(NGINX) + Cloudflare



But each day around 4AM I have direct IP attack to my server.
Around 300 requests in 1-2 minutes.
Bot try to access some resources like 



GET /phpMyadmi/index.php HTTP/1.1

GET /shaAdmin/index.php HTTP/1.1

POST /htfr.php HTTP/1.1


For now all of them going to 80 or 8080 ports.
And successfully handled by Nginx configuration that redirect it to example:443



server {

        listen 80 default_server;

        listen 8080 default_server;

        server_name _;

        return 301 https://example.com$request_uri;

      }



      server {

        listen 443 ssl;

        server_name example.com;

        ssl on;    

...


So questions are,




  1. have many site owners/devOps face the same attack. What is your action to prevent such attacks.

  2. For now it is handled very well and did not affect on server work, should I worry about it? Or just filter out logs with /phpmy/ pattern and forgot about it.

  3. Before this attacks I have request with method PROPFIND, should I blocked it for security reasons? It is handled by default server for now.


I know that I can use Cloudflare Argotunel or ELB + WAF. But I am not really want to do it for now.



I have found one solution on stackoverflow. Is whitelist of all cloudflare ips. But i think it is not a good one.



Also another solution that should work I guess it is to check Host header, and compare it with 'example.com'.






amazon-web-services security nginx devops ddos







share|improve this question
















I have a bit problem with my site.
So setup is ElasticBeanstalk(NGINX) + Cloudflare



But each day around 4AM I have direct IP attack to my server.
Around 300 requests in 1-2 minutes.
Bot try to access some resources like 



GET /phpMyadmi/index.php HTTP/1.1

GET /shaAdmin/index.php HTTP/1.1

POST /htfr.php HTTP/1.1


For now all of them going to 80 or 8080 ports.
And successfully handled by Nginx configuration that redirect it to example:443



server {

        listen 80 default_server;

        listen 8080 default_server;

        server_name _;

        return 301 https://example.com$request_uri;

      }



      server {

        listen 443 ssl;

        server_name example.com;

        ssl on;    

...


So questions are,




  1. have many site owners/devOps face the same attack. What is your action to prevent such attacks.

  2. For now it is handled very well and did not affect on server work, should I worry about it? Or just filter out logs with /phpmy/ pattern and forgot about it.

  3. Before this attacks I have request with method PROPFIND, should I blocked it for security reasons? It is handled by default server for now.


I know that I can use Cloudflare Argotunel or ELB + WAF. But I am not really want to do it for now.



I have found one solution on stackoverflow. Is whitelist of all cloudflare ips. But i think it is not a good one.



Also another solution that should work I guess it is to check Host header, and compare it with 'example.com'.






amazon-web-services security nginx devops ddos




amazon-web-services security nginx devops ddos






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 13 '18 at 14:01







Ihor Malanyk

















asked Nov 13 '18 at 13:51









Ihor MalanykIhor Malanyk

264




264








  • 1





    Are the requests from the same IP (or small range of IPs) every time?

    – jarmod
    Nov 13 '18 at 14:14











  • Yes, typically all requests in attack from one IP address. But IP is different each attack, and from different locations.

    – Ihor Malanyk
    Nov 13 '18 at 14:17














  • 1





    Are the requests from the same IP (or small range of IPs) every time?

    – jarmod
    Nov 13 '18 at 14:14











  • Yes, typically all requests in attack from one IP address. But IP is different each attack, and from different locations.

    – Ihor Malanyk
    Nov 13 '18 at 14:17








1




1





Are the requests from the same IP (or small range of IPs) every time?

– jarmod
Nov 13 '18 at 14:14





Are the requests from the same IP (or small range of IPs) every time?

– jarmod
Nov 13 '18 at 14:14













Yes, typically all requests in attack from one IP address. But IP is different each attack, and from different locations.

– Ihor Malanyk
Nov 13 '18 at 14:17





Yes, typically all requests in attack from one IP address. But IP is different each attack, and from different locations.

– Ihor Malanyk
Nov 13 '18 at 14:17












1 Answer
1






active

oldest

votes


















3














To answer your specific questions:




  1. Every public IP receives unwanted traffic like you describe, sadly its pretty normal. This isnt really an attack as such, its just a bot looking for signs of specific weaknesses, or otherwise trying to provoke a response that contains useful data. This data is no doubt later used in actual attacks, but its basically automated recognisance on a potentially massive scale.


  2. This kind of script likely isnt trying to do any damage, so as long your server is well configured & fully patched its not a big concern. However these kinds of scans are first step towards launching an attack - by identifying services & application versions with known vulnerabilities - so its wise to keep your logs for analysis.


  3. You should follow the principle of least privilege. PROPFIND is related to WebDAV - if you dont use it, disable it (or better white list the verbs you do support and ignore the rest).



If your site is already behind CloudFlare then you really should firewall access to your IP so only Cloudflares IPs can talk to your server. Those IPs do change, so I would suggest a script to download the latest from https://www.cloudflare.com/ips-v4 and have it periodically update your firewall. Theres a slightly vuage help article from CloudFlare on the subject here: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-



If for whatever reason you cant firewall the IP, your next best option is something like fail2ban (www.fail2ban.org) - its a log parser that can manipulate the firewall to temporarily or permanently block an IP address based on patterns found in your log files.



A final thought - id advise against redirecting from your IP to your domain name - your telling the bot/hackers your URL - which they can then use to bypass the CDN and attack your server directly. Unless you have some reason to allow HTTP/HTTPS traffic to your IP address, return a 4XX (maybe 444 a " Connection Closed Without Response") instead of redirecting when requests hit your IP. You should then create a separate server block to handle your redirects, but only have it respond to genuine named URLs.






share|improve this answer























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53282530%2fdirect-ip-attacks-elastickbeanstalk-nginx%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    3














    To answer your specific questions:




    1. Every public IP receives unwanted traffic like you describe, sadly its pretty normal. This isnt really an attack as such, its just a bot looking for signs of specific weaknesses, or otherwise trying to provoke a response that contains useful data. This data is no doubt later used in actual attacks, but its basically automated recognisance on a potentially massive scale.


    2. This kind of script likely isnt trying to do any damage, so as long your server is well configured & fully patched its not a big concern. However these kinds of scans are first step towards launching an attack - by identifying services & application versions with known vulnerabilities - so its wise to keep your logs for analysis.


    3. You should follow the principle of least privilege. PROPFIND is related to WebDAV - if you dont use it, disable it (or better white list the verbs you do support and ignore the rest).



    If your site is already behind CloudFlare then you really should firewall access to your IP so only Cloudflares IPs can talk to your server. Those IPs do change, so I would suggest a script to download the latest from https://www.cloudflare.com/ips-v4 and have it periodically update your firewall. Theres a slightly vuage help article from CloudFlare on the subject here: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-



    If for whatever reason you cant firewall the IP, your next best option is something like fail2ban (www.fail2ban.org) - its a log parser that can manipulate the firewall to temporarily or permanently block an IP address based on patterns found in your log files.



    A final thought - id advise against redirecting from your IP to your domain name - your telling the bot/hackers your URL - which they can then use to bypass the CDN and attack your server directly. Unless you have some reason to allow HTTP/HTTPS traffic to your IP address, return a 4XX (maybe 444 a " Connection Closed Without Response") instead of redirecting when requests hit your IP. You should then create a separate server block to handle your redirects, but only have it respond to genuine named URLs.






    share|improve this answer




























      3














      To answer your specific questions:




      1. Every public IP receives unwanted traffic like you describe, sadly its pretty normal. This isnt really an attack as such, its just a bot looking for signs of specific weaknesses, or otherwise trying to provoke a response that contains useful data. This data is no doubt later used in actual attacks, but its basically automated recognisance on a potentially massive scale.


      2. This kind of script likely isnt trying to do any damage, so as long your server is well configured & fully patched its not a big concern. However these kinds of scans are first step towards launching an attack - by identifying services & application versions with known vulnerabilities - so its wise to keep your logs for analysis.


      3. You should follow the principle of least privilege. PROPFIND is related to WebDAV - if you dont use it, disable it (or better white list the verbs you do support and ignore the rest).



      If your site is already behind CloudFlare then you really should firewall access to your IP so only Cloudflares IPs can talk to your server. Those IPs do change, so I would suggest a script to download the latest from https://www.cloudflare.com/ips-v4 and have it periodically update your firewall. Theres a slightly vuage help article from CloudFlare on the subject here: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-



      If for whatever reason you cant firewall the IP, your next best option is something like fail2ban (www.fail2ban.org) - its a log parser that can manipulate the firewall to temporarily or permanently block an IP address based on patterns found in your log files.



      A final thought - id advise against redirecting from your IP to your domain name - your telling the bot/hackers your URL - which they can then use to bypass the CDN and attack your server directly. Unless you have some reason to allow HTTP/HTTPS traffic to your IP address, return a 4XX (maybe 444 a " Connection Closed Without Response") instead of redirecting when requests hit your IP. You should then create a separate server block to handle your redirects, but only have it respond to genuine named URLs.






      share|improve this answer


























        3












        3








        3







        To answer your specific questions:




        1. Every public IP receives unwanted traffic like you describe, sadly its pretty normal. This isnt really an attack as such, its just a bot looking for signs of specific weaknesses, or otherwise trying to provoke a response that contains useful data. This data is no doubt later used in actual attacks, but its basically automated recognisance on a potentially massive scale.


        2. This kind of script likely isnt trying to do any damage, so as long your server is well configured & fully patched its not a big concern. However these kinds of scans are first step towards launching an attack - by identifying services & application versions with known vulnerabilities - so its wise to keep your logs for analysis.


        3. You should follow the principle of least privilege. PROPFIND is related to WebDAV - if you dont use it, disable it (or better white list the verbs you do support and ignore the rest).



        If your site is already behind CloudFlare then you really should firewall access to your IP so only Cloudflares IPs can talk to your server. Those IPs do change, so I would suggest a script to download the latest from https://www.cloudflare.com/ips-v4 and have it periodically update your firewall. Theres a slightly vuage help article from CloudFlare on the subject here: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-



        If for whatever reason you cant firewall the IP, your next best option is something like fail2ban (www.fail2ban.org) - its a log parser that can manipulate the firewall to temporarily or permanently block an IP address based on patterns found in your log files.



        A final thought - id advise against redirecting from your IP to your domain name - your telling the bot/hackers your URL - which they can then use to bypass the CDN and attack your server directly. Unless you have some reason to allow HTTP/HTTPS traffic to your IP address, return a 4XX (maybe 444 a " Connection Closed Without Response") instead of redirecting when requests hit your IP. You should then create a separate server block to handle your redirects, but only have it respond to genuine named URLs.






        share|improve this answer













        To answer your specific questions:




        1. Every public IP receives unwanted traffic like you describe, sadly its pretty normal. This isnt really an attack as such, its just a bot looking for signs of specific weaknesses, or otherwise trying to provoke a response that contains useful data. This data is no doubt later used in actual attacks, but its basically automated recognisance on a potentially massive scale.


        2. This kind of script likely isnt trying to do any damage, so as long your server is well configured & fully patched its not a big concern. However these kinds of scans are first step towards launching an attack - by identifying services & application versions with known vulnerabilities - so its wise to keep your logs for analysis.


        3. You should follow the principle of least privilege. PROPFIND is related to WebDAV - if you dont use it, disable it (or better white list the verbs you do support and ignore the rest).



        If your site is already behind CloudFlare then you really should firewall access to your IP so only Cloudflares IPs can talk to your server. Those IPs do change, so I would suggest a script to download the latest from https://www.cloudflare.com/ips-v4 and have it periodically update your firewall. Theres a slightly vuage help article from CloudFlare on the subject here: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-



        If for whatever reason you cant firewall the IP, your next best option is something like fail2ban (www.fail2ban.org) - its a log parser that can manipulate the firewall to temporarily or permanently block an IP address based on patterns found in your log files.



        A final thought - id advise against redirecting from your IP to your domain name - your telling the bot/hackers your URL - which they can then use to bypass the CDN and attack your server directly. Unless you have some reason to allow HTTP/HTTPS traffic to your IP address, return a 4XX (maybe 444 a " Connection Closed Without Response") instead of redirecting when requests hit your IP. You should then create a separate server block to handle your redirects, but only have it respond to genuine named URLs.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 14 '18 at 20:27









        MisterSmithMisterSmith

        948611




        948611






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53282530%2fdirect-ip-attacks-elastickbeanstalk-nginx%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Full-time equivalent

            Image
            Full-time equivalent From Wikipedia, the free encyclopedia Jump to navigation Jump to search Full-time equivalent ( FTE ) or whole time equivalent ( WTE ) is a unit that indicates the workload of an employed person (or student) in a way that makes workloads or class loads comparable [1] across various contexts. FTE is often used to measure a worker's or student's involvement in a project, or to track cost reductions in an organization. An FTE of 1.0 is equivalent to a full-time worker or student, while an FTE of 0.5 signals half of a full work or school load. [2] Contents 1 U.S. Federal Government 2 In education 2.1 Example 3 Notes 4 References U.S. Federal Government [ edit ] In the U.S. Federal Government, FTE is defined by the Government Accountability Office (GAO) as the number of total hours worked divided by the maximum number of compensable hours in a full-time schedule as
            Read more

            Bicuculline

            Image
            Bicuculline From Wikipedia, the free encyclopedia Jump to navigation Jump to search Bicuculline Clinical data ATC code none Identifiers IUPAC name (6 R )-​6-​[(5 S )-​6-​methyl-​5,​6,​7,​8-​tetrahydro​[1,3]dioxolo​[4,5- g ]​isoquinolin-​5-​yl]​furo[3,4- e ]​[1,3]​benzodioxol-​8(6 H )-​one CAS Number 485-49-4   Y PubChem CID 10237 IUPHAR/BPS 2312 ChemSpider 9820   Y UNII Y37615DVKC ChEBI CHEBI:3092   N ChEMBL ChEMBL417990   N ECHA InfoCard 100.006.927 Chemical and physical data Formula C 20 H 17 N O 6 Molar mass 367.352 g/mol 3D model (JSmol) Interactive image Melting point 215 °C (419 °F) SMILES O=C1O[C@H](c3c1c2OCOc2cc3)[C@@H]5c4cc6OCOc6cc4CCN5C InChI InChI=1S/C20H17NO6/c1-21-5-4-10-6-14-15(25-8-24-14)7-12(10)17(21)18-11-2-3-13-19(26-9-23-13)16(11)20(22)27-18/h2-3,6-7,17-18H,4-5,8-9H2,1H3/t17-,18+/m0/s1   Y Key:IYGYMKDQCDOMRE-ZWKOTPCHSA-N
            Read more

            What is this shape that looks like a rectangle with rounded ends called?

            Image
            18 2 This cannot be a rounded rectangle because those are not fully or "perfectly" rounded at the two ends. This is more like an elongated circle? A flat cylinder? I searched a lot, but among all guides or pictures that identify and name different shapes, I couldn't get this particular shape. The closest I could get was a stretched ellipse. There are only two processes to get this shape as far as I know: the first one is making a long rectangle and making its corner radius exactly half of the height. The second one is putting two circles a distance apart and adding a rectangle between those. So, are these something like "perfect rounded rectangles" or "rectangular circles"? shapes terminology
            Read more