Direct IP Attacks, ElastickBeanstalk/NGINX

I have a bit of a problem with my site.
The setup is Elastic Beanstalk (NGINX) + Cloudflare.

But each day around 4AM I get a direct-IP attack on my server:
around 300 requests in 1-2 minutes.
A bot tries to access resources like

    GET /phpMyadmi/index.php HTTP/1.1
    GET /shaAdmin/index.php HTTP/1.1
    POST /htfr.php HTTP/1.1

For now all of them go to port 80 or 8080,
and are successfully handled by an Nginx configuration that redirects them to example.com:443:



    # catch-all on 80 and 8080: any Host header (or a bare IP) is redirected to the site
    server {
        listen 80 default_server;
        listen 8080 default_server;
        server_name _;
        return 301 https://example.com$request_uri;
    }

    # the real site on 443
    server {
        listen 443 ssl;
        server_name example.com;
        ssl on;
        ...


So my questions are:

  1. Have many site owners/DevOps faced the same attack? What is your action to prevent such attacks?

  2. For now it is handled very well and does not affect the server's work; should I worry about it? Or just filter out log lines with the /phpmy/ pattern and forget about it?

  3. Before these attacks I had a request with the PROPFIND method; should I block it for security reasons? It is handled by the default server for now.

I know that I can use Cloudflare Argo Tunnel or ELB + WAF. But I don't really want to do that for now.

I have found one solution on Stack Overflow: whitelist all Cloudflare IPs. But I think it is not a good one.

Another solution that I guess should work is to check the Host header and compare it with 'example.com'.

  • Are the requests from the same IP (or small range of IPs) every time?
    – jarmod, Nov 13 '18 at 14:14

  • Yes, typically all requests in an attack are from one IP address. But the IP is different for each attack, and from different locations.
    – Ihor Malanyk, Nov 13 '18 at 14:17

amazon-web-services security nginx devops ddos

edited Nov 13 '18 at 14:01

Ihor Malanyk

asked Nov 13 '18 at 13:51

Ihor Malanyk

1 Answer

To answer your specific questions:

  1. Every public IP receives unwanted traffic like you describe; sadly it's pretty normal. This isn't really an attack as such, it's just a bot looking for signs of specific weaknesses, or otherwise trying to provoke a response that contains useful data. This data is no doubt later used in actual attacks, but it's basically automated reconnaissance on a potentially massive scale.

  2. This kind of script likely isn't trying to do any damage, so as long as your server is well configured & fully patched it's not a big concern. However, these kinds of scans are the first step towards launching an attack - by identifying services & application versions with known vulnerabilities - so it's wise to keep your logs for analysis.

  3. You should follow the principle of least privilege. PROPFIND is related to WebDAV - if you don't use it, disable it (or better, whitelist the verbs you do support and ignore the rest).

If your site is already behind Cloudflare then you really should firewall access to your IP so only Cloudflare's IPs can talk to your server. Those IPs do change, so I would suggest a script to download the latest from https://www.cloudflare.com/ips-v4 and have it periodically update your firewall. There's a slightly vague help article from Cloudflare on the subject here: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-

If for whatever reason you can't firewall the IP, your next best option is something like fail2ban (www.fail2ban.org) - it's a log parser that can manipulate the firewall to temporarily or permanently block an IP address based on patterns found in your log files.

A final thought - I'd advise against redirecting from your IP to your domain name - you're telling the bots/hackers your URL - which they can then use to bypass the CDN and attack your server directly. Unless you have some reason to allow HTTP/HTTPS traffic to your IP address, return a 4XX (maybe 444, "Connection Closed Without Response") instead of redirecting when requests hit your IP. You should then create a separate server block to handle your redirects, but only have it respond to genuine named URLs.

        answered Nov 14 '18 at 20:27

MisterSmith
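The layout the answer's last paragraph and point 3 describe (a catch-all that answers direct-IP or unknown-Host requests with 444 instead of a redirect, a redirect block that only responds to the genuine name, and an explicit verb allowlist so PROPFIND is refused), written out as an added example; it is not the asker's or the answerer's config, and it also covers the asker's Host-header idea, since server_name matching is that check. example.com, the certificate paths and the upstream port 5000 are assumptions.

```nginx
# Added example, not the config of either poster. Assumed values: example.com,
# the certificate paths and the app port 5000.

# 1. Catch-all for anything that reaches the instance by bare IP or with a Host
#    header nginx does not recognise. No redirect, so the real hostname is never
#    revealed to the scanner; 444 closes the connection without a response.
server {
    listen 80 default_server;
    listen 8080 default_server;
    listen 443 ssl default_server;
    server_name _;

    # A TLS default_server still needs a certificate to complete the handshake;
    # a self-signed one is fine because nothing legitimate should land here.
    ssl_certificate     /etc/nginx/ssl/catchall.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/catchall.key;   # assumed path

    # Keep these requests in their own log for later analysis (answer, point 2).
    access_log /var/log/nginx/direct-ip.log;
    return 444;
}

# 2. Redirect to HTTPS only when the client already named the site.
server {
    listen 80;
    listen 8080;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# 3. The real site. "listen 443 ssl" replaces the deprecated "ssl on;".
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed path

    # Verb allowlist (answer, point 3): PROPFIND and other WebDAV methods get 405.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    location / {
        proxy_pass http://127.0.0.1:5000;   # Elastic Beanstalk app port, assumed
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

On Elastic Beanstalk the instance's nginx configuration is regenerated on each deploy, so this belongs in the environment's nginx customization files rather than being edited by hand on the instance.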