Question posted in
Some documentation to get you started can be found here.

Denial of Service – how to prevent this – Apache

I keep getting spam attempts from a single IP address at a time (though this single IP address changes daily) trying to lucky-guess executable files on my web server. They all trace back to the same place – Tencent Cloud Computing in China. These spam attempts keep crashing the server, rendering the website inaccessible. How can I stop this?

I have tried contacting the network abuse email and calling my ISP to see if there’s anything they could do, but to no avail.

Example Apache log shown below.

[Thu Sep 20 22:47:34.169296 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/help.php' not found or unable to stat
[Thu Sep 20 22:47:34.418703 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/java.php' not found or unable to stat
[Thu Sep 20 22:47:34.682234 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/_query.php' not found or unable to stat
[Thu Sep 20 22:47:34.910484 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/test.php' not found or unable to stat
[Thu Sep 20 22:47:35.138673 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/db_cts.php' not found or unable to stat
[Thu Sep 20 22:47:35.369907 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/db_pma.php' not found or unable to stat
[Thu Sep 20 22:47:36.382860 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/logon.php' not found or unable to stat
[Thu Sep 20 22:47:37.920666 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/help-e.php' not found or unable to stat
[Thu Sep 20 22:47:38.149610 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/license.php' not found or unable to stat
[Thu Sep 20 22:47:38.382743 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/log.php' not found or unable to stat
[Thu Sep 20 22:47:38.616254 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/hell.php' not found or unable to stat
[Thu Sep 20 22:47:38.880654 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/pmd_online.php' not found or unable to stat
[Thu Sep 20 22:47:39.111538 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/x.php' not found or unable to stat
[Thu Sep 20 22:47:39.344646 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/shell.php' not found or unable to stat
[Thu Sep 20 22:47:40.321053 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/desktop.ini.php' not found or unable to stat
[Thu Sep 20 22:47:41.916380 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/z.php' not found or unable to stat
[Thu Sep 20 22:47:42.167929 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lala.php' not found or unable to stat
[Thu Sep 20 22:47:42.429254 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lala-dpr.php' not found or unable to stat
[Thu Sep 20 22:47:42.691206 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wpo.php' not found or unable to stat
[Thu Sep 20 22:47:42.944551 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/text.php' not found or unable to stat
[Thu Sep 20 22:47:43.199610 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wp-config.php' not found or unable to stat
[Thu Sep 20 22:47:43.455259 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik.php' not found or unable to stat
[Thu Sep 20 22:47:44.529700 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik2.php' not found or unable to stat
[Thu Sep 20 22:47:45.925214 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstiks.php' not found or unable to stat
[Thu Sep 20 22:47:46.165955 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/muhstik-dpr.php' not found or unable to stat
[Thu Sep 20 22:47:46.424593 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/lol.php' not found or unable to stat
[Thu Sep 20 22:47:46.683114 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/uploader.php' not found or unable to stat
[Thu Sep 20 22:47:46.941768 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmd.php' not found or unable to stat
[Thu Sep 20 22:47:47.199412 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmx.php' not found or unable to stat
[Thu Sep 20 22:47:47.436995 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmv.php' not found or unable to stat
[Thu Sep 20 22:47:48.608073 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmdd.php' not found or unable to stat
[Thu Sep 20 22:47:49.941993 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/knal.php' not found or unable to stat
[Thu Sep 20 22:47:50.202085 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/cmd.php' not found or unable to stat
[Thu Sep 20 22:47:50.465856 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/shell.php' not found or unable to stat
[Thu Sep 20 22:47:50.719343 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/appserv.php' not found or unable to stat
[Thu Sep 20 22:47:53.919666 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wuwu11.php' not found or unable to stat
[Thu Sep 20 22:47:54.135087 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xw.php' not found or unable to stat
[Thu Sep 20 22:47:54.365319 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xw1.php' not found or unable to stat
[Thu Sep 20 22:47:54.600458 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/9678.php' not found or unable to stat
[Thu Sep 20 22:47:54.844971 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/wc.php' not found or unable to stat
[Thu Sep 20 22:47:55.109660 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/xx.php' not found or unable to stat
[Thu Sep 20 22:47:55.364916 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/s.php' not found or unable to stat
[Thu Sep 20 22:47:55.581704 2018] [:error] [pid 27541] [client 192.144.156.249:29474] script '/var/www/html/w.php' not found or unable to stat

update: additional logs

[Tue Sep 25 07:59:21.537385 2018] [core:notice] [pid 28393] AH00094: Command line: '/usr/sbin/apache2' 
[Tue Sep 25 08:32:08.233864 2018] [autoindex:error] [pid 29290] [client 192.141.161.31:41020] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 08:51:23.208687 2018] [autoindex:error] [pid 29759] [client 81.199.17.114:33476] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive   
[Tue Sep 25 09:07:45.829806 2018] [autoindex:error] [pid 30004] [client 157.119.212.30:38609] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 09:33:49.984459 2018] [autoindex:error] [pid 30699] [client 187.10.199.101:35686] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive  
[Tue Sep 25 11:24:46.399677 2018] [autoindex:error] [pid 794] [client 31.7.122.119:57011] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive      
[Tue Sep 25 11:53:06.380975 2018] [autoindex:error] [pid 1362] [client 84.22.54.93:37588] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive      
[Tue Sep 25 12:22:27.732958 2018] [mpm_prefork:notice] [pid 28393] AH00169: caught SIGTERM, shutting down                                                                                                     
[Tue Sep 25 12:22:51.582214 2018] [:notice] [pid 2041] FastCGI: process manager initialized (pid 2041) 
[Tue Sep 25 12:22:51.892511 2018] [mpm_prefork:notice] [pid 2040] AH00163: Apache/2.4.10 (Raspbian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mpm-itk/2.4.7-02 PHP/5.6.36-0+deb8u1 OpenSSL/1.0.1t configured -- resuming normal operations                                                                             
[Tue Sep 25 12:22:51.892924 2018] [core:notice] [pid 2040] AH00094: Command line: '/usr/sbin/apache2'  
[Tue Sep 25 12:23:01.247551 2018] [core:error] [pid 2040] AH00046: child process 2046 still did not exit, sending a SIGKILL                                                                                   
[Tue Sep 25 12:23:01.247755 2018] [core:error] [pid 2040] AH00046: child process 2047 still did not exit, sending a SIGKILL                                                                                   
[Tue Sep 25 12:23:02.249062 2018] [mpm_prefork:notice] [pid 2040] AH00169: caught SIGTERM, shutting down
Tags:

4

Answers


  1. 0

    in China.

    You can’t stop it.

    You could add a firewall rule to drop traffic from that IP; however it’s useless because it will just appear from another IP and eventually you’ll have thousands of drop rules, which will impact performance.

    Limiting requests from a single IP will reduce server load, however it won’t stop the scans. If you do want to go down the “blocking” road, fail2ban works nicely.

    Mostly, your code just needs to be able to handle this.

    If your web app is internal or has a limited audience, you can drop all traffic except authorized addresses.

    Login or Signup to reply.
  2. 0

    this is not “denial of service”, but quite common scans for possible exploits. that the IP is in China, does not matter the least – while not having to serve to that territory, one can refuse to serve them.

    you could a .htaccess file (or vhost configuration); this would at least make the server not respond:

    deny from 192.144.156.249

    one can deny requests from whole sub-nets …which may help to get rid of them, altogether:

    deny from 192.144.

    adding similar firewall rule, would not even let these requests reach the server.

    telling IP traffic apart is barely within the responsibility of application code.

    Login or Signup to reply.
  3. 0

    I have a Node based HTTP server running on a Raspberry Pi3B+ — I know this probe well. Every IP probe uses only IP addresses and so if you look at the HTTP header ‘host’ — it will be your domain’s IP address or worse yet literally localhost.

    This particular probe I captured tonight starts with an attack vector on WebDAV by attempting to overflow a buffer. WebDAV uses a unique HTTP header — PROPFIND. The entire capture doesn’t fit in one image, but the next part uses localhost and further probes WebDAV.

    Probe begins by trying WebDAV exploit.
    The probe then begins checking for PHP scripts, which is what you showed in your Apache log.

    Legitimate traffic does not do that — it uses the domain’s host name and legitimate bots have their name in the user-agent header, so a little HTTP header analysis goes a long way.
    😉

    normal bingbot request headers

    Also — the crash you are experiencing happens on the final bit of the scan, which is NOT a GET — it is a POST. (CGI = Common Gateway Interface — POST).
    Notice that the flurry of GETs is at 24 second intervals…interesting — this scanner is probably probing literally thousands of IPs concurrently — it will likely do you no good to complain about abuse, considering the source of the probe.
    The best advice would be to ignore it entirely. In Node, I can destroy the connection and even blacklist the IP, but — I run a lot of my own analytic code to support that and so I have no idea what Apache offers in that respect.

    This is the tail end of the attack you have described as captured by my server tonight.

    Login or Signup to reply.
  4. 0

    I have created a script that runs every 1 minute, and detect all kind of failes in both error.log and access.log
    It also check asterisk message le for “Failed to”
    When find an IP with over 20 ailed attempt it adds it to ufw.
    So far – It works like a charm.

    Here is the script:

    #!/bin/bash
clear
#ban IPs:
bip() {
echo "" > tmpIPs
ufw status | grep DENY | awk '$1 !="Anywhere" {print $1}' | sort > tmpinc
exst=$(ufw status | grep "Anywhere                   DENY" | awk '{print $3}' | sort | uniq)
cat $cTarget | while read line
do
 add=$(cat tmpinc | grep $line)
 if [ "$add" != "$line" ]
  then
   ip=$(echo $line | cut -d '.' -f 1,2,3)
   if [ $ip != $ignorIP ]
    then
    echo $line >> tmpIPs
   fi
  fi
done

lAdd=$(cat tmpIPs)
cat tmpIPs | while read line
do
 if [ "$line" != "" ]
  then
  /usr/sbin/ufw insert 1 deny from $line to any  >> $cBanIpLog
  /usr/sbin/ufw insert 1 deny to $line from any >> $cBanIpLog
  echo "       Banned $line" >> $cBanIpLog
  fi
done
rm tmpIPs
}

nMax=5 # Maximum failes
cTarget="/tmp/_ban.ip" # Temporary storage file
cLogFile="/var/log/apache2/access.log" # apache2 access log file
cLogFile1="/var/log/apache2/error.log" # apache2 error.log
cLogFile2="/var/log/asterisk/messages" # asterisk log file
cBanLog="/var/log/banips.log"          #This script log file
cBanIpLog="/var/log/banIP.log"
ignorIP="192.168.1" #IP to ignor, usually home network
dt=$(date +%Y-%m-%d)

echo "Banning IP run at $(date)
Maximum offends: $nMax
Checking logs
        $cLogFile
        $cLogFile1
        $cLogFile11
        $cLogFile12
        " > $cBanIpLog

#Get the bastards out of apache2 and asterisk:
#apache2 access.log
grep 404 $cLogFile | cut -d ' ' -f 1,4 | cut -d ':' -f 1,2,3 | tr -d '[' | sort | uniq -c | sort -rn | awk ' $1 > '"$nMax"' {print $2}' | uniq -c | awk '{print $2}' > $cTarget.tmp
#apache2 error.log
grep "not found or unable to stat" $cLogFile1 | awk '{print $1,$2,$3,$5,$10}' | cut -d ':' -f 1 | sort | uniq -c | awk ' $1 > '"$nMax"' {print $6}' >> $cTarget.tmp
#asterisk messages
grep "failed for" $cLogFile2 | awk -F'failed for' '{print $2}' | awk -F' ' '{print $1}' | awk -F':' '{print $1}'  | tr -d "'" | sort | uniq -c | sort -nr | awk ' $1 > '"$nMax"' {print $2}' >> $cTarget.tmp
#asterisk messages
grep "rejected because extension not found" /var/log/asterisk/messages | awk -F'(' '{print $2}' | awk -F':' '{print $1}' | sort | uniq -c | awk ' $1 > '"$nMax"' {print $2}' >> $cTarget.tmp
#Check myAnt logons
#grep LogonERR /var/www/html/_Public/sys_logs/_qryLogIn.log | awk '{print $3}' | sort | uniq -c | sort -nr | awk '$1 > $nMax {print $2}' >> $cTarget.tmp

#Leave uniq ips
cat $cTarget.tmp | sort | uniq > $cTarget
rm $cTarget.tmp

#Banning
bip
if [ "$lAdd" != "" ]
then
 #Conclude:
 /bin/systemctl restart ufw
 /bin/systemctl status ufw >> $cBanIpLog
 /usr/sbin/ufw status >> $cBanIpLog
 cat $cBanLog | sort | uniq | sort >> /var/log/banips.tmp
 rm $cBanLog
 mv /var/log/banips.tmp $cBanLog
 cat $cBanLog | nl >> $cBanIpLog
 echo "Log file at $cBanIpLog
 nano $cBanLog
 Finished banning $(date)
 " >> $cBanIpLog
 #echo nano /var/log/banips.log
 clear
 cat $cBanIpLog
fi
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search