In my nginx access.log have seen some POST request like these, this request is over 20 time in 1 second, this tunnel.jsp there is no inside my server, but this ip can through this way(using 80 port) to change something on my server, how can I only block the tunnel.jsp using nginx or there are other ways to stop this without close 80 port?
xxx.xxx.xxx.xxx - - [14/Mar/2017:02:26:24 +0800] "POST /v1/bet/attach/tunnel.jsp?cmd=read HTTP/1.1" 200 5 "-" "-"
xxx.xxx.xxx.xxx - - [14/Mar/2017:02:26:24 +0800] "POST /v1/bet/attach/tunnel.jsp?cmd=read HTTP/1.1" 200 5 "-" "-"
xxx.xxx.xxx.xxx - - [14/Mar/2017:02:26:24 +0800] "POST /v1/bet/attach/tunnel.jsp?cmd=read HTTP/1.1" 200 5 "-" "-"
xxx.xxx.xxx.xxx - - [14/Mar/2017:02:26:24 +0800] "POST /v1/bet/attach/tunnel.jsp?cmd=read HTTP/1.1" 200 5 "-" "-"
xxx.xxx.xxx.xxx - - [14/Mar/2017:02:26:24 +0800] "POST /v1/bet/attach/tunnel.jsp?cmd=read HTTP/1.1" 200 5 "-" "-"
xxx.xxx.xxx.xxx - - [14/Mar/2017:02:26:24 +0800] "POST /v1/bet/attach/tunnel.jsp?cmd=read HTTP/1.1" 200 5 "-" "-"
if you are planning to ban the IP where the request is coming from, you can try fail2ban
Related
A curious question this time. Someone just made the following HTTP requests to my server:
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //xmlrpc.php?rsd HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET / HTTP/1.0" 200 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //web/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //website/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //news/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //2018/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //2019/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //test/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //media/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //site/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:02] "GET //cms/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:02] "GET //sito/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
Anyone any idea why someone would try this. I know it has something to do with WordPress (that I don't use/have installed anyway) But I still wonder why someone would try to make these requests.
Thx a lot,
Jules
P.S. The server says it comes from localhost but that is because it goes through Nginx
This is commonplace. Today more than 40% of the world's internet traffic are bots and 25% are malicious bots.
They are just bots that are constantly looking for possible security flaws in as many indexed domains as possible in order to compromise the site.
There are tools that can help you detect these requests and take action. For example fail2ban.
This is my docker-compose file:
version: '2'
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: wordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
wordpress:
depends_on:
- db
image: wordpress:latest
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_PASSWORD: wordpress
varnish:
image: eeacms/varnish
depends_on:
- wordpress
ports:
- 9000:6081
environment:
DNS_ENABLED: "true"
BACKENDS: wordpress
BACKENDS_PORT: 80
volumes:
db_data:
wordpress is running on 0.0.0.0:8080 and on 172.17.0.1:8080
But the /etc/hosts of varnish container is like this
root#4cc3dc214d69:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3 wordpress fd3f01c29d6a dockoor_wordpress_1
172.17.0.3 wordpress_1 fd3f01c29d6a dockoor_wordpress_1
172.17.0.3 dockoor_wordpress_1 fd3f01c29d6a
172.17.0.4 4cc3dc214d69
varnish is mapping wordpress to 172.17.0.3
That why while trying to access 0.0.0.0:8000 i get
Error 503 Backend fetch failed
Backend fetch failed
Guru Meditation:
XID: 3
Varnish cache server
Can someone please point out whats wrong with my compose file?
P.S docker-compose log shows that varnish do hit worpress but its getting a 302 response.
02 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:19 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:20 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:21 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:22 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:23 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:24 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:25 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:26 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:27 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:29 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:30 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:31 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:32 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:33 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:34 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:35 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:36 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:37 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:38 +0000] "GET / HTTP/1.1" 302 338 "-" "-"
wordpress_1 | 172.17.0.4 - - [25/Mar/2017:10:45:39 +0000] "G
Your link appears to be working as expected. 0.0.0.0 is not an IP address you connect to, that's a listener IP that tells the networking stack to listen on all interfaces rather than a specific IP on the host. In your case, all IP's includes 127.0.0.1 (loopback inside the container) and 172.17.0.3 (the IP reachable by other containers on that network.
Note that links are largely deprecated, it's preferred to configure the containers on a network (other than the default bridge) and use the built in DNS discovery. Similarly, compose version 1 file formats are also largely deprecated, you should consider upgrading to at least the version 2 compose file format. With that format, a network will be created by default for your containers to communicate.
Here's an example of your compose file in version 2 format:
version: '2'
services:
wordpress:
image: wordpress
ports:
- 8080:80
mysql:
image: mariadb
environment:
MYSQL_ROOT_PASSWORD: examplepass
varnish:
image: eeacms/varnish
ports:
- "8000:6081"
environment:
DNS_ENABLED: "true"
BACKENDS: "wordpress"
BACKENDS_PORT: 8080
The http 302 is a redirect, whatever you are running is able to see the url but isn't following the redirect or wordpress is not configured to give a correct redirect.
Update: The varnish error you are seeing is because you are probing / on the wordpress server which is responding with a 302 redirect. Varnish appears to need a 200 success code for the url it is probing. For that, you can add a variable like the following to your varnish environment:
BACKENDS_PROBE_URL: /wp-includes/js/jquery/jquery.js
I noticed that in my access logs these records are flooding. I'm not sure is this a brute force attack because the IP address is my server's IP.
How can I figure what's going on?
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-"
The Solution was to Create a mod_security rule to block such offending IP address.
Create file name “wpbrute.conf” in /usr/local/apache/conf/modsec_rules and add following to it.
SecRule REQUEST_LINE "POST .wp-login."
"pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:35011"
SecRule IP:MAXLIMIT "#gt 10" "log,deny,id:350111,msg:'wp-bruteforce:
denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
Open file /usr/local/apache/conf/modsec2.user.conf and add include path as below and save the file.
Include /usr/local/apache/conf/modsec_rules/wpbrute.conf
Now all the attacked to the “wp-login.php” should be stopped
When i send this request:
GET /test.php HTTP/1.1
Host: localhost
The connection just times out. When looking into the server log, this is what i found:
127.0.0.1 - - [16/Nov/2016:07:58:01 +0100] "GET /test.php HTTP/1.1" 408 321 "-" "-"
Any ideas why it does that?
I'm running an nginx web server on the local network. I'm behind a linksys EA3500 router. I've noticed a lot of strange activity on my web server coming from the router (192.168.1.1). I've tried power-cycling the router and haven't seen any change. Here is a section of my nginx access logs with the strange activity:
192.168.1.1 - - [19/Jun/2016:13:40:00 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:40:00 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:40:00 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:40:00 -0400] "GET /admin/login HTTP/1.1" 200 2581 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:40:00 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:40:00 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:42:16 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:48:31 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:50:31 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:55:49 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:55:49 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:55:49 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:55:49 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:55:49 -0400] "GET /HNAP1/ HTTP/1.1" 404 1564 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:55:49 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:13:55:49 -0400] "GET /admin/login HTTP/1.1" 200 2588 "-" "-"
192.168.1.1 - - [19/Jun/2016:14:36:39 -0400] "GET / HTTP/1.1" 302 107 "-" "-"
192.168.1.1 - - [19/Jun/2016:14:36:39 -0400] "POST /JNAP/ HTTP/1.1" 404 1564 "-" "-"
The thing that concerns me most is that the router appears to be trying to log into my web server's web app (it hasn't gotten in so far, and never provides credentials). Any ideas what is going on and how I can stop the router from making these requests?