Search code examples
amazon-web-servicessecuritynginxdevopsddos

Direct IP Attacks, ElastickBeanstalk/NGINX

I have a bit problem with my site. So setup is ElasticBeanstalk(NGINX) + Cloudflare

But each day around 4AM I have direct IP attack to my server. Around 300 requests in 1-2 minutes. Bot try to access some resources like 

GET /phpMyadmi/index.php HTTP/1.1
GET /shaAdmin/index.php HTTP/1.1
POST /htfr.php HTTP/1.1

For now all of them going to 80 or 8080 ports. And successfully handled by Nginx configuration that redirect it to example:443

server {
        listen 80 default_server;
        listen 8080 default_server;
        server_name _;
        return 301 https://example.com$request_uri;
      }

      server {
        listen 443 ssl;
        server_name example.com;
        ssl on;    
...

So questions are,

  1. have many site owners/devOps face the same attack. What is your action to prevent such attacks.
  2. For now it is handled very well and did not affect on server work, should I worry about it? Or just filter out logs with /phpmy/ pattern and forgot about it.
  3. Before this attacks I have request with method PROPFIND, should I blocked it for security reasons? It is handled by default server for now.

I know that I can use Cloudflare Argotunel or ELB + WAF. But I am not really want to do it for now.

I have found one solution on stackoverflow. Is whitelist of all cloudflare ips. But i think it is not a good one.

Also another solution that should work I guess it is to check Host header, and compare it with 'example.com'.

Solution

  • To answer your specific questions:

    1. Every public IP receives unwanted traffic like you describe, sadly its pretty normal. This isnt really an attack as such, its just a bot looking for signs of specific weaknesses, or otherwise trying to provoke a response that contains useful data. This data is no doubt later used in actual attacks, but its basically automated recognisance on a potentially massive scale.

    2. This kind of script likely isnt trying to do any damage, so as long your server is well configured & fully patched its not a big concern. However these kinds of scans are first step towards launching an attack - by identifying services & application versions with known vulnerabilities - so its wise to keep your logs for analysis.

    3. You should follow the principle of least privilege. PROPFIND is related to WebDAV - if you dont use it, disable it (or better white list the verbs you do support and ignore the rest).

    If your site is already behind CloudFlare then you really should firewall access to your IP so only Cloudflares IPs can talk to your server. Those IPs do change, so I would suggest a script to download the latest from https://www.cloudflare.com/ips-v4 and have it periodically update your firewall. Theres a slightly vuage help article from CloudFlare on the subject here: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-

    If for whatever reason you cant firewall the IP, your next best option is something like fail2ban (www.fail2ban.org) - its a log parser that can manipulate the firewall to temporarily or permanently block an IP address based on patterns found in your log files.

    A final thought - id advise against redirecting from your IP to your domain name - your telling the bot/hackers your URL - which they can then use to bypass the CDN and attack your server directly. Unless you have some reason to allow HTTP/HTTPS traffic to your IP address, return a 4XX (maybe 444 a " Connection Closed Without Response") instead of redirecting when requests hit your IP. You should then create a separate server block to handle your redirects, but only have it respond to genuine named URLs.