0

Some bot keeps posting strings like this to my server. What do they mean and what's the best way from preventing them?

  1. RaxfkI/IZARdmslPRT3qzmMmaAmJOQ1i3lJWx9f4jJBQ0fVChoXCF3hlRjvticMkgEQxR7RKxb8uWfcbQa9jRqW8JFfOAykAsg7Nkf6MdScjE0bgyo0757jvOKqamcMA/xicZs_/S26J7PFUu2H/TMrJxwhAoAyvoFYavKcqWRccoZKCKAStUxJ6V8nqaXfIc6PL9dVRxWqSPyEUL7Y212kGO9fET70YOJj0lw/hkHUuRzRBSn/LXRE8RJVSGW5HmsLVbrG9Rp_I/omjALqCtBMZ/spkWrRYRK2uOotRCNLNVdQz23ioYLUB3TIpZc6wCwz6HpZe7hhOzlikAZW22acDDAOicP7/i9jaHvvC5ine85J1D7QAd3Nuz6/ZsaQN4koSktdDoK8evUIvHCTpcCxnI/SaH6fmIhtuRaDsEK4K

  2. EaMIk9rLYLRC5UGCKDcSS2GcXmsKekjiO3OPn79AZ/g67w6ensoQufXWcCJaKFq_GEe7/k3qPwbWDyWd1wY/lgptLoFqn_7EE6vUg0WRX/e9DX3vvlZHB2_kkPDGPw2cIL2c8fbEScsQcePT1gNzcCwATzFUgK7SHN2rv01C6jW2qiLzoVPB53Fb9Go9HfAAKmgOj4NYhKSnK7eQW5_M5q9q_EjqO62pj7ohVofKlog7lvQ0h80uwtYjA0DDPbbkBFWFbik5ZULv_KgVhwnx9IUPVRyzXAi2W5KWExWH8u_Lm2wOaNJZHvXagCPIMO4ThHNfpT_5v9mtUfBQR14D1VRnbVHOIg

  3. Rq1ckN7PZJp1PEjQqFJJjzDLdlC666M1FPfhEGF6cqUER4lAw8aIkJKSUc4VgU1lzfx32AyKmQbbjbrmJCEpAVjfhyunmVj7Adh/uK4WEuiwLiQlNs0qWqjtEAJg4b7sAAuODrzS48FtO975UIUlsT85Wj9uzknsqH9M1k0WrCgg7ngkAlcJmlKryDzMtxdQ8RJR75wU77ADuD8tB1Op1Yby2V/Cb4fgH3KQTmU_qSXUNgH5BHXCY_MRSCwbGQVvzsgGwqbcjboZmtACFc850IgPg1Yx9yuLxJfsciGRTUy8B/6QSZjfRGC0ujFOMJ6OUVE2f/owbx6GJKp_ULiIPE42rFEdA6Y5jtoCLMxhT_qzYUaUOcv9WmMwYMkpC9oWHe8SYieEYQ

I've got over 2400 requests like this. They're all posted to my server's IP, not the domain name.

My server keeps throwing a MethodNotAllowedHttpException which is caught by my error handler, which is how I know this keeps happening. I don't think it's causing any harm but if they're eating my server resources, I'd like to prevent that.

mpen
  • 121
  • 5
  • 1
    This does look like encoded binary of some sort. You need to provide way more information on how this is an actual problem and what you are willing to do about it. This might solicit an abuse report to the originating IP addresses holder. Additionally, you could use a firewall to block those requests - but this just eats other resources. I do not see the benefit of that on this scale. – Tobi Nary Oct 28 '17 at 19:53
  • 1
    @SmokeDispenser Well I don't know if it's actual problem. I guess my primary concern right now is that it's flooding my error log and I keep getting emails about it. I can suppress that by putting in a route for this request and just ignoring it so that it doesn't generate an error, but I'm wondering if I should be more concerned and do something else to prevent things like this in the future. If it's not troublesome, then I'm not willing to spend more than an hour or two on it and $0. – mpen Oct 28 '17 at 20:00
  • 2
    I’d send an abuse report as mentioned and add a log rotation that handles the overflowing log while keeping your level of verbosity. – Tobi Nary Oct 28 '17 at 20:22
  • Is this the body of an HTTP POST request? If so, what URL is it posted to? What headers are sent? Or is it sent as quoted to TCP port 80 (or 443)? – Marc Schütz Oct 29 '17 at 08:33
  • @MarcSchütz Yes, POST body. URL is the IP of my server, like https://123.123.123.123/. No path or query params. It's HTTPS, so I guess port 443? Headers are here: https://i.imgur.com/dqZcm8M.png User-agent string is for IE11, and Content-Type is application/x-www-form-urlencoded. – mpen Oct 29 '17 at 17:19
  • I think part of the problem is the way you have your system configured. If someone hits a URL with an HTTP verb it isn't intended for (i.e. POSTing to a URL that supports GET only), I don't consider that an application error. Instead, your application should just return a standard 404 and not bother you with it otherwise (except to log to a 404 errors file). – Conor Mancone Oct 31 '17 at 18:10
  • @ConorMancone I could suppress it entirely, I'm just not sure if I want to. If, for example, I configured one my routes incorrectly -- to say listen for GET requests for a form submission (POST), that would be a legitimate error. If I see a high volume of MethodNotAllowedHttpExceptions for a particular path then I know one of the links on my site is probably wrong, as opposed to bots hitting up random URLs with random verbs. I'll change it to an errorless 404 if it starts happening too much. – mpen Oct 31 '17 at 22:34

1 Answers1

1

One possible way to prevent uploads and attacks as you have described and many more is to install apache mod_security with OWASP ModSecurity CRS rules.

They can also be applied to ngnix, and it will most likely protect you from:

  • SQL Injection (SQLi)
  • Cross Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Remote Code Execution (RCE)
  • PHP Code Injection
  • HTTP Protocol Violations
  • Shellshock Session Fixation
  • Scanner Detection
  • Metadata/Error Leakages
  • Project Honey Pot Blacklist
  • GeoIP Country Blocking

If you servers are not running on apache, you can however have it server as reverse proxy, and protect your web-application.

Once you have mod_security enabled and configured, you can go further and install and configure fail2ban to ban IP's trying to hack you like this:

  1. Install fail2ban as per your system (yum install or apt install fail2ban...)
  2. Create /etc/fail2ban/filter.d/modsec.conf

  3. Put the following to that file:

    # Fail2Ban configuration file
#
# Author: Florian Roth

[Definition]
failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =

  4. Then put this in /etc/fail2ban/jail.conf

     #
 # HTTP servers
 #

 [modsec]
 enabled  = true 
 filter   = modsec
 action   = iptables-multiport[name=ModSec, port="http,https"]
 sendmail-buffered[name=ModSec, lines=5, dest=hostmaster@rietta.com]
 logpath  = /var/log/apache2/modsec_audit.log
 bantime  = 172800
 maxretry = 3

 [apache]
 enabled  = true
 port        = http,https
 filter   = apache-auth
 logpath  = /var/log/apache*/*error.log
 maxretry = 6

Then make sure that your fail2ban and apache are restarted.

Another way is to purchase some pre-configured device like sophos UTM with web application firewall, it's a good way if you are owning datacenter with servers, because UTM will off-load your web servers from that task (FYI, it's actually running mod security also, plus some additional features like package inspection, antivirus...)

Aleksandar Pavić
  • 272
  • 2
  • 11