OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
I have just noted, already commented on this sometime back in this thread
Last edited by ACDC on Sun Aug 25, 2019 10:47 am, edited 2 times in total.
Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
> ACDC wrote:
> I have just noted, already commented on this sometime back in this thread

and you supplied a solution which I never got around to trying.
I think it's called ADD.
Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
I just noticed this on one of IPBan's config panels in their new Web Admin tool:
It looks like you could point to any log you want and use a pattern matching rule to extract what you need...then Ban them Bastards!!!
<and I bet you could send him a Tomcat log and $25 and let him figure it out and send you back the code to paste in>
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
Well, I DID contact Jeff (the author) and he kindly gave me some code to check the Tomcat logs.
So now the bastards that hit my Tomcat trying to guess "php" and "cgi-bin" endpoints get smacked down - makes me feel good.
gonna make a new thread
Last edited by Jaymer on Mon Mar 23, 2020 8:34 pm, edited 1 time in total.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Anatomy of new rules
02:23:47
asshole started hitting my server:
Line 1472: 123.58.236.228 - - [22/Mar/2020:02:23:47 -0400] "GET / HTTP/1.1" 200 7763
Line 1475: 123.58.236.228 - - [22/Mar/2020:02:23:48 -0400] "GET /robots.txt HTTP/1.1" 404 1084
Line 1476: 123.58.236.228 - - [22/Mar/2020:02:23:49 -0400] "POST /Admin2a2a2c98/Login.php HTTP/1.1" 404 1101
Line 1477: 123.58.236.228 - - [22/Mar/2020:02:23:50 -0400] "GET / HTTP/1.1" 200 7763
Line 1478: 123.58.236.228 - - [22/Mar/2020:02:23:51 -0400] "GET /l.php HTTP/1.1" 404 1079
Line 1479: 123.58.236.228 - - [22/Mar/2020:02:23:55 -0400] "GET /phpinfo.php HTTP/1.1" 404 1085
Line 1480: 123.58.236.228 - - [22/Mar/2020:02:23:55 -0400] "GET /test.php HTTP/1.1" 404 1082
Line 1481: 123.58.236.228 - - [22/Mar/2020:02:23:56 -0400] "POST /index.php HTTP/1.1" 404 1083
Line 1482: 123.58.236.228 - - [22/Mar/2020:02:23:59 -0400] "POST /bbs.php HTTP/1.1" 404 1081
Line 1483: 123.58.236.228 - - [22/Mar/2020:02:24:00 -0400] "POST /forum.php HTTP/1.1" 404 1083
Line 1484: 123.58.236.228 - - [22/Mar/2020:02:24:03 -0400] "POST /forums.php HTTP/1.1" 404 1084
Line 1485: 123.58.236.228 - - [22/Mar/2020:02:24:03 -0400] "POST /bbs/index.php HTTP/1.1" 404 1091
Line 1486: 123.58.236.228 - - [22/Mar/2020:02:24:04 -0400] "POST /forum/index.php HTTP/1.1" 404 1093
Line 1487: 123.58.236.228 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1089
Line 1488: 123.58.236.228 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1090
Line 1489: 123.58.236.228 - - [22/Mar/2020:02:24:08 -0400] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1093
Line 1493: 123.58.236.228 - - [22/Mar/2020:02:24:15 -0400] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1090
Line 1494: 123.58.236.228 - - [22/Mar/2020:02:24:15 -0400] "POST /%62%61%73%65/%70%6F%73%74%2E%70%68%70 HTTP/1.1" 404 1115
Line 1498: 123.58.236.228 - - [22/Mar/2020:02:24:23 -0400] "GET /help.php HTTP/1.1" 404 1082
Line 1499: 123.58.236.228 - - [22/Mar/2020:02:24:27 -0400] "GET /_query.php HTTP/1.1" 404 1084
Line 1500: 123.58.236.228 - - [22/Mar/2020:02:24:31 -0400] "GET /test.php HTTP/1.1" 404 1082
Line 1501: 123.58.236.228 - - [22/Mar/2020:02:24:31 -0400] "GET /db_cts.php HTTP/1.1" 404 1084
Line 1502: 123.58.236.228 - - [22/Mar/2020:02:24:32 -0400] "GET /db_pma.php HTTP/1.1" 404 1084
Line 1503: 123.58.236.228 - - [22/Mar/2020:02:24:35 -0400] "GET /help-e.php HTTP/1.1" 404 1084
Line 1504: 123.58.236.228 - - [22/Mar/2020:02:24:35 -0400] "GET /license.php HTTP/1.1" 404 1085
Line 1505: 123.58.236.228 - - [22/Mar/2020:02:24:36 -0400] "GET /log.php HTTP/1.1" 404 1081
Line 1506: 123.58.236.228 - - [22/Mar/2020:02:24:36 -0400] "GET /hell.php HTTP/1.1" 404 1082
02:24:22
IP BAN PRO flags him - gives him "2" hits - gonna have to check why so low, I think it should have banned him right now
02:24:37
15 seconds later checks again and he's over my limit so IP is banned
from IP BAN LOG:
2020-03-22 02:24:22.1600|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 123.58.236.228, , Apache, 2
2020-03-22 02:24:37.2240|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 123.58.236.228, , Apache, 4
2020-03-22 02:24:37.2240|WARN|DigitalRuby.IPBan.IPBanLog|Banning ip address: 123.58.236.228, user name: , config black listed: False, count: 4, extra info:
2020-03-22 02:24:37.2469|WARN|DigitalRuby.IPBan.IPBanLog|Updating firewall with 1 entries...
I was messing around with them to catch some other events - I might have messed up something on the PHP check. Seems like it only caught the cgi-bin illegal attempts.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
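Added example (not code from this thread, from IPBan, or from its author): a small Python detector that reads Apache/Tomcat common-log-format lines like the ones above, treats a 404 on a PHP or cgi-bin path as a scanner probe, and reports an address once it crosses a hit threshold inside a time window, which is the shape of rule IPBan's custom log matching and the ban counts in the IPBan log above describe. The sample log is constructed from a few of the lines in the post (editor line prefixes dropped, the long cgi-bin query strings shortened) plus two made-up legitimate requests from 10.0.0.5; the threshold of 4 and the 60-second window are assumptions, not IPBan's settings. The detector percent-decodes the request path before matching, so the encoded /base/post.php request is counted; a pattern run against the raw path misses it, which is one thing worth checking when a PHP rule seems to catch fewer hits than expected.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample: a subset of the access-log lines from the post above
# (cgi-bin query strings shortened) plus two legitimate requests from 10.0.0.5.
SAMPLE_LOG = """\
123.58.236.228 - - [22/Mar/2020:02:23:47 -0400] "GET / HTTP/1.1" 200 7763
123.58.236.228 - - [22/Mar/2020:02:23:48 -0400] "GET /robots.txt HTTP/1.1" 404 1084
123.58.236.228 - - [22/Mar/2020:02:23:49 -0400] "POST /Admin2a2a2c98/Login.php HTTP/1.1" 404 1101
123.58.236.228 - - [22/Mar/2020:02:23:51 -0400] "GET /l.php HTTP/1.1" 404 1079
123.58.236.228 - - [22/Mar/2020:02:23:55 -0400] "GET /phpinfo.php HTTP/1.1" 404 1085
123.58.236.228 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php?%2D%64+%61%6C HTTP/1.1" 404 1089
123.58.236.228 - - [22/Mar/2020:02:24:08 -0400] "POST /cgi-bin/php-cgi?%2D%64 HTTP/1.1" 404 1093
10.0.0.5 - - [22/Mar/2020:02:24:10 -0400] "GET /app/index.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [22/Mar/2020:02:24:12 -0400] "GET /app/missing.jsp HTTP/1.1" 404 1080
123.58.236.228 - - [22/Mar/2020:02:24:15 -0400] "POST /%62%61%73%65/%70%6F%73%74%2E%70%68%70 HTTP/1.1" 404 1115
"""

# Common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$'
)

# Endpoints a Tomcat-only server never serves: PHP scripts and the CGI directory.
# A 404 on one of these is a scanner probe, not a user typo.
PROBE_RE = re.compile(r'(\.php(?:$|\?)|/cgi-bin/)', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict (ts becomes an aware datetime), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path, status, decode=True):
    """True for a 404 on a PHP or cgi-bin path.

    With decode=True the path is percent-decoded first, so an encoded request such as
    /%62%61%73%65/%70%6F%73%74%2E%70%68%70 (which is /base/post.php) still matches.
    """
    if status != 404:
        return False
    target = unquote(path) if decode else path
    return PROBE_RE.search(target) is not None


def find_offenders(log_text, threshold=4, window=timedelta(seconds=60), decode=True):
    """Return {ip: {"count": total probe hits, "banned_at": ISO time of the hit that
    crossed the threshold}} for every address with >= threshold probes inside `window`.
    threshold and window are assumed values for this example, not IPBan's defaults."""
    recent = defaultdict(deque)   # ip -> timestamps of probe hits still inside the window
    total = defaultdict(int)      # ip -> probe hits over the whole log
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"], rec["status"], decode):
            continue
        ip, ts = rec["ip"], rec["ts"]
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return {ip: {"count": total[ip], "banned_at": flagged[ip]} for ip in flagged}


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {info['count']} probe hits, threshold crossed at {info['banned_at']}")
    # The same log matched without decoding the path counts one hit fewer.
    print("raw-path count:", find_offenders(SAMPLE_LOG, decode=False)["123.58.236.228"]["count"])
```

On the sample, 123.58.236.228 crosses the threshold at its fourth probe (02:24:07) and ends with six hits, while 10.0.0.5's ordinary 404 on a .jsp path is ignored; with decode=False the count drops to five because the encoded /base/post.php request no longer matches. The output of this detector is only the ban decision; wiring it to the Windows firewall is what IPBan does for you.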
Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
> ACDC wrote:
> I thought so, I get hundreds of attempts to hack into Tomcat. I have resorted to banning the IP address by manually changing the rules in the Windows firewall on the Tomcat ports. But it's a challenge, you can imagine.
> > So it doesn't interact with any specific web server or ports.
> It would be great if IP BAN could monitor the Tomcat logs in the same way it monitors the Windows events and then, based on some perceived bad behaviour in the log record, set the firewall rules accordingly. It should be an easy plug-in feature upgrade.
> I wonder if they would be open to adding this functionality.
> It could even be a standalone utility that periodically imports the Tomcat logs, makes an assessment of the suspect entries and then updates the Windows firewall. A simple rule for me is ban IP address by country; this would get rid of most of the bad guys.

If you setup a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on port 80/443 ports and the aggressor never know that they are interrogating Tomcat.
Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
> If you setup a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on port 80/443 ports and the aggressor never know that they are interrogating Tomcat.

NGINX seems a nice option but it seems it doesn't run under Windows, any other suggestion?
Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
> ACDC wrote:
> > If you setup a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on port 80/443 ports and the aggressor never know that they are interrogating Tomcat.
> NGINX seems a nice option but it seems it doesn't run under Windows, any other suggestion?

You'd run it as a Linux server in front of your Windows box, not on the same machine.