I detected someone probing my site for weaknesses, what can I do about it? [duplicate]
up vote
27
down vote
favorite
This question already has an answer here:
Webserver logs show someone is trying to hack my site, what should I do?
5 answers
My site has been getting probed by a bunch of IPs from Morocco (trying to submit forms, trying out potential URLs, trying to execute scripts etc.), I have a strong suspicion it's the same person after observing the pattern of how they behave. Looking at the logs they don't seem to have found any vulnerabilities. I'm not sure what I should do about this other than keep observing. Blocking the IP doesn't seem useful since it seems to change.
Is there anything I can do about it at this point?
web-application attacks attack-prevention defense incident-response
asked Nov 5 at 14:00
Jad S
marked as duplicate by Dmitry Grigoryev, Community♦ Nov 6 at 13:06
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
Yes indeed, very similar questions. Thanks for spotting @DmitryGrigoryev
– Jad S
Nov 6 at 13:05
1
please note, we all did it at one point.
– DeerSpotter
Nov 6 at 13:54
5 Answers
up vote
67
down vote
Welcome to the internet! This is the normal situation, business as usual.
You don't have to do anything but harden your website. Probes like that occur all the time, on every site, day and night. Some people call that "voluntary pen testing."
Depending on your site, there are some tools that you can use to help you keep those kinds of probes out of the site. WordPress sites have a couple of plugins (you can search for Security plugins on the plugins directory), and I believe the other popular platforms out there will have equivalent plugins.
Another tool I usually employ is fail2ban. It can parse your webserver log files, and react accordingly.
answered Nov 5 at 14:08
ThoriumBR
19
How's that voluntary? Didn't you mean involuntary?
– d33tah
Nov 5 at 15:43
24
@d33tah because those helpful security probes are volunteering their resources to pen test your website.
– aaaaaa
Nov 5 at 16:22
28
I mean voluntary. They are testing your site for free. Sometimes they even send you a damage report, but don't count on that...
– ThoriumBR
Nov 5 at 17:34
5
@ThoriumBR: Ah. The "attacker" is volunteering. Got it. That's also only questionably legal, last I checked. Not outright illegal, but a grey area.
– Mooing Duck
Nov 5 at 18:50
13
Nice to see these generous people for their volunteer work. Maybe they would even crack my site and create backups of my customer data, for free! It is very helpful. :-)
– peterh
Nov 6 at 4:53
up vote
5
down vote
The first step outside of immediately looking to a solution is to conduct a pentest of your own site and be actually aware of what weaknesses there are in your site. If you don't know what you are protecting, then how will you know to protect it?
First, look at the infrastructure such as CMS. For example, if you are using WordPress, then there are pentesting tools for WordPress available both as apps and cmd tools, i.e. Wordfence, and I've used WPScan also.
Second option is to look at tools like OWASP zaproxy and do an attack scan of your network and gain a list of vulnerabilities. Just a note that some of these could be false positives.
Your findings may mirror what has already been found but I think knowing what the vulnerabilities are in your own site is useful.
The next step is how you are finding out about these probes. If it was a manual check, you can also consider setting up some log collection system like NXLog.
answered Nov 5 at 15:18
NASAhorse
A great plugin for WordPress is Wordfence. It automatically blocks suspicious requests. Also it makes it easy to view all traffic and block in one click.
– Coomie
Nov 6 at 3:04
up vote
2
down vote
Work out what they are looking for, and ban their IP for a month or two if they try it on. You might also dummy up some PHP to slow them down.
Do not refer them to other sites for huge downloads, and do not leave malware for them to find.
90% will be WordPress, phpMyAdmin, Telephony. If they are script kiddies the same old values pop up.
Look into Fail2Ban and DenyHosts for ideas.
If you are actually running WP, harden it up with a security solution.
Only allow access to admin tools and any database by exception, and this should almost never be from an Internet address, but something local with its own Bastion-like protection.
answered Nov 6 at 2:09
mckenzm
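The per-address counting that fail2ban-style tools apply to web server logs, extended with a per-range check for the question's case of a source whose address keeps changing, as an added example (not code from any answer here and not fail2ban's own implementation). The log lines, probe-path patterns, thresholds and the names `parse`, `covering_net` and `detect` are assumptions made for illustration; `FINDTIME` and `MAXRETRY` only mirror the meaning of fail2ban's `findtime` and `maxretry` settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Start of an Apache/nginx "combined" access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumed probe signatures for a site that hosts none of these applications.
PROBE_RE = re.compile(
    r'wp-login\.php|xmlrpc\.php|phpmyadmin|/\.env\b|/\.git/', re.I)

FINDTIME = timedelta(minutes=10)  # sliding window
MAXRETRY = 3                      # probe hits from one address within the window
MIN_SOURCES = 3                   # distinct probing addresses within one range

# Constructed sample log (documentation address ranges, made-up requests).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2024:13:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.50 - - [05/Nov/2024:13:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2024:13:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.60 - - [05/Nov/2024:13:01:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/7.58.0"
192.0.2.50 - - [05/Nov/2024:13:01:30 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2024:13:02:00 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.10 - - [05/Nov/2024:13:03:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.11 - - [05/Nov/2024:13:05:00 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.12 - - [05/Nov/2024:13:08:00 +0000] "GET /wp-login.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
192.0.2.60 - - [05/Nov/2024:13:20:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/7.58.0"
192.0.2.60 - - [05/Nov/2024:13:40:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/7.58.0"
"""


def parse(line):
    """Return (ip, timestamp, path, status), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:  # hostname instead of an address, or a malformed date
        return None
    return ip, ts, m["path"], int(m["status"])


def covering_net(ip):
    """Range used for aggregation: /24 for IPv4, /64 for IPv6 (assumed sizes)."""
    prefix = 24 if ip.version == 4 else 64
    return ip_network(f"{ip}/{prefix}", strict=False)


def detect(lines):
    """Scan chronologically ordered log lines; return (addresses, ranges) to ban."""
    per_ip = defaultdict(deque)    # ip  -> timestamps of recent probe hits
    per_net = defaultdict(deque)   # net -> (timestamp, ip) of recent probe hits
    ban_ips, ban_nets = set(), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        # A hit counts only if it asks for a probe path and the server refused it.
        if not (400 <= status < 500 and PROBE_RE.search(path)):
            continue
        hits = per_ip[ip]
        hits.append(ts)
        while ts - hits[0] > FINDTIME:      # drop hits that left the window
            hits.popleft()
        if len(hits) >= MAXRETRY:
            ban_ips.add(ip)
        # Same window per range, but counting distinct sources: this is what
        # catches a prober that changes address after every request.
        seen = per_net[covering_net(ip)]
        seen.append((ts, ip))
        while ts - seen[0][0] > FINDTIME:
            seen.popleft()
        if len({src for _, src in seen}) >= MIN_SOURCES:
            ban_nets.add(covering_net(ip))
    return sorted(map(str, ban_ips)), sorted(map(str, ban_nets))


if __name__ == "__main__":
    ips, nets = detect(SAMPLE_LOG.splitlines())
    print("ban addresses:", ips)
    print("ban ranges:   ", nets)
```

In the sample, 192.0.2.60 makes three probe requests but never three inside one window, so it is not banned, and the ordinary visitor's missing favicon is ignored because it matches no probe pattern.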
up vote
0
down vote
If I had a cent for every scan my website gets...
Literally, if you check your logs, you will notice a constant stream of automated probes and attacks. When I consult clients (I work in information security), I call this "background noise". It is there and any attempt to do anything about it is more costly than just accepting that it's there. I would even go so far as to filter it out before you pipe the logfiles into your monitoring, alerting, SIEM, etc. systems.
What you must do is keep your systems up-to-date and patched. Almost all of these attacks are using well-known and often quite old exploits. They are fishing for easy targets.
What you should do is spend a little bit of time on hardening your system. Setting up permissions correctly, blocking unused ports, disabling unused software, running stuff under dedicated users, that kind of stuff.
What you can do, especially for a private website with a local audience, is to block out broad IP ranges belonging to China, Russia, Europe and/or the USA, depending on where your audience isn't. The vast majority of attacks originate from these origins, and if you don't have anyone in, say, the USA who reads your webpage because your webpage is about your local dog club in Spain, you can reduce the noise just by blocking them out at the firewall. I write "can" because it doesn't make much of a difference, really, but it will reduce the noise in your log (it will also affect your Google ranking, but that's a different subject).
answered Nov 6 at 13:06
Tom
4,277628
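An added example, not part of the original answer: one way to apply the "filter it out before your SIEM" advice above while still surfacing any probe the server did not refuse. The probe signatures, the 4xx rule and the sample log lines are constructed assumptions to adapt to your own site.

```python
import re

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed signatures of commodity scanners; tune these to your own site.
PROBE_RE = re.compile(r'(?i)(wp-login\.php|xmlrpc\.php|phpmyadmin|/\.env|/\.git/|\.\./)')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.23 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "POST /contact HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    'malformed line without a request',
]

def classify(line):
    """Return 'noise', 'alert' or 'forward' for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return "forward"  # never silently drop what we cannot parse
    if not PROBE_RE.search(m["path"]):
        return "forward"  # ordinary traffic goes to monitoring unchanged
    # A refused probe (4xx) is background noise. Any other status means the
    # server did something with the request, which deserves a human look.
    return "noise" if 400 <= int(m["status"]) < 500 else "alert"

def split_stream(lines):
    """Sort log lines into the three buckets, preserving order."""
    buckets = {"noise": [], "alert": [], "forward": []}
    for line in lines:
        buckets[classify(line)].append(line)
    return buckets

if __name__ == "__main__":
    for name, lines in split_stream(SAMPLE).items():
        print(name, len(lines))
```

Only the "noise" bucket is dropped before the SIEM; the "alert" bucket is the part of the scan traffic that should not be treated as background.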
up vote
-5
down vote
Block the whole country
Check ASN and its allocated IP range, and block that IP range.
Fingerprint the attacker using a user agent or a JavaScript library and attach a strong captcha when the fingerprint is detected.
Last but not least, secure your site and monitor attacks regularly.
answered Nov 5 at 14:07
Moonsik Park
54916
18
Blocking the whole country will prevent all its people from accessing the website. Is this really a good practice?
– Michaël Polla
Nov 5 at 16:37
11
No, it is definitely not a good practice ....
– binarym
Nov 5 at 16:48
6
No, but it's good security.
– DavidS
Nov 5 at 16:49
63
Even better security is obtained by blocking the entire world, i.e. disconnecting from the internet just in case.
– user190573
Nov 5 at 16:54
5
@MichaëlPolla Good security is only giving read permission to those who need it. If the nature of your site makes it so that no one living or vacationing in that country could possibly have any business being on your site, then there is no point wasting server resources to cater to them. As with most things with security, it's a trade-off.
– Tezra
Nov 5 at 21:54
Yes indeed, very similar questions. Thanks for spotting @DmitryGrigoryev
– Jad S
Nov 6 at 13:05
1
Please note, we all did it at one point.
– DeerSpotter
Nov 6 at 13:54