I detected someone probing my site for weaknesses, what can I do about it? [duplicate]











This question already has an answer here:




  • Webserver logs show someone is trying to hack my site, what should I do?

    5 answers




My site has been getting probed by a bunch of IPs from Morocco (trying to submit forms, trying out potential URLs, trying to execute scripts, etc.). I have a strong suspicion it's the same person after observing the pattern of how they behave. Looking at the logs, they don't seem to have found any vulnerabilities. I'm not sure what I should do about this other than keep observing. Blocking the IP doesn't seem useful since it seems to change.



Is there anything I can do about it at this point?










marked as duplicate by Dmitry Grigoryev, Community Nov 6 at 13:06


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.















  • Yes indeed, very similar questions. Thanks for spotting @DmitryGrigoryev
    – Jad S
    Nov 6 at 13:05






  • Please note, we all did it at one point.
    – DeerSpotter
    Nov 6 at 13:54















web-application attacks attack-prevention defense incident-response






asked Nov 5 at 14:00









Jad S

5 Answers













If I had a cent for every scan my website gets...

Literally, if you check your logs, you will notice a constant stream of automated probes and attacks. When I consult clients (I work in information security), I call this "background noise". It is there and any attempt to do anything about it is more costly than just accepting that it's there. I would even go so far as to filter it out before you pipe the logfiles into your monitoring, alerting, SIEM, etc. systems.

What you must do is keep your systems up-to-date and patched. Almost all of these attacks are using well-known and often quite old exploits. They are fishing for easy targets.

What you should do is spend a little bit of time on hardening your system. Setting up permissions correctly, blocking unused ports, disabling unused software, running stuff under dedicated users, that kind of stuff.

What you can do, especially for a private website with a local audience, is to block out broad IP ranges belonging to China, Russia, Europe and/or the USA, depending on where your audience isn't. The vast majority of attacks originate from these origins, and if you don't have anyone in, say, the USA who reads your webpage because your webpage is about your local dog club in Spain, you can reduce the noise just by blocking them out at the firewall. I write "can" because it doesn't make much of a difference, really, but it will reduce the noise in your log (it will also affect your Google ranking, but that's a different subject).




















1. Block the whole country.
2. Check ASN and its allocated IP range, and block that IP range.
3. Fingerprint the attacker using a user agent or a JavaScript library and attach a strong captcha when the fingerprint is detected.

Last but not least, secure your site and monitor attacks regularly.






  • Blocking the whole country will prevent all its people from accessing the website. Is this really a good practice?
    – Michaël Polla
    Nov 5 at 16:37

  • No, it is definitely not a good practice ...
    – binarym
    Nov 5 at 16:48

  • No, but it's good security.
    – DavidS
    Nov 5 at 16:49

  • Even better security is obtained by blocking the entire world, i.e. disconnecting from the internet just in case.
    – user190573
    Nov 5 at 16:54

  • @MichaëlPolla Good security is only giving read permission to those who need it. If the nature of your site makes it so that no one living or vacationing in that country could possibly have any business being on your site, then there is no point wasting server resources to cater to them. As with most things with security, it's a trade-off.
    – Tezra
    Nov 5 at 21:54


















Welcome to the internet! This is the normal situation, business as usual.

You don't have to do anything but harden your website. Probes like that occur all the time, on every site, day and night. Some people call that "voluntary pen testing."

Depending on your site, there are some tools that you can use to help you keep those kinds of probes out of the site. WordPress sites have a couple of plugins (you can search for security plugins in the plugins directory), and I believe the other popular platforms out there will have equivalent plugins.

Another tool I usually employ is fail2ban. It can parse your web server log files and react accordingly.

answered Nov 5 at 14:08
ThoriumBR








  • How's that voluntary? Didn't you mean involuntary?
    – d33tah
    Nov 5 at 15:43

  • @d33tah because those helpful security probes are volunteering their resources to pen test your website.
    – aaaaaa
    Nov 5 at 16:22

  • I mean voluntary. They are testing your site for free. Sometimes they even send you a damage report, but don't count on that...
    – ThoriumBR
    Nov 5 at 17:34

  • @ThoriumBR: Ah. The "attacker" is volunteering. Got it. That's also only questionably legal, last I checked. Not outright illegal, but a grey area.
    – Mooing Duck
    Nov 5 at 18:50

  • Nice to see these generous people for their volunteer work. Maybe they would even crack my site and create backups of my customer data, for free! It is very helpful. :-)
    – peterh
    Nov 6 at 4:53














The first step outside of immediately looking to a solution is to conduct a pentest of your own site and be actually aware of what weaknesses there are in your site. If you don't know what you are protecting, then how will you know to protect it?

First, look at the infrastructure such as the CMS. For example, if you are using WordPress, then there are pentesting tools for WordPress available both as apps and cmd tools, i.e. Wordfence, and I've used WPScan also.

The second option is to look at tools like OWASP zaproxy and do an attack scan of your network and gain a list of vulnerabilities. Just a note that some of these could be false positives.

Your findings may mirror what has already been found, but I think knowing what the vulnerabilities are in your own site is useful.

The next step is how you are finding out about these probes. If it was a manual check, you can also consider setting up some log collection system like NXLog.

answered Nov 5 at 15:18
NASAhorse












  • A great plugin for WordPress is Wordfence. It automatically blocks suspicious requests. Also, it makes it easy to view all traffic and block in one click.
    – Coomie
    Nov 6 at 3:04


















Work out what they are looking for, and ban their IP for a month or two if they try it on. You might also dummy up some PHP to slow them down.

Do not refer them to other sites for huge downloads, and do not leave malware for them to find.

90% will be WordPress, phpMyAdmin, Telephony. If they are script kiddies, the same old values pop up.

Look into Fail2Ban and DenyHosts for ideas.

If you are actually running WP, harden it up with a security solution.

Only allow access to admin tools and any database by exception, and this should almost never be from an Internet address, but something local with its own bastion-like protection.

answered Nov 6 at 2:09
mckenzm
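The log-driven handling the answers above point to (a tool that parses the web server log and reacts, banning repeat probers for a month, keeping background noise out of monitoring), shown as an added example that is not from any of the answers and is not fail2ban's own code. The threshold names mirror fail2ban's `maxretry`/`findtime`/`bantime` options; the probe paths, the sample log lines and the `triage` function are constructed assumptions, including the assumption that the site runs neither WordPress nor phpMyAdmin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: this site serves none of these, so any request for them is a
# probe. Replace with paths for software you do not run.
PROBE_RE = re.compile(
    r'/(wp-login\.php|xmlrpc\.php|wp-admin|phpmyadmin|pma)(/|\?|$)', re.I
)

MAXRETRY = 3                       # probe hits allowed per source address
FINDTIME = timedelta(minutes=10)   # ...within this sliding window
BANTIME = timedelta(days=30)       # "a month or two"

# Constructed sample log (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2018:13:58:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Nov/2018:13:58:03 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [05/Nov/2018:13:58:10 +0000] "GET /contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Nov/2018:13:58:12 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.99 - - [05/Nov/2018:14:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [05/Nov/2018:14:06:00 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def triage(lines):
    """Split an access log into bans, alerts and lines worth forwarding.

    Returns (bans, alerts, forward):
      bans    - {ip: ban expiry} for addresses reaching MAXRETRY in FINDTIME
      alerts  - probe requests the server did NOT reject (status < 400)
      forward - everything that is not rejected-probe background noise
    """
    recent = defaultdict(deque)    # ip -> timestamps of recent probe hits
    bans, alerts, forward = {}, [], []

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            forward.append(line)   # unparseable: let monitoring see it
            continue

        if not PROBE_RE.search(m['path']):
            forward.append(line)   # ordinary traffic
            continue

        # A probe that was answered instead of rejected is the case that
        # matters: something unexpected exists at that path.
        if int(m['status']) < 400:
            alerts.append(line)
            forward.append(line)

        ip = m['ip']
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > FINDTIME:     # drop hits outside the window
            hits.popleft()
        if len(hits) >= MAXRETRY and ip not in bans:
            bans[ip] = ts + BANTIME

    return bans, alerts, forward


if __name__ == '__main__':
    bans, alerts, forward = triage(SAMPLE_LOG)
    for ip, until in bans.items():
        print(f'ban {ip} until {until:%Y-%m-%d %H:%M %Z}')
    for line in alerts:
        print('ALERT probe was answered:', line)
    print(f'{len(forward)} of {len(SAMPLE_LOG)} lines forwarded to monitoring')
```

Counting per source address means a prober that rotates IPs can stay under the threshold, so the `alerts` list (a probe path that returned something other than an error) is the output to act on first.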






















              up vote
              0
              down vote













              If I had a cent for every scan my website gets...



              Literally, if you check your logs, you will notice a constant stream of automated probes and attacks. When I consult clients (I work in information security), I call this "background noise". It is there and any attempt to do anything about it is more costly than just accepting that it's there. I would even go so far as to filter it out before you pipe the logfiles into your monitoring, alerting, SIEM, etc. systems.



              What you must do is keep your systems up-to-date and patched. Almost all of these attacks are using well-known and often quite old exploits. They are fishing for easy targets.



              What you should do is spend a little bit of time on hardening your system. Setting up permissions correctly, blocking unused ports, disabling unused software, running stuff under dedicated users, that kind of stuff.



              What you can do, especially for a private website with a local audience, is to block out broad IP ranges belonging to China, Russia, Europe and/or the USA, depending on where your audience isn't. The vast majority of attacks originate from these origins, and if you don't have anyone in, say, the USA who reads your webpage because your webpage is about your local dog club in Spain, you can reduce the noise just by blocking them out at the firewall. I write "can" because it doesn't make much of a difference, really, but it will reduce the noise in your log (it will also affect your Google ranking, but that's a different subject).
















                  answered Nov 6 at 13:06









                  Tom
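A pre-filter of the kind this answer describes, as an added example that is not part of the original answer: it drops probes the server rejected, counts them per source network so that rotating addresses from one range show up together, and still forwards any probe that was not rejected. The probe path list, the tag names and the function names are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
# Assumption: this site serves none of these, so a request for one is a probe.
PROBE_RE = re.compile(r"(?i)(/wp-login\.php|/phpmyadmin|/\.env|/\.git/|\.\./)")

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2018:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.99 - - [05/Nov/2018:14:01:09 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.45 - - [05/Nov/2018:14:02:30 +0000] "GET /.env HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.20 - - [05/Nov/2018:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.20 - - [05/Nov/2018:14:03:05 +0000] "POST /contact HTTP/1.1" 500 0 "-" "-"',
    'truncated or malformed line',
]

def source_network(client):
    """Map a client address to its /24 (IPv4) or /48 (IPv6) network."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return client  # hostname in the log: keep the raw field
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def triage(lines):
    """Return (forward, noise): tagged lines to send on, dropped-probe counts per network."""
    forward, noise = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            forward.append(("unparsed", line))  # never drop what cannot be read
            continue
        if not PROBE_RE.search(m["path"]):
            forward.append(("normal", line))
        elif 400 <= int(m["status"]) < 500:
            # Probe the server rejected: background noise, keep only a count.
            noise[source_network(m["ip"])] += 1
        else:
            # Probe answered with 2xx/3xx/5xx: it may have reached something.
            forward.append(("probe-not-rejected", line))
    return forward, noise
```

On the sample, the two rejected probes collapse into one count for `203.0.113.0/24`, while the `/.env` request that returned 200 is forwarded for review instead of being filtered out.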























                      up vote
                      -5
                      down vote














                      1. Block the whole country


                      2. Check ASN and its allocated IP range, and block that IP range.


                      3. Fingerprint the attacker using a user agent or a JavaScript library and attach a strong captcha when the fingerprint is detected.



                      Last but not least, secure your site and monitor attacks regularly.
















                      answered Nov 5 at 14:07









                      Moonsik Park









                      • 18

                        Blocking the whole country will prevent all its people from accessing the website. Is this really a good practice?
                        – Michaël Polla
                        Nov 5 at 16:37

                      • 11

                        No, it is definitely not a good practice ....
                        – binarym
                        Nov 5 at 16:48

                      • 6

                        No, but it's good security.
                        – DavidS
                        Nov 5 at 16:49

                      • 63

                        Even better security is obtained by blocking the entire world, i.e. disconnecting from the internet just in case.
                        – user190573
                        Nov 5 at 16:54

                      • 5

                        @MichaëlPolla Good security is only giving read permission to those who need it. If the nature of your site makes it so that no one living or vacationing in that country could possibly have any business being on your site, then there is no point wasting server resources to cater to them. As with most things with security, it's a trade-off.
                        – Tezra
                        Nov 5 at 21:54













