Wsrtjtyk

My site has been getting probed by a bunch of IPs from Morroco (trying to submit forms, trying out potential URLs, trying to execute scripts etc..), I have a strong suspicion it's the same person after observing the pattern of how they behave. Looking at the logs they don't seem to have found any vulnerabilities. I'm not sure what I should do about this other than keep observing. Blocking the IP doesn't seem useful since it seems to change.

Is there anything I can do about it at this point?

Welcome to the internet! This is the normal situation, business as usual.

You don't have to do anything, but to harden your website. Probes like that occurs all the time, on every site, day and night. Some people call that "voluntary pen testing."

Depending on your site, there are some tools that you can use to help you keep those kinds of probes out of the site. Wordpress sites have a couple plugins (you can search for Security plugins on the plugins directory), and I believe the other popular platforms out there will have equivalent plugins.

Other tool I usually employ is fail2ban. It can parse your webserver log files, and react accordingly.

The first step outside of immediately looking to a solution is to conduct a pentest of your own site and be actually aware of what weaknesses there are in your site. If you don't know what you are protecting, then how will you know to protect it?

First, look at the infrastructure such as CMS. For example, if you are using Wordpress, then there are pentesting tools for Wordpress available both as apps and cmd tools. ie Wordfence , and I've used WPscan also.

Second option is to look at tools like OWASP zaproxy and do an attack scan of your network and gain a list of vulnerabilities. Just a note that some of these could be false positives.

Your findings may mirror what has already been found but I think knowing what the vulnerabilities are in your own site is useful.

The next step is how you are finding out about these probes. If it was a manual check, you can also consider setting up some log collection system like NXLog

Work out what they are looking for, and ban their IP for a month or two if they try it on. You might also dummy up some PHP to slow them down.

Do not refer them to other sites for huge downloads, and do not leave malware for them to find.

90% will be Wordpress, PHPMyAdmin, Telephony. If they are script kiddies the same old values pop up.

Look into Fail2Ban and DenyHosts for ideas.

If you are actually running WP, harden it up with a security solution.

Only allow access to admin tools and any database by exception, and this should almost never be from an Internet address, but something local with it's own Bastion-like protection.

If I had a cent for every scan my website gets...

Literally, if you check your logs, you will notice a constant stream of automated probes and attacks. When I consult clients (I work in information security), I call this "background noise". It is there and any attempt to do anything about it is more costly than just accepting that it's there. I would even go so far as to filter it out before you pipe the logfiles into your monitoring, alerting, SIEM, etc. systems.

What you must do is keep your systems up-to-date and patched. Almost all of these attacks are using well-known and often quite old exploits. They are fishing for easy targets.

What you should do is spend a little bit of time on hardening your system. Setting up permissions correctly, blocking unused ports, disabling unused software, running stuff under dedicated users, that kind of stuff.

What you can do, especially for a private website with a local audience, is to block out broad IP ranges belonging to China, Russia, Europe and/or the USA, depending on where your audience isn't. The vast majority of attacks originate from these origins, and if you don't have anyone in, say, the USA who reads your webpage because your webpage is about your local dog club in Spain, you can reduce the noise just by blocking them out at the firewall. I write "can" because it doesn't make much of a difference, really, but it will reduce the noise in your log (it will also affect your Google ranking, but that's a different subject).

1. Block the whole country




2. Check ASN and it’s allocated IP range, and block that IP range.




3. Fingerprint the attacker using a user agent or a JavaScript library and attach a strong captcha when the fingerprint is detected.

Last but not least, secure your site and monitor attacks regularly.