• Resolved gagomap

    (@gagomap)


    Hi,
    NinjaFirewall doesn’t block this scanning. Fortunately, fail2ban stops it.

    176.9.64.220 - BYPASS [23/Oct/2015:07:29:21 +0700] dautu365.com "GET /wp-includes/pomo/ HTTP/1.0" 403 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:21 +0700] dautu365.com "GET /wso.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:22 +0700] dautu365.com "GET /ww.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:23 +0700] dautu365.com "GET /ss.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:23 +0700] dautu365.com "GET /wp-content/uploads/_wp_cache.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 403 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:24 +0700] dautu365.com "GET /wp-includes/ms-default-base.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:25 +0700] dautu365.com "GET /wp-content/uploads/_tmp_cache.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 403 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:25 +0700] dautu365.com "GET /wp-includes/wp-xml.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:26 +0700] dautu365.com "GET /wp-includes/wp-css.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 404 162 "-" "-"
    176.9.64.220 - BYPASS [23/Oct/2015:07:29:31 +0700] dautu365.com "GET /wp-content/uploads/407.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 403 162 "-" "-"

    https://www.ads-software.com/plugins/ninjafirewall/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    It can block it, but only if the file exists. See this discussion for more details.

    Thread Starter gagomap

    (@gagomap)

    Thanks,
    But NF doesn’t block the Ahrefs bot, I still see it in the nginx log (HIT).

    Plugin Author nintechnet

    (@nintechnet)

    That is strange, because it blocks it too, with rule 531.
    Here is a sample of NinjaFirewall’s log:

    17/Oct/15 12:48:12  #5711715  medium 531 188.165.15.xx GET /blog/index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +https://ahrefs.com/robot/)]

    Note that even if the firewall blocks it, you will still see it in your HTTP logs. The return code should be the one sent by NinjaFirewall (‘403 Forbidden’ by default, unless you changed it), not a ‘200 OK’.

    Thread Starter gagomap

    (@gagomap)

    No, I don’t see anything like that sample in NF’s log.

    This is my nginx log:
    188.165.15.41 - HIT [22/Oct/2015:15:42:30 +0700] dautu365.com "GET /robots.txt HTTP/1.1" 200 66 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.0; +https://ahrefs.com/robot/)"

    Plugin Author nintechnet

    (@nintechnet)

    That’s normal, it is calling a .txt file. NinjaFirewall works with PHP, hence it won’t filter or block a request sent to your robots.txt.

    Why don’t you block it with Nginx?
    Open your /etc/nginx/nginx.conf and add the following:

    # Reject useless bots:
    map $http_user_agent $block_ua {
       default      0;
       ~*AhrefsBot/ 1;
       ~*MJ12bot/   1;
    }

    And inside your vhost configuration file:

    if ($block_ua) {
       return 444;
    }

    Then reload Nginx.

    Thread Starter gagomap

    (@gagomap)

    Thanks,
    I will check all of my nginx blacklist. Maybe I forgot to add it.

  • The topic ‘Ninja Firewall don't stop this attack’ is closed to new replies.
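
An added example, not code from the thread or from NinjaFirewall: a small audit of an access log in the layout shown above that flags IPs producing a burst of 403/404 answers (the kind of counting fail2ban does) and lists requests from the user agents in the `map` block that were answered with anything other than 444. The function name `audit`, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout as in the thread: ip - cache [time] host "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] \S+ "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"')
BLOCKED_UA = re.compile(r'AhrefsBot/|MJ12bot/', re.I)  # same patterns as the map block
MAX_ERRORS, FIND_TIME = 5, timedelta(seconds=60)       # assumed thresholds, tune per site

def audit(lines):
    """Return (IPs that hit the error-burst threshold, blocked-UA requests still served)."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 403/404 answers
    scanners, leaked = set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not in the expected layout, skip it
        when = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        status = int(m['status'])
        if status in (403, 404):
            q = recent[m['ip']]
            q.append(when)
            while when - q[0] > FIND_TIME:   # drop errors older than the window
                q.popleft()
            if len(q) >= MAX_ERRORS:
                scanners.add(m['ip'])
        # With "return 444" active nginx logs status 444 for these agents;
        # any other status means the request was not rejected by that rule.
        if BLOCKED_UA.search(m['ua']) and status != 444:
            leaked.append((m['ip'], m['path'], status))
    return scanners, leaked

# Constructed sample lines (documentation IPs and host, not real traffic).
PROBES = ['/wso.php', '/ww.php', '/ss.php', '/wp-includes/wp-xml.php', '/wp-includes/wp-css.php']
SAMPLE = ['203.0.113.7 - BYPASS [23/Oct/2015:07:29:%02d +0700] example.com '
          '"GET %s?x=1 HTTP/1.0" 404 162 "-" "-"' % (21 + i, p) for i, p in enumerate(PROBES)]
SAMPLE += [
    '198.51.100.9 - HIT [22/Oct/2015:15:42:30 +0700] example.com "GET /robots.txt HTTP/1.1" '
    '200 66 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.0; +https://ahrefs.com/robot/)"',
    '198.51.100.9 - - [22/Oct/2015:15:50:02 +0700] example.com "GET /blog/ HTTP/1.1" '
    '444 0 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5)"',
    '192.0.2.44 - MISS [23/Oct/2015:07:30:00 +0700] example.com "GET /missing.png HTTP/1.1" '
    '404 162 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print(audit(SAMPLE))
```

Running it over the log after reloading Nginx shows whether the `if ($block_ua)` rule is actually in the vhost that serves the request: an empty second list means every matching agent was dropped.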