For the first time in a number of years, I'm semi-responsible for helping out with the server administration of a PHP web application (served out using Apache).
We're seeing a number of requests for invalid URLs, which I assume are malware/exploit related probes. Things like:

    r/www/cache/static/home/img/logos/nuomi_ade5465d.png
    cgi-bin/test.sh
    cgi-sys/entropysearch.cgi

etc.
I'd like to block these requests, both to stick it to the bad actors, but more importantly to clear out my logs. To that end, I have a few questions:

1. Will, in general, blocking by IP address work? I know it's been a long time since "IP Address == unique device on Internet", but I'm wondering if these sort of probes generally come from the sort of networks where it'd be safe for me to just block them outright.
2. If I can't block by IP address, does anyone maintain a list of URLs that bad actors generally probe for so I can block by URL?
3. Re: #2 — If I was going to handle this blocking at the server level, which Apache module is right for this sort of thing? (mod_rewrite, mod_security)
4. Is there a better way to block these requests other than by IP or URL?
5. Also, the system is hosted on EC2 — does Amazon offer any help with this sort of thing?
Best Answer
1. Blocking IP addresses will be a race you can't possibly win. These requests usually come from botnets or hacked systems. I would suggest blocking IPs just as a temporary solution to a concrete incident where the requests cause problems on your side.
2. I'm not aware of such a list.
3. Both will work. But I assume (not tested) that just ignoring the requests will actually be less CPU intensive.
4. Use a reverse proxy (e.g. Varnish or even mod_cache) to cache negative hits (404), so that requests to the same (non-existing) URLs can be handled very fast and don't require checking the filesystem every time.
5. Unaware.
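An added example (not from the question or the answer above) of the mod_rewrite route from point 3, extended to also keep the probes out of the main access log, which was the asker's main concern. It assumes the three probe paths quoted in the question, a vhost (server) context where mod_setenvif and mod_rewrite are loaded, and the `APACHE_LOG_DIR` variable that Debian-style installs define; the environment variable name `probe` is a hypothetical choice.

```apache
# Mark requests for known probe paths with an env var named "probe" (hypothetical name).
# The path list is the one from the question; extend it as new probes show up in probes.log.
SetEnvIf Request_URI "^/cgi-bin/test\.sh$"                    probe
SetEnvIf Request_URI "^/cgi-sys/entropysearch\.cgi$"          probe
SetEnvIf Request_URI "^/r/www/cache/static/home/img/logos/"   probe

# Answer marked requests with a bare 404 before the PHP application is ever invoked.
# A non-3xx status in R= drops the substitution and stops rewriting, as L does.
RewriteEngine On
RewriteCond %{ENV:probe} =1
RewriteRule .* - [R=404,L]

# Keep the main log clean; route the probes to their own file for occasional review.
CustomLog ${APACHE_LOG_DIR}/access.log combined env=!probe
CustomLog ${APACHE_LOG_DIR}/probes.log combined env=probe
```

Check with `apachectl configtest` before reloading, and review probes.log periodically rather than blocking by IP, since the answer's point about botnet sources means the IPs will keep changing.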