
We're currently running a PHP API (all URLs get rewritten to index.php for route handling) on an Apache Debian server.

Edit: (I think I might have landed on the wrong StackExchange for this question, so my apologies for that, came here from another question.)

The last few weeks, the amount of "web attacks" have increased quite a bit.

This includes, for example, sessions with 1000+ requests in two to three minutes to endpoints like:

  • /old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /plus/e7xue.php
  • /wp-includes/fonts/wp-login.php
  • /?XDEBUG_SESSION_START=phpstorm
  • /cgi-bin/mainfunction.cgi
  • 400+ random .php files with a payload of <?=die(@md5(Apri1));?>
  • ..

I've enabled the Apache mod_evasive module, but this results in a lot of false positives because (what I think the reason is) the normal API routes are being rewritten to the index.php file and the evasive module flags this as "same website/page" requests (?).

Security wise, I'm not 'that' worried, all our services are up-to-date, running the latest patches, the API has a security wall,.. but because of the route handling, all these requests "spin up" the API, which puts unnecessary load/stress on the server.

I've searched through forums and stuff like that, but I couldn't really find a "solution". (or it was Wordpress related with a plugin etc)

Now, coming to the actual question: What can be done about this in an efficient way?

I was thinking about putting custom handling within the API that checks for requests to "unmapped endpoints (which result in a 404)", logging the IP address and, if the threshold for the number of requests is passed, adding that IP address to the .htaccess to block it with a 'deny from' (because I don't want to enable command execution from PHP to add the IP address to the iptables, for example). But this seems inefficient, and all of this could be handled a layer higher?

I know web attacks are happening everywhere, every day, and you can't really stop them, but I just want to keep the amount of those types of requests to a minimum, because, as the "server manager", these kinds of requests are stressing me out.

Bert Maurau
  • What you are looking for is [fail2ban](https://www.fail2ban.org/) – digijay Jun 18 '20 at 13:57
  • @digijay Thanks, yeah, we're running fail2ban (for the SSH and authentication side), but since the URLs are being rewritten, our error.log stays "clean", so I skipped fail2ban because it didn't get triggered for those requests. Thanks to your comment (because apparently I've missed some config then), I looked into it and just found an article from 2012 that says 'point it to your access.log and add a conf with a regex to filter on 'bad urls''.. The simplest things sometimes.. :D Thank you! – Bert Maurau Jun 18 '20 at 21:52
  • @digijay, your comment should really be an answer. :) – Rouben Jun 19 '20 at 03:42
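The approach the comments converge on (watch access.log, not error.log, and count probe requests per IP), shown as an added Python example that is not from the question or its commenters. The probe paths are the ones listed in the question; the threshold, the time window, the log lines and the TEST-NET addresses are constructed assumptions. The same regex, with the IP group written as `<HOST>`, is the shape of a fail2ban failregex for this log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line. The API's 404s still land here even
# though mod_rewrite keeps error.log clean (the asker's observation).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Scanner paths quoted in the question; a hit counts even if the app answered 200.
PROBE_PATHS = ("/vendor/phpunit/", "/wp-includes/", "/wp-login.php",
               "/cgi-bin/", "XDEBUG_SESSION_START=")


def is_probe(path, status):
    """A request is a probe if it produced a 404 or targets a known scanner path."""
    return status == 404 or any(p in path for p in PROBE_PATHS)


def offending_ips(lines, threshold=20, window=timedelta(minutes=3)):
    """Return the IPs that made >= threshold probe requests inside any `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m["path"], int(m["status"])):
            hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    banned = set()
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                banned.add(ip)
                break
    return banned


def sample_log():
    """Constructed sample (TEST-NET addresses): one scanner, one normal API client."""
    fmt = '{ip} - - [18/Jun/2020:13:00:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 233 "-" "curl/7.64"'
    scanner = [fmt.format(ip="203.0.113.7", s=i, path=f"/r{i}.php", st=404) for i in range(25)]
    client = [fmt.format(ip="198.51.100.5", s=i, path="/api/users", st=200) for i in range(5)]
    client.append(fmt.format(ip="198.51.100.5", s=40, path="/api/typo", st=404))
    return scanner + client


if __name__ == "__main__":
    print(offending_ips(sample_log()))   # {'203.0.113.7'}
```

A client that merely mistypes one route stays below the threshold, which is the false-positive case mod_evasive got wrong on the rewritten index.php.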
