1

I lack the ability to formulate my problem, otherwise I'd probably find the solution.

I notice there are quite a number of pointless requests in my access log

```
:~/$ cat /var/log/apache2/access.log | grep -P "GET / HTTP/1.1. 403 \d+ .-. .-." | wc -l
23358
```

That's for like a bunch of hours. It's clearly not an attack of any kind since those are like a walk in the park for just about any server. I'm really curious to understand what might be causing this.

```
:~/$ cat /var/log/apache2/access.log | grep -P "GET / HTTP/1.1. 403 \d+ .-. .-." | head
x.y.225.125 - - [27/Aug/2020:06:25:06 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:07 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.245.189 - - [27/Aug/2020:06:25:13 +0300] "GET / HTTP/1.1" 403 15081 "-" "-"
x.y.245.189 - - [27/Aug/2020:06:25:13 +0300] "GET / HTTP/1.1" 403 15081 "-" "-"
x.y.245.189 - - [27/Aug/2020:06:25:13 +0300] "GET / HTTP/1.1" 403 15081 "-" "-"
x.y.245.189 - - [27/Aug/2020:06:25:13 +0300] "GET / HTTP/1.1" 403 15081 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:19 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:19 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:30 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:30 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
```

All of the requests are coming from about 10 IPs in total.

php_nub_qq

2 Answers

1

Probably a bot checking some public proxies if they are working or not.

ilkhd
  • Well that's a lot of checking. For yesterday there are like 100k requests. It seems unlikely to me that a dozen bots would have picked exactly my website to test on. – php_nub_qq Aug 27 '20 at 14:15
  • What you need then, is a small investigation about the hosts that are trying to access your site. Check what country they are located in, check whois records for the IP addresses, and try to contact the admins. – ilkhd Aug 27 '20 at 14:31
1

The 403 return code means the requested resource access is forbidden.

So it seems that something is trying to check if the access is back, on a regular basis.

Déjà vu
  • Well it is a service that requires login, so the home page will never be back. Doesn't make very much sense I think. I mean a bot would never know, but checking a couple times a minute is a little over the limit for such bots, no? – php_nub_qq Aug 27 '20 at 14:19
  • Oh you know, the scripts that try to access a page are pretty stubborn, and they try and try again ... – Déjà vu Aug 27 '20 at 14:20
  • No doubt, but it's pretty weird some of those addresses come from my ISP's network. It could be some hacked PCs but still it doesn't make sense to me. – php_nub_qq Aug 27 '20 at 14:20
  • Did you use one of the many sites that offer to check what an IP is, who/where? Try also (on Linux) `host IP` that does a reverse DNS query, and the domain name (if defined) might give you a hint... If it's not indiscreet, give us **one** IP? – Déjà vu Aug 27 '20 at 14:22
  • Yep, I even contacted my ISP; for the IPs I asked about, they told me they use them to mask users' IPs, but that's not all from the list. – php_nub_qq Aug 27 '20 at 14:23
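
As an added example (not code from the question or from either answer), here is a Python script for the first step of the per-host investigation suggested in the comments: it groups the `GET /` 403s with empty Referer and User-Agent by client and reports count, same-second repeats and the median gap between requests. The name `summarize` and the report keys are assumptions made here; the sample holds seven lines from the question's excerpt plus one constructed line.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# The first seven lines come from the excerpt in the question; the last one is constructed.
SAMPLE = """\
x.y.225.125 - - [27/Aug/2020:06:25:06 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:07 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.245.189 - - [27/Aug/2020:06:25:13 +0300] "GET / HTTP/1.1" 403 15081 "-" "-"
x.y.245.189 - - [27/Aug/2020:06:25:13 +0300] "GET / HTTP/1.1" 403 15081 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:19 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:19 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
x.y.225.125 - - [27/Aug/2020:06:25:30 +0300] "GET / HTTP/1.1" 403 14779 "-" "-"
192.0.2.7 - - [27/Aug/2020:06:25:31 +0300] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
""".splitlines()

def summarize(lines, request="GET / HTTP/1.1", status="403"):
    """Per-client stats for hits with this request line and status and empty Referer/User-Agent."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or (m["req"], m["status"], m["ref"], m["ua"]) != (request, status, "-", "-"):
            continue  # unparsable line, or not the pattern being investigated
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["host"]].append((ts, m["size"]))
    report = {}
    for host, hits in seen.items():
        times = sorted(t for t, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        spaced = [g for g in gaps if g > 0]
        report[host] = {
            "count": len(times),
            "first": times[0], "last": times[-1],
            "same_second_repeats": len(gaps) - len(spaced),  # hits logged in the same second
            "median_gap_s": median(spaced) if spaced else None,  # rough polling period
            "sizes": sorted({size for _, size in hits}),  # distinct response sizes per client
        }
    return report

if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(host, s["count"], s["same_second_repeats"], s["median_gap_s"], s["sizes"])
```

On the full log, pass an open file handle instead of `SAMPLE`; the hosts at the top of the report are the ones worth a whois or reverse DNS lookup.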