0

I have a production IIS running on WS2012R2 on AWS. I was looking at C:\Windows\System32\LogFiles\HTTPERR when I noticed some unusual requests in the logs. You can look at some of what they tried to request here. They even checked to see if I was running thinkphp. Now, my question is:

What is the best way to prevent this kind of request other than writing a custom solution? I noticed they would change their IP daily, but the requests that day are from the same IP.

I suppose I can keep track of all the requests made to my server and block ones with behaviors that I don't like, but I'm hoping there is something simpler.

I did look at some third party solutions that seemed to do what I need but it just doesn't sit well with me.

RisingSun
  • 103
  • 3
  • 1
    1. IMHO Requests for content that’s not there are not harmful in any way (at the worst only a nuisance). 2. Such a system already exists and is typically called an Intrusion Prevention System (IPS) – HBruijn Jun 18 '19 at 22:37
  • @HBruijn thanks for IPS. That is giving me much better results than what I was searching for. They aren't even making enough requests to affect performance at all. My OCD just doesn't want to see them lol – RisingSun Jun 18 '19 at 22:46
  • `I did look at some third party solutions that seemed to do what I need but it just doesn't sit well with me.` - Why is that? IDS/IPS vendors have very specialized solutions to combat this very thing. Why does that not sit well with you? – joeqwerty Jun 19 '19 at 01:24
  • AWS WAF might be able to help, or any other WAF. AWS WAF isn't all that mature compared with more established companies. – Tim Jun 19 '19 at 02:19
  • @joeqwerty before finding out what to search for, I was doing really generic searches and was coming across scripts from unknown sources and unknown authors. It felt off to try and secure my server with something I wasn't sure was secure or legit in the first place. IPS set me on the right search path. – RisingSun Jun 19 '19 at 15:35

1 Answer

2

If the app is intended for public use, you really cannot pick and choose your clients. An IPS might block that million-dollar customer who chose to use a VPN (or was forced to work around a government censor).
So continue to do what you're doing now: monitor your logs to confirm your defenses are holding, and be grateful that the world treats you to a new penetration test every day for free!

BobHy
  • 170
  • 6
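
The question sketches a home-grown approach (keep track of requests and block IPs whose behaviour looks like scanning) and the answer's advice is to keep monitoring the logs. The following PowerShell script is an added example that is not part of the original question or answer: it parses the HTTP.sys error log the question mentions (C:\Windows\System32\LogFiles\HTTPERR\httperr*.log), counts how many distinct URLs each client IP probed per day, reports the addresses above a threshold, and can optionally add Windows Firewall block rules for them. The threshold, the allow-list patterns, the firewall rule naming and the embedded sample log lines are assumptions made for illustration, not data from the original page.

```powershell
<#
  Added example (not from the original question or answer). Flags client IPs in
  the HTTP.sys error log that probe many distinct URLs in one day. Threshold,
  allow list, rule naming and the sample log below are assumptions.
#>
param(
    [string]   $LogDir       = 'C:\Windows\System32\LogFiles\HTTPERR',
    [int]      $UriThreshold = 10,   # distinct URIs per IP per day before an IP is flagged (assumed)
    [string[]] $AllowList    = @('10.*', '127.0.0.1', '::1'),  # wildcard patterns never flagged (assumed)
    [switch]   $UseSample,           # ignore $LogDir and analyse the constructed sample below
    [switch]   $Block                # also create Windows Firewall block rules for flagged IPs
)

# Constructed sample in the HTTPERR format: one scanner, one idle-timeout entry, one internal probe.
$SampleLog = @'
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2019-06-18 00:00:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2019-06-18 02:10:01 203.0.113.10 51234 10.0.0.5 80 HTTP/1.1 GET /thinkphp/public/index.php 400 - BadRequest -
2019-06-18 02:10:02 203.0.113.10 51235 10.0.0.5 80 HTTP/1.1 GET /TP/public/index.php 400 - BadRequest -
2019-06-18 02:10:03 203.0.113.10 51236 10.0.0.5 80 HTTP/1.1 GET /phpmyadmin/ 400 - BadRequest -
2019-06-18 02:10:04 203.0.113.10 51237 10.0.0.5 80 HTTP/1.1 GET /wp-login.php 400 - BadRequest -
2019-06-18 02:10:05 203.0.113.10 51238 10.0.0.5 80 HTTP/1.1 GET /.env 400 - BadRequest -
2019-06-18 02:10:06 203.0.113.10 51239 10.0.0.5 80 HTTP/1.1 GET /manager/html 400 - BadRequest -
2019-06-18 02:10:07 203.0.113.10 51240 10.0.0.5 80 HTTP/1.1 GET /admin/ 400 - BadRequest -
2019-06-18 02:10:08 203.0.113.10 51241 10.0.0.5 80 HTTP/1.1 GET /cgi-bin/ 400 - BadRequest -
2019-06-18 02:10:09 203.0.113.10 51242 10.0.0.5 80 HTTP/1.1 GET /solr/ 400 - BadRequest -
2019-06-18 02:10:10 203.0.113.10 51243 10.0.0.5 80 HTTP/1.1 GET /jenkins/login 400 - BadRequest -
2019-06-18 02:10:11 203.0.113.10 51244 10.0.0.5 80 HTTP/1.1 GET /console/ 400 - BadRequest -
2019-06-18 02:10:12 203.0.113.10 51245 10.0.0.5 80 HTTP/1.1 GET /phpmyadmin/ 400 - BadRequest -
2019-06-18 09:00:00 198.51.100.7 40000 10.0.0.5 80 - - - - - Timer_ConnectionIdle -
2019-06-18 09:30:00 10.0.1.22 40001 10.0.0.5 80 HTTP/1.1 GET /healthz 400 - Hostname -
'@

# Turn W3C-style HTTPERR lines into objects, using the #Fields: header for the column names.
function ConvertFrom-HttpErrLog {
    param([string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated or partially written lines
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Group by day and client IP; flag IPs that requested at least $Threshold distinct URIs.
function Find-ScannerIp {
    param([object[]] $Records, [int] $Threshold, [string[]] $Allow)
    $Records |
        Where-Object { $_.'cs-uri' -ne '-' } |              # drop idle timeouts and other no-request entries
        Group-Object -Property date, 'c-ip' |
        ForEach-Object {
            $ip   = $_.Group[0].'c-ip'
            $uris = @($_.Group.'cs-uri' | Sort-Object -Unique)
            $allowed = $false
            foreach ($pattern in $Allow) { if ($ip -like $pattern) { $allowed = $true; break } }
            if (-not $allowed -and $uris.Count -ge $Threshold) {
                [pscustomobject]@{
                    Date        = $_.Group[0].date
                    ClientIp    = $ip
                    Requests    = $_.Count
                    DistinctUri = $uris.Count
                    Reasons     = ($_.Group.'s-reason' | Sort-Object -Unique) -join ','
                    SampleUris  = ($uris | Select-Object -First 3) -join ' '
                }
            }
        }
}

# Add an inbound block rule for one address unless an identically named rule already exists.
function Add-FirewallBlock {
    param([string] $Ip)
    $name = "HTTPERR scanner $Ip"   # assumed naming convention, makes cleanup easy to script
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $Ip `
            -Action Block -Profile Any -Description "Auto-blocked $(Get-Date -Format s)" | Out-Null
    }
}

$lines = if ($UseSample -or -not (Test-Path -Path $LogDir)) {
    Write-Warning 'Using the constructed sample log, not live HTTPERR data.'
    $SampleLog -split "`r?`n"
} else {
    Get-Content -Path "$LogDir\httperr*.log"
}

$records = ConvertFrom-HttpErrLog -Lines $lines
$flagged = @(Find-ScannerIp -Records $records -Threshold $UriThreshold -Allow $AllowList)
$flagged | Format-Table -AutoSize
if ($Block) { foreach ($hit in $flagged) { Add-FirewallBlock -Ip $hit.ClientIp } }
```

Run it with -UseSample first, then point it at the live directory and add -Block only once the report flags what you expect. Two caveats follow from the thread itself: the scanners change address daily, so host-firewall rules accumulate and go stale unless they are expired, and a blocked address may be a VPN or NAT exit that a legitimate customer shares, which is the answer's objection to blocking at all. Treat the report as the product and, if you do block, prefer a short-lived rule in an IPS, WAF IP set or AWS network ACL over a permanent entry on the server.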