
We get bombarded with random POSTs and GETs; mostly they 500 because of an invalid authenticity token (the POSTs):

```
Started POST "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" for 45.146.165.123 at 2021-06-29 04:15:39 -0400
I, [2021-06-29T04:15:39.769996 #2050]  INFO -- : [be4241b9-0494-4fb5-b434-2d11038017f1] Processing by HomeController#index as
I, [2021-06-29T04:15:39.770109 #2050]  INFO -- : [be4241b9-0494-4fb5-b434-2d11038017f1]   Parameters: {"<?"=>"md5(\"phpunit\")?>", "path"=>"vendor/phpunit/phpunit/src/Util/PHP/eval-stdin"}
W, [2021-06-29T04:15:39.790171 #2050]  WARN -- : [be4241b9-0494-4fb5-b434-2d11038017f1] Can't verify CSRF token authenticity.
I, [2021-06-29T04:15:39.833066 #2050]  INFO -- : [be4241b9-0494-4fb5-b434-2d11038017f1] Completed 422 Unprocessable Entity in 53ms (MongoDB: 0.0ms)
F, [2021-06-29T04:15:39.916526 #2050] FATAL -- : [be4241b9-0494-4fb5-b434-2d11038017f1]
F, [2021-06-29T04:15:39.916666 #2050] FATAL -- : [be4241b9-0494-4fb5-b434-2d11038017f1] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
```

If we implement this solution:

Intermittent Rails 5 ActionController::InvalidAuthenticityToken

Then we let the bot know that we are redirecting. Is this bad? If so, is there a better way to keep them at bay without flooding our prod logs with 500s?

Thanks, Kevin

user1130176
  • You could filter some of those before rails. In your nginx, for example. If path ends with `.php`, then render your canned response and don't proxy this request to rails. – Sergio Tulentsev Jun 29 '21 at 13:11
  • If you can't handle it on the web server layer (which is still the best solution performance wise) you can use [Rack::Attack](https://github.com/rack/rack-attack) to filter out the requests before they reach your rails apps. – max Jun 29 '21 at 22:32
  • Also if you're curious this attacker is trying to exploit [CVE-2017-9841](https://nvd.nist.gov/vuln/detail/CVE-2017-9841). – max Jun 29 '21 at 22:37
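As an added example (not code from the question or the comments), here is a minimal Rack middleware that does what the comments suggest without the Rack::Attack gem: it answers any `.php` path with a canned 404 before Rails runs its CSRF check, so a probe like the one in the log above never reaches `HomeController` and never raises `InvalidAuthenticityToken`. The class name `PhpProbeFilter`, the stub app and the sample paths are assumptions made for this example.

```ruby
# Added example: a Rack middleware that short-circuits requests for PHP paths
# before they reach the Rails stack. Install it in config/application.rb with
#   config.middleware.insert_before 0, PhpProbeFilter
# (PhpProbeFilter is a name chosen here, not a Rails or Rack::Attack identifier).
class PhpProbeFilter
  # A Rails app has no reason to serve *.php; match case-insensitively at the end.
  PHP_PATH = /\.php\z/i

  def initialize(app)
    @app = app
  end

  # Rack entry point: env is the request environment hash.
  def call(env)
    if self.class.probe?(env["PATH_INFO"])
      # A bodyless 404 gives the scanner nothing and leaves no backtrace in the log.
      return [404, { "content-type" => "text/plain" }, []]
    end
    @app.call(env)
  end

  # True when the request path ends in .php (query string stripped defensively).
  def self.probe?(path)
    path.to_s.split("?").first.to_s.match?(PHP_PATH)
  end
end

# Stand-alone demo with a stub app in place of Rails and constructed sample paths.
if $PROGRAM_NAME == __FILE__
  app = PhpProbeFilter.new(->(_env) { [200, {}, ["rails app"]] })
  ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/", "/index.PHP"].each do |p|
    status, = app.call("PATH_INFO" => p, "REQUEST_METHOD" => "POST")
    puts "#{p.ljust(55)} -> #{status}"
  end
end
```

The same match done in nginx (a `location ~* \.php$ { return 404; }` block) keeps the request off the Ruby process entirely, which is the performance argument made in the first comment; the middleware is the fallback when you cannot touch the web server.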
