Mitigating attacks on proxy-subdomains-vhost.localhost
I'm getting a DSKA (Distributed Script Kiddie Attack) on proxy-subdomains-vhost.localhost, mostly probing for WordPress vulnerabilities, PHP shells, and exposed credentials. At 100+ per second that's swamping my little VPS. Unfortunately, the logs just show the request, not the domain that the request is being posted to.
I'm wondering if there's a good way to mitigate these attacks. So far the best strategy I've come up with is a daemon to scan the logs, then extract and block IP addresses from there.
-
Hey there! If you're getting traffic at the 100 connections per second level, that will be too much for any software firewall to handle. You'd need to look into external solutions such as a hardware firewall or something like Cloudflare to absorb that traffic, as nothing on the server side will be able to deal with that level of traffic.
0 -
Hi Rex,
Actually, I have a pretty aggressive custom WAF that connects to CSF. There's usually only a handful of source IPs, often from things like Tor exit nodes, and when they misbehave I block the whole subnet. I've also got a long list of bad actor ASNs (hello ByteDance) that get blocked on sight. On my sites, the WAF runs before every request gets to the site and it's been pretty effective. Unfortunately, I can't do that with these requests. I can probably write some ModSecurity rules and have LFD pick the attack up, but there's a lot of latency there, and the attacks go away shortly after the server is slammed. LFD will also take several iterations before it takes the subnet out; I want to do that as soon as I see the issue.
I'm thinking something LFD-like that reads the Apache logs for the proxies, looks for badness (wp-.*\.php would do it), and then tosses the originating subnets into the naughty room for a couple of hours. But I'd like to avoid something that's polling if at all possible. I can throttle it if the load factor is under a normal operating level so it isn't adding much background load but that's still not my preferred approach.
Right now my WAF uses PHP's auto_prepend_file, which is a little limiting. I'm working on making it callable as a service so I can access it from non-PHP (and ancient PHP) applications, but that's going to take some time.
0 -
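An added example of the LFD-like scanner the post above sketches (this is not code from the thread, from cPanel, or from CSF/LFD): it reads Apache combined-format lines, flags requests for wp-*.php, /wp-content/ or /wp-includes/ paths, collapses each offending client to its /24 (or /64 for IPv6), and emits a csf temporary-deny command with a two-hour TTL the first time a subnet misbehaves. It reads from stdin rather than polling a file, so it can be attached as an Apache piped log target inside the proxy vhost's <VirtualHost> block, which also sidesteps the missing-Host-in-logs problem because only that vhost's lines reach it. Assumptions: the default "combined" LogFormat, the `csf -td <addr> <ttl> <comment>` syntax with CIDR accepted (check your csf build), the hypothetical script path /usr/local/bin/wp_probe_block.py, and constructed sample log lines using documentation address ranges.

```python
#!/usr/bin/env python3
"""Flag WordPress probes against a vhost that never serves WordPress, collapse
the source IPs to subnets, and emit temporary CSF deny commands with a TTL.

Usage as an Apache piped log (hypothetical path, put it inside the proxy vhost):
    CustomLog "|/usr/local/bin/wp_probe_block.py" combined
The script prints csf commands; it never executes them itself."""
import ipaddress
import re
import sys
import time
from collections import defaultdict

# Apache "combined" format: ip identd user [timestamp] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths with no legitimate use on the proxy/service-subdomain vhost:
# wp-<anything>.php (the poster's wp-.*\.php), plus /wp-content/ and /wp-includes/.
PROBE_RE = re.compile(r'(?:^|/)wp-[^?\s]*\.php(?:$|[/?])|/wp-(?:content|includes)/', re.IGNORECASE)

BAN_SECONDS = 2 * 60 * 60  # "a couple of hours"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    return PROBE_RE.search(path) is not None


def source_subnet(ip_text):
    """Collapse a client address to the subnet that gets banned: /24 for IPv4, /64 for IPv6."""
    ip = ipaddress.ip_address(ip_text)
    return ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)


def csf_tempdeny(net, ttl):
    # csf -td <addr> <ttl> <comment>: temporary deny, lifted by csf after ttl seconds.
    # Assumption: this csf build accepts CIDR here; if not, deny individual IPs instead.
    return f"csf -td {net} {ttl} WordPress probe on proxy vhost"


class ProbeBlocker:
    """Tracks offending subnets and their ban expiry; threshold=1 bans on first sight."""

    def __init__(self, threshold=1, ban_seconds=BAN_SECONDS):
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.hits = defaultdict(int)  # subnet -> offending requests seen so far
        self.banned = {}              # subnet -> epoch seconds when the ban lapses

    def expire(self, now):
        for net, until in list(self.banned.items()):
            if until <= now:
                del self.banned[net]

    def feed(self, line, now=None):
        """Return a csf command if this line triggers a new ban, else None."""
        now = time.time() if now is None else now
        self.expire(now)
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            return None
        try:
            net = source_subnet(rec["ip"])
        except ValueError:  # unparsable client address, nothing to ban
            return None
        if net in self.banned:
            return None
        self.hits[net] += 1
        if self.hits[net] < self.threshold:
            return None
        self.banned[net] = now + self.ban_seconds
        del self.hits[net]
        return csf_tempdeny(net, self.ban_seconds)


# Constructed sample log lines (RFC 5737 / RFC 3849 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-content/plugins/shell.php HTTP/1.1" 404 196 "-" "curl/7.88"',
    '198.51.100.20 - - [10/Oct/2023:13:55:38 +0000] "GET /cpanel HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '2001:db8:1::5 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.50 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def run_sample(now=1_700_000_000):
    """Feed the constructed lines at a fixed time and return the commands that would be run."""
    blocker = ProbeBlocker()
    return [cmd for cmd in (blocker.feed(l, now=now) for l in SAMPLE_LOG) if cmd]


def main():
    blocker = ProbeBlocker()
    for line in sys.stdin:
        cmd = blocker.feed(line)
        if cmd:
            print(cmd, flush=True)


if __name__ == "__main__":
    main()
```

On the constructed sample this produces exactly two commands, one for 203.0.113.0/24 and one for 2001:db8:1::/64: the second and fifth lines come from an already-banned subnet and the /cpanel request is ignored. Wire the printed commands to a shell (for example pipe stdout into `sh`) only after confirming the CIDR form of `csf -td` on your install, and keep the threshold at 1 only on a vhost where, as agreed in this thread, no wp-* request is ever legitimate.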
This is my exact problem. Just to clarify, even on a server that hosts numerous WordPress sites, there's no reason whatsoever a valid request to proxy-subdomains-vhost.localhost would refer to /wp-content or /wp-includes or whatever, as that file is *solely* for service subdomains (which don't use WordPress)?
It's safe to block all such traffic?
0 -
Sure - like you said, there's really no reason that would ever be legitimate traffic so feel free to block that!
0 -
Any suggestions on how we'd block those requests? In the Apache configuration, I guess. Or is there a better alternative?
0 -
Is it *always* the service subdomains? If so, could you disable those if your users aren't using those? They can be disabled through WHM >> Tweak Settings.
0