Dealing with hacking attempts in my SaaS

Here’s a snippet of our access logs today:

172.31.17.65 - - [13/Sep/2018:09:26:45 +0000] "GET /java.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:46 +0000] "GET /db_cts.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:47 +0000] "GET /logon.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:48 +0000] "GET /license.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:49 +0000] "GET /hell.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:50 +0000] "GET /x.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:03 +0000] "GET /lala.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:10 +0000] "GET /muhstik.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:11 +0000] "GET /muhstiks.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:12 +0000] "GET /lol.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:14 +0000] "GET /uploader.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:15 +0000] "GET /cmx.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:16 +0000] "GET /cmdd.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:19 +0000] "GET /knal.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:19 +0000] "GET /cmd.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:19 +0000] "GET /shell.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"

(I’ve truncated the list - it is much longer).

A lot of different PHP paths are accessed in a short period. I guess someone is running a penetration testing tool on our site.

This happens quite often.

It doesn’t seem to be doing any real harm, as far as I can tell. However, I still wonder if there is a best practice for handling this type of traffic?

Temporarily blacklisting the IP address is one approach I considered.

Someone’s just probing for known vulnerabilities.

  1. Get behind a WAF (web application firewall) that will filter suspicious requests if this bothers you. CDN providers like Cloudflare or AWS (which also has a WAF offering) have this.

  2. If you want to build something yourself rather than paying for a cloud offering, having a load balancer/reverse proxy in front of your web server is a good alternative (so hackers will hack this front server, not the actual production machine). A $3.5/month Amazon “Lightsail” server with an nginx reverse proxy will do. But I’d stick with option 1.

2 Likes

The source IP belongs to the private 20-bit block described in RFC 1918, so it’s useless to block that IP address, IMHO. Are you already behind a balancer or proxy? You can set up your web server to log using the “X-Forwarded-For” header, which should contain the correct IP address of the remote user (assuming a correctly configured proxy). Alternatively, you’ll have to check the real IP in the proxy’s logs.

As for the main issue, I also deal with stuff like this on a semi-regular basis. I use the CSF firewall, which you can set up to do some automatic IP banning; it also has a deny file where I regularly add these kinds of IPs, which in turn completely blocks access for that IP.
Other than that, I don’t think there’s much you can do to stop these completely. The best thing to do is make sure you have a well-built and secured app and that you thoroughly sanitize all inputs. Also, +1 on @jitbit’s recommendations.

1 Like

Thanks, that’s some good advice.

I took a quick look at AWS WAF and it seems to be exactly what I need to deal with the problem.

I get this daily. I even got a user that signed up and tried lots of SQL injections and XSS attacks. As far as I know, those are hacker bots; once they get your website added to their list, they will keep trying everything they know.

What tech stack are you using? Most web frameworks have some good libraries for locking down apps from common attacks.

For example, Rails has built-in CSRF, SQL injection, CSP, and more. There are also good third-party libraries like Brakeman that can help scan your app for common vulnerabilities.

Hello,

I’m not sure, but maybe Fail2Ban can help you block all these attempts. Here you can read how to block Apache2 and nginx requests using Fail2Ban: https://nichteinschalten.de/apache-nginx-404-fail2ban-regex/

P.S.: Where are you hosting your SaaS? A VPS, or something managed like Heroku?

1 Like
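As an added example for the Fail2Ban suggestion above (this is not from the original post, from the linked article, or from Fail2Ban itself): a filter and jail written for the exact log layout pasted at the top of the thread. The important detail is where `<HOST>` goes. The first field of those lines is the proxy’s private 172.31.x.x address, which Fail2Ban would otherwise extract and ban; the real client is the last quoted field, the X-Forwarded-For value the proxy appended. The file names, jail name, log path and thresholds below are assumptions to adapt.

```ini
# /etc/fail2ban/filter.d/proxied-404-scan.conf  (assumed file name)
# Matches a 404 and takes <HOST> from the LAST quoted field of the line, i.e.
# the X-Forwarded-For value. If that header holds several hops ("client, hop1"),
# only the last element, appended by the trusted edge proxy, is used; the first
# element is attacker-controlled. A leading ".*" skips the timestamp, which
# Fail2Ban may already have consumed when it parsed the date.
[Definition]
failregex = ^\S+ - \S+ .*"(?:GET|POST|HEAD) \S+ HTTP/[\d.]+" 404 \d+ "[^"]*" "[^"]*" "(?:[^"]*, *)?<HOST>"$
ignoreregex =

# /etc/fail2ban/jail.d/proxied-404-scan.conf  (assumed file name and path)
# 20 or more 404s from one client inside 60 seconds earns a one-hour ban.
[proxied-404-scan]
enabled  = true
filter   = proxied-404-scan
logpath  = /var/log/nginx/access.log
maxretry = 20
findtime = 60
bantime  = 3600
```

Test the filter against the log before enabling the jail with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/proxied-404-scan.conf`; it should report the 132.232.147.108 lines as matches and never a 172.31.x.x address. One caveat that matters on AWS: the default Fail2Ban action inserts an iptables rule on the instance, but behind a load balancer the instance only ever sees the balancer’s private address, so a rule against the header IP matches no packets and the ban does nothing. Either give the jail an action that blocks at the edge (an AWS WAF IP set or a network ACL), return a 403 from the proxy for banned addresses, or run the jail on the front proxy that sees the true source address. And only trust the header at all if the proxy is the sole path to the web server, otherwise a client can set X-Forwarded-For itself and get an arbitrary address banned.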

Thanks all.

I’m hosting on AWS. I’m using the Java Spark framework.

My biggest issue with this traffic is that it pollutes the logs with thousands of 404s that have nothing to do with our app. This makes it hard for us to spot the 404s that are a result of our programming errors.
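The log-pollution problem in the last post, together with the X-Forwarded-For point made earlier in the thread, can be handled offline with a small log triage script. The following is an added example, not code from the original poster or from the Java Spark project. It assumes the log layout pasted at the top of the thread (the proxy’s private address first, the X-Forwarded-For value as the last quoted field, set by a single trusted proxy), flags any client that produces a burst of 404s as a scanner, suppresses those 404s plus any request for a file type a Java app never serves, and leaves only the 404s that are plausibly programming errors. The thresholds, the “foreign” extension list and the constructed sample lines are assumptions.

```python
"""Split scanner noise from real application 404s in a proxied access log.

Added example for this thread (not code from the original poster).  It assumes
the log layout pasted above: the first field is the proxy's private address and
the LAST quoted field is the X-Forwarded-For value set by a single trusted
proxy, so the last comma-separated element of that field is the real client.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<proxy>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    # X-Forwarded-For is "client, hop1, hop2": every hop appends the peer that
    # connected to it, so only the element appended by the trusted edge can be
    # believed.  With one trusted proxy that is the LAST element; the first
    # element is attacker-controlled and must never be used for blocking.
    client = e["xff"].split(",")[-1].strip()
    e["client"] = client if client not in ("", "-") else e["proxy"]
    return e


def classify_404s(lines, threshold=10, window=timedelta(seconds=60),
                  foreign_ext=(".php", ".asp", ".aspx", ".cgi")):
    """Return (scanners, noise, real).

    scanners: {client_ip: time of first 404 in the burst} for clients that hit
              `threshold` or more 404s inside any `window`.
    noise:    404 events from scanners, or for paths with an extension the app
              never serves (foreign_ext assumes a Java app, as in the thread).
    real:     the remaining 404s, i.e. the ones worth triaging as app bugs.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    not_found = [e for e in events if e["status"] == 404]

    stamps_by_client = defaultdict(list)
    for e in not_found:
        stamps_by_client[e["client"]].append(e["ts"])

    scanners = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):           # sliding window over time
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                scanners[client] = stamps[start]
                break

    noise, real = [], []
    for e in not_found:
        path = e["path"].split("?", 1)[0].lower()
        if e["client"] in scanners or path.endswith(foreign_ext):
            noise.append(e)
        else:
            real.append(e)
    return scanners, noise, real


# Sample input: 12 lines taken from the log excerpt in this thread, plus four
# CONSTRUCTED lines (a spoofed multi-hop X-Forwarded-For, a legitimate app 404,
# a 200 and a lone probe) using documentation-range addresses.
SAMPLE = """\
172.31.17.65 - - [13/Sep/2018:09:26:45 +0000] "GET /java.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:46 +0000] "GET /db_cts.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:47 +0000] "GET /logon.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:48 +0000] "GET /license.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:49 +0000] "GET /hell.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:26:50 +0000] "GET /x.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:03 +0000] "GET /lala.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:10 +0000] "GET /muhstik.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:11 +0000] "GET /muhstiks.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:12 +0000] "GET /lol.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:19 +0000] "GET /cmd.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:19 +0000] "GET /shell.php HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:27:20 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 1446 "-" "Mozilla/5.0" "198.51.100.9, 132.232.147.108"
172.31.17.65 - - [13/Sep/2018:09:30:02 +0000] "GET /api/v1/widgets/42 HTTP/1.1" 404 18 "https://app.example/widgets" "Mozilla/5.0" "203.0.113.7"
172.31.17.65 - - [13/Sep/2018:09:30:03 +0000] "GET /api/v1/widgets/43 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
172.31.17.65 - - [13/Sep/2018:09:40:00 +0000] "GET /wp-login.php HTTP/1.1" 404 1446 "-" "curl/7.58.0" "192.0.2.33"
""".splitlines()

if __name__ == "__main__":
    scanners, noise, real = classify_404s(SAMPLE)
    for ip, first in scanners.items():
        print(f"scanner {ip}: burst started {first.isoformat()}")
    print(f"{len(noise)} noisy 404s suppressed, {len(real)} left to triage:")
    for e in real:
        print(f"  {e['client']} {e['method']} {e['path']} referer={e['referer']}")
```

On the sample input the only scanner is 132.232.147.108 (the `/phpmyadmin/` line is attributed to it even though a spoofed first hop was prepended to the header), the lone `/wp-login.php` probe is dropped by the extension rule, and the one 404 that survives is `/api/v1/widgets/42`, which comes with a referer from your own site and is exactly the kind of entry the final post wants to see. The `scanners` dict is also the list you would feed to an AWS WAF IP set; the burst rule keeps a single stray 404 from a real user off that list.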