DaveInUK
Posts: 25
Joined: Sat Dec 21, 2019 11:07 am
Location: Near Bath in the UK.

is this a DoS attack?

Fri May 15, 2020 12:02 pm

I have a website which is totally password protected with .htaccess.

I assume that due to the password protection I attract a great deal of random searches/attacks.

The code below shows part of a listing in "apache2/access.log" of one attack, which lasted for 101 attempts (thankfully all unsuccessful).

I have two questions:-
  • Why do they use the SAME search for all 101 attempts, is this a DoS?
  • I have searched Apache codes and cannot find the significance of the second code "737", and therefore I don't understand why it changes to "736" and then finally to "701", all for the same search?


217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 737 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 737 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 737 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 737 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 737 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 736 
217.247.112.55 - - [15/May/2020:11:40:35 +0100] 	GET /phpmyadmin/ HTTP/1.1	 401 701 
Cheers,
Dave

I'm feeling optimistic, but I'm sure something will go wrong :!:

DougieLawson
Posts: 39613
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: is this a DoS attack?

Fri May 15, 2020 3:21 pm

Not a DDos attack, just a script kiddie with a bug in their probing script.

Install fail2ban (with IIRC default settings or a small tweak to activate the "no-kiddies" jail) and you can knock those off your system in an instant.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.
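
The kind of threshold check a ban tool applies to a burst like the one in the first post, as an added example that is not part of the thread and not fail2ban's own code. It assumes the last two fields of each line are the HTTP status and the response size in bytes, as in Apache's Common Log Format; the sample lines and addresses are constructed, and the parameter names `maxretry` and `findtime` are borrowed from fail2ban's settings of the same name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout shown in the first post (tab-delimited request)
# plus the usual quoted layout. The IPs are documentation addresses, not from the thread.
SAMPLE = (
    ["203.0.113.7 - - [15/May/2020:11:40:35 +0100] \tGET /phpmyadmin/ HTTP/1.1\t 401 737 "] * 5
    + ["203.0.113.7 - - [15/May/2020:11:40:36 +0100] \tGET /phpmyadmin/ HTTP/1.1\t 401 736 "] * 2
    + ['198.51.100.9 - - [15/May/2020:11:41:02 +0100] "GET /index.html HTTP/1.1" 401 701',
       '198.51.100.9 - - [15/May/2020:11:41:09 +0100] "GET /index.html HTTP/1.1" 200 5120',
       "not a log line"]
)

# host ident user [time] request status size; the request may be quoted or tab-delimited.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]\s+"?(?P<method>[A-Z]+) (?P<path>\S+) [^"\t]*"?'
    r'\s+(?P<status>\d{3}) (?P<size>\d+|-)\s*$')

def parse(line):
    """Return a dict of fields, or None for lines that do not match the layout."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_offenders(lines, maxretry=5, findtime=60):
    """Return {ip: count} for clients with >= maxretry 401s inside findtime seconds."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == 401:          # authentication required / failed
            hits[rec["ip"]].append(rec["ts"])
    offenders, window = {}, timedelta(seconds=findtime)
    for ip, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= maxretry:
            offenders[ip] = best
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```
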

B.Goode
Posts: 10439
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: is this a DoS attack?

Fri May 15, 2020 3:43 pm

DaveInUK wrote:
Fri May 15, 2020 12:02 pm

I assume that due to the password protection I attract a great deal of random searches/attacks.


I think you have the logic of that backwards.

ANY system exposed to the global Internet will attract "a great deal of random searches/attacks".

It is your password protection that prevents those probing connection attempts from progressing to being full scale compromise or exploitation of your system.


I wouldn't categorise this as a DoS attack - just some unsolicited rattling of door handles. Harmless in itself, but who knows what the intent is should one of those doors prove to be unsecured... ? That's when participation in a DDos attack might take place.

Heater
Posts: 16334
Joined: Tue Jul 17, 2012 3:02 pm

Re: is this a DoS attack?

Fri May 15, 2020 3:56 pm

Nothing to do with your password protection or how attractive you are. And why would anyone want to DDOS you? Just a normal day on the internet.
Memory in C++ is a leaky abstraction.

DaveInUK
Posts: 25
Joined: Sat Dec 21, 2019 11:07 am
Location: Near Bath in the UK.

Re: is this a DoS attack?

Sat May 16, 2020 1:08 pm

DougieLawson wrote:
Fri May 15, 2020 3:21 pm
Not a DDos attack, just a script kiddie with a bug in their probing script.

Install fail2ban (with IIRC default settings or a small tweak to activate the "no-kiddies" jail) and you can knock those off your system in an instant.
Thanks for the suggestion, I'm still working my way through learning how to optimize the fail2ban filters. I'm sure I'll be back soon asking more questions.

Thanks also to the others who have responded. At least I'm reassured that it's "normal" :twisted:
Cheers,
Dave


DougieLawson
Posts: 39613
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: is this a DoS attack?

Sat May 16, 2020 4:00 pm

All you need to do is update /etc/fail2ban/jail.d/active-jails.conf


[apache-auth]
enabled = true

[apache-badbots]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true

[apache-nohome]
enabled = true

[apache-botsearch]
enabled = true

[apache-fakegooglebot]
enabled = true

[apache-modsecurity]
enabled = true

[apache-shellshock]
enabled = true
and it will "just work".

DaveInUK
Posts: 25
Joined: Sat Dec 21, 2019 11:07 am
Location: Near Bath in the UK.

Re: is this a DoS attack?

Sun May 24, 2020 1:32 pm

DougieLawson wrote:
Sat May 16, 2020 4:00 pm
All you need to do is update /etc/fail2ban/jail.d/active-jails.conf


and it will "just work".
Thanks for the tips.
Cheers,
Dave


bls
Posts: 729
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: is this a DoS attack?

Sun May 24, 2020 2:34 pm

DougieLawson wrote:
Sat May 16, 2020 4:00 pm
All you need to do is update /etc/fail2ban/jail.d/active-jails.conf


[apache-auth]
enabled = true

[apache-badbots]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true

[apache-nohome]
enabled = true

[apache-botsearch]
enabled = true

[apache-fakegooglebot]
enabled = true

[apache-modsecurity]
enabled = true

[apache-shellshock]
enabled = true
and it will "just work".
Is this a "Dougie file"? I don't have active-jails.conf in my fail2ban configuration. Easy enough to make the changes in /etc/fail2ban/jail.local
Pi tools:
Free your network from your router's DHCP/DNS and run it on a Pi: https://github.com/gitbls/ndm
Quickly and easily build customized-just-for-you SD Cards: https://github.com/gitbls/sdm
Easy strongSwan VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

DougieLawson
Posts: 39613
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: is this a DoS attack?

Sun May 24, 2020 7:17 pm

bls wrote:
Sun May 24, 2020 2:34 pm

Is this a "Dougie file"? I don't have active-jails.conf in my fail2ban configuration. Easy enough to make the changes in /etc/fail2ban/jail.local
Ah you have the newer version with the .local stuff.
