Excessive GET HTTP requests -- any way to block?

sneader · Post by **sneader** » 14 Mar 2013, 10:40

Seems that certain WordPress sites on our server are under some type of attack. Even password protecting the /wp-admin directory has no effect in their efforts. Here is a log snippet for just 3 seconds of activity:

74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

I've tried using PORTFLOOD and CONNLIMIT, but they are not helping. Any ideas?

- Scott

Post by **ForumAdmin** » 14 Mar 2013, 10:55

As it seems to be a search engine bot, maybe a robots.txt would suffice:
http://www.robotstxt.org/robotstxt.html

sneader · Post by **sneader** » 14 Mar 2013, 11:05

Hi Jonathan. Unfortunately, it's not a real robot, they are faking it. The reverse DNS for this IP maps to a Lunar Pages hosting server, not Microsoft. I highly doubt they will respect the robots.txt. Any other ideas appreciated.

- Scott

Post by **ForumAdmin** » 14 Mar 2013, 11:14

A ModSecurity rule of some sort that triggers csf LF_MODSEC is probably the only way to stop this type of attack

sneader · Post by **sneader** » 14 Mar 2013, 11:39

Darn, I was hoping that either PORTFLOOD or CONNLIMIT would be useful here, and that I was just doing it wrong.

- Scott

ConfigServer Community Forum

Excessive GET HTTP requests -- any way to block?

Excessive GET HTTP requests -- any way to block?

Re: Excessive GET HTTP requests -- any way to block?

Re: Excessive GET HTTP requests -- any way to block?

Re: Excessive GET HTTP requests -- any way to block?

Re: Excessive GET HTTP requests -- any way to block?