
Excessive GET HTTP requests -- any way to block?

Posted: 14 Mar 2013, 10:40
by sneader
Seems that certain WordPress sites on our server are under some type of attack. Even password protecting the /wp-admin directory has no effect in their efforts. Here is a log snippet for just 3 seconds of activity:

74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:14 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
74.50.26.15 - - [14/Mar/2013:05:37:15 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

I've tried using PORTFLOOD and CONNLIMIT, but they are not helping. Any ideas?

- Scott

Re: Excessive GET HTTP requests -- any way to block?

Posted: 14 Mar 2013, 10:55
by ForumAdmin
As it seems to be a search engine bot, maybe a robots.txt would suffice:
http://www.robotstxt.org/robotstxt.html

Re: Excessive GET HTTP requests -- any way to block?

Posted: 14 Mar 2013, 11:05
by sneader
Hi Jonathan. Unfortunately, it's not a real robot, they are faking it. The reverse DNS for this IP maps to a Lunar Pages hosting server, not Microsoft. I highly doubt they will respect the robots.txt. Any other ideas appreciated.

- Scott
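Added example (not part of the original thread, and not csf code): the check described in the post above, written as forward-confirmed reverse DNS combined with a per-second request count over access-log lines. The addresses, PTR/A tables, threshold and function names are constructed for illustration; on a live server the two lookups would be socket.gethostbyaddr and socket.gethostbyname_ex.

```python
import re
from collections import Counter

# Apache combined log format: client IP, timestamp (1 s resolution), path, user agent.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "([^"]*)"$'
)
# Genuine bingbot addresses reverse-resolve to a host under search.msn.com.
BINGBOT_SUFFIX = ".search.msn.com"
UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

def is_verified_bingbot(ip, reverse_lookup, forward_lookup):
    """PTR must sit under the bingbot suffix AND resolve forward to the same IP."""
    host = reverse_lookup(ip)
    if not host or not host.lower().rstrip(".").endswith(BINGBOT_SUFFIX):
        return False
    return ip in forward_lookup(host)

def find_fake_bots(lines, reverse_lookup, forward_lookup,
                   path_prefix="/wp-admin", max_per_second=2):
    """Return IPs that claim bingbot, exceed the per-second limit, and fail DNS checks."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, path, ua = m.groups()
        if path.startswith(path_prefix) and "bingbot" in ua.lower():
            per_second[(ip, ts)] += 1
    peak = Counter()
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return sorted(ip for ip, n in peak.items() if n > max_per_second
                  and not is_verified_bingbot(ip, reverse_lookup, forward_lookup))

# Constructed sample data (documentation address ranges, not real crawler IPs).
def sample_line(ip, sec):
    return (f'{ip} - - [14/Mar/2013:05:37:{sec:02d} -0500] '
            f'"GET /wp-admin/ HTTP/1.1" 302 - "-" "{UA}"')

SAMPLE = ([sample_line("203.0.113.7", 13)] * 3     # PTR points at a hosting company
          + [sample_line("198.51.100.9", 13)] * 3  # PTR and A record agree
          + [sample_line("192.0.2.5", 14)] * 3     # PTR spoofed, A record disagrees
          + [sample_line("203.0.113.8", 15)])      # below the rate threshold
PTR = {"203.0.113.7": "host.example.net", "192.0.2.5": "crawl.search.msn.com",
       "198.51.100.9": "msnbot-198-51-100-9.search.msn.com"}
A = {"msnbot-198-51-100-9.search.msn.com": ["198.51.100.9"],
     "crawl.search.msn.com": ["192.0.2.99"]}

if __name__ == "__main__":
    print(find_fake_bots(SAMPLE, PTR.get, lambda h: A.get(h, [])))
```

The returned addresses are candidates for a firewall deny entry; the forward lookup matters because whoever controls an IP's reverse zone can set its PTR record to any name.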

Re: Excessive GET HTTP requests -- any way to block?

Posted: 14 Mar 2013, 11:14
by ForumAdmin
A ModSecurity rule of some sort that triggers csf LF_MODSEC is probably the only way to stop this type of attack.

Re: Excessive GET HTTP requests -- any way to block?

Posted: 14 Mar 2013, 11:39
by sneader
Darn, I was hoping that either PORTFLOOD or CONNLIMIT would be useful here, and that I was just doing it wrong.

- Scott