You hear stories about "We get millions of attempted hacks each day". Not true, of course. The "attempted hacks" are "accesses for no particular reason".
I was looking at the logs for a couple of my servers, and I noticed that I was getting a lot of accesses from 192.243.55.129 to 192.243.55.138, and a lot of those accesses were attempts to access non-existent files, or password-protected files.
Here's the thing. On many pages, I put links to files that don't exist. If you read the source HTML of the page, you can see these links, but if you use a browser, there's nothing to see, you can't see those links. And all those links have a certain pattern to the file name. So if I search my logs for that pattern, I can see who is trying to access non-existent files.
And no normal user would even know about those links; only a web spider would see them. And web spiders should only access text files.
You can also see which IP addresses have tried, without success, to access password-protected files.
I did a traceroute to those addresses, and it went via the USA. So I used http://en.utrace.de (one of many such web sites) to see where that IP address was located. Dominica. Oh, really? Well.
So I went to my firewall, and with a quick
conduit deny tcp any 192.243.55.128 255.255.255.240
I told the firewall to block everything from there.
Then I got interested - are there any others like that? And yes, there were. So I firewalled off half a dozen more - the others weren't as prolific, but they were trying to access the servers without success, and by blocking them off at the firewall, I 1) reduce the load on my servers and 2) tell whoever is controlling these accesses that they're wasting their time and should go bother someone else.
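The log search described above (decoy links plus failed requests for password-protected files), sketched as an added example; this is not the author's own script. It assumes Combined Log Format and a hypothetical decoy filename marker `zz-trap-`, since the post does not give its pattern, and it runs on constructed sample lines. It also goes one step further than the post by summing the offenders into /28 blocks, the size the firewall rule above uses (mask 255.255.255.240).

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Assumption: decoy links share this filename marker (hypothetical; not from the post).
TRAP_MARKER = "zz-trap-"

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.129 - - [01/Jan/2024:10:00:00 +0000] "GET /zz-trap-a1.html HTTP/1.1" 404 209 "-" "bot"
203.0.113.131 - - [01/Jan/2024:10:00:02 +0000] "GET /private/report.pdf HTTP/1.1" 401 381 "-" "bot"
203.0.113.138 - - [01/Jan/2024:10:00:05 +0000] "GET /zz-trap-b7.html HTTP/1.1" 404 209 "-" "bot"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"
"""

def suspicious_hits(log_text, marker=TRAP_MARKER):
    """Return {ip: {"trap": n, "auth_fail": n}} for decoy hits and 401 responses."""
    hits = defaultdict(lambda: {"trap": 0, "auth_fail": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        ip, path, status = m.groups()
        if marker in path:
            hits[ip]["trap"] += 1       # only a spider reading the HTML finds these
        elif status == "401":
            hits[ip]["auth_fail"] += 1  # failed access to a protected file
    return dict(hits)

def group_by_block(hits, prefix=28):
    """Sum per-IP counts into enclosing networks, busiest block first."""
    blocks = defaultdict(int)
    for ip, counts in hits.items():
        net = ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)] += counts["trap"] + counts["auth_fail"]
    return dict(sorted(blocks.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    for block, total in group_by_block(suspicious_hits(SAMPLE_LOG)).items():
        print(f"{block}\t{total}")
```

The ordinary 404 for `/favicon.ico` is not counted, which is the point of the decoy names: a plain 404 count would also catch normal visitors.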
cassandra@mail.postmanllc.net
Some of them were the Google spider, so I changed my robots.txt to tell it not to bother with the ones that aren't there.