Friday 5 August 2016

Hackers? Not really.

You hear stories about "We get millions of attempted hacks each day". Not true, of course. The "attempted hacks" are "accesses for no particular reason".

I was looking at the logs for a couple of my servers, and I noticed that I was getting a lot of accesses from to, and a lot of those accesses were attempts to access non-existent files, or password-protected files.

Here's the thing. On many pages, I put links to files that don't exist. If you read the source HTML of the page, you can see these links, but if you use a browser, there's nothing to see, you can't see those links. And all those links have a certain pattern to the file name. So if I search my logs for that pattern, I can see who is trying to access non-existent files.
And no normal user would even know about those links; only a web spider would see them. And web spiders should only access text files.

You can also see what IP addresses have tried without success, to access password protected files.

I did a traceroute to those addresses, and it went via the USA. So I used (one of many such web sites) to see where that IP address was located. Dominica. Oh, really? Well.

So I went to my firewall, and with a quick

conduit deny tcp any

I told the firewall to block everything from there.

Then I got interested - are there any others like that? And yes, there were. So I firewalled off half a dozen more - the others weren't as prolific, but they were trying to access the servers without success, and by blocking them off at the firewall, I 1) reduce the load on my servers and 2) tell whoever is controlling these accesses that they're wasting their time and should go bother someone else.



  2. Some of them were the google spider, so I changed my robots.txt to tell it not to bother with the ones that aren't there.