Friday 5 August 2016

Hackers? Not really.

You hear stories about "We get millions of attempted hacks each day". Not true, of course. The "attempted hacks" are "accesses for no particular reason".

I was looking at the logs for a couple of my servers, and I noticed that I was getting a lot of accesses from 192.243.55.129 to 192.243.55.138, and a lot of those accesses were attempts to access non-existent files, or password-protected files.

Here's the thing. On many pages, I put links to files that don't exist. If you read the source HTML of the page, you can see these links, but if you use a browser, there's nothing to see, you can't see those links. And all those links have a certain pattern to the file name. So if I search my logs for that pattern, I can see who is trying to access non-existent files.
And no normal user would even know about those links; only a web spider would see them. And web spiders should only access text files.

You can also see which IP addresses have tried, without success, to access password-protected files.

I did a traceroute to those addresses, and it went via the USA. So I used http://en.utrace.de (one of many such web sites) to see where that IP address was located. Dominica. Oh, really? Well.

So I went to my firewall, and with a quick

conduit deny tcp any 192.243.55.128 255.255.255.240

I told the firewall to block everything from there.

Then I got interested - are there any others like that? And yes, there were. So I firewalled off half a dozen more - the others weren't as prolific, but they were trying to access the servers without success, and by blocking them off at the firewall, I 1) reduce the load on my servers and 2) tell whoever is controlling these accesses that they're wasting their time and should go bother someone else.
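The log search and the netmask choice described above, as an added example (not code from the original post). It assumes the common/combined access-log format and a made-up decoy marker, "zz-trap-", in the hidden links' file names; the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: decoy file names share a marker; "zz-trap-" is invented for this example.
TRAP = re.compile(r"/zz-trap-[\w.-]+")
# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines, not taken from real logs.
SAMPLE_LOG = """\
192.243.55.129 - - [05/Aug/2016:10:00:01 +0000] "GET /zz-trap-a.html HTTP/1.1" 404 210
192.243.55.138 - - [05/Aug/2016:10:00:02 +0000] "GET /private/ HTTP/1.1" 401 381
192.243.55.138 - - [05/Aug/2016:10:00:03 +0000] "GET /private/ HTTP/1.1" 401 381
192.243.55.138 - - [05/Aug/2016:10:00:04 +0000] "GET /private/x HTTP/1.1" 401 381
203.0.113.7 - - [05/Aug/2016:10:01:00 +0000] "GET /private/ HTTP/1.1" 401 381
203.0.113.7 - alice [05/Aug/2016:10:01:05 +0000] "GET /private/ HTTP/1.1" 200 5120
"""

def tally(log_text):
    """Count decoy-link requests and 401 responses per client IP."""
    hits = defaultdict(lambda: {"trap": 0, "auth_fail": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank or unparseable lines
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if TRAP.search(path):
            hits[ip]["trap"] += 1
        elif status == 401:
            hits[ip]["auth_fail"] += 1
    return dict(hits)

def flagged(log_text, min_auth_fail=3):
    """IPs that touched a decoy, or piled up 401s. A browser gets one 401
    before it prompts for a password, so a single 401 is not counted."""
    return sorted(ip for ip, c in tally(log_text).items()
                  if c["trap"] or c["auth_fail"] >= min_auth_fail)

def covering_network(ips):
    """Smallest single CIDR block that contains every address in ips."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(str(min(addrs)))
    while max(addrs) not in net:
        net = net.supernet()
    return net

if __name__ == "__main__":
    bad = flagged(SAMPLE_LOG)
    net = covering_network(bad)
    print(bad, net, net.netmask)
```

A covering block is only a sensible firewall entry when the flagged addresses sit close together, as they do here; scattered addresses should be handled one by one. Search-engine crawlers follow hidden links too, so check who owns an address before blocking it.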


2 comments:

  1. cassandra@mail.postmanllc.net

  2. Some of them were the google spider, so I changed my robots.txt to tell it not to bother with the ones that aren't there.
