Unknown IP trying a GET / POST on my nginx

Hello

Today I got a 500 error from nginx from WAN to my server. I tried to investigate, and everything went back to normal, I don’t know why.

In my log/nginx/domaine.com-access I found these two lines:

193.106.30.99 - - [03/Jul/2018:02:32:24 +0200] "POST /config.php HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

193.106.30.99 - - [03/Jul/2018:02:32:40 +0200] "GET /yunohost/sso/?r=aHR0cHM6Ly9yYXB0aHVyLnNwYWNlL2NvbmZpZy5waHA= HTTP/1.1" 200 986 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

It seems that it’s just some Ukrainian server trying something on me, but I can’t understand what it means.

Can someone help me?
Thanks guys.

Hello,

Between WAN and your server, what is the configuration? Is there a box? Is the box configuration OK for routing IP from WAN to LAN? Is the port configuration enabled and right?

@++

martoni

This looks like some typical automatic/bot attacks. People run bots on the whole internet trying to find “typical” exposed stuff, such as a configuration panel in PHP named config.php that someone would have left unprotected and that might allow an intrusion. (Or other more “common” things like old WordPress instances or phpMyAdmin instances…)

This might sound scary but it’s also very “normal” … or at least it’s not unexpected. Basically, as long as you don’t run stuff like old/un-updated WordPress or phpMyAdmin, which are software quite well known for their vulnerabilities or potential for intrusion, there’s not much to worry about. If you do run this kind of software, then you should be extra careful to keep them up to date, and in the case of WordPress, not install thousands of random and old plugins.

If you want to have a bit of “fun”, you can increase the protection mechanism against those kinds of bots by enabling a jail in fail2ban that will identify this kind of attack. The jail is called something like “nginx-common” and you may enable it by editing / adding it in /etc/fail2ban/jail.d/yunohost.conf (something like this …). Though be careful that if you modify this file manually, it won’t be managed by YunoHost anymore :confused: (Or maybe you can create a new file in jail.d to enable a custom jail.)

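Added example, not code from this thread or from YunoHost's fail2ban filters: a small Python checker that parses nginx access-log lines of the kind quoted above, decodes the base64 r= parameter the YunoHost SSO redirect carries (so you can see which page a visitor was actually asking for before being sent to the login), and tallies per-IP hits on commonly probed paths, the signal a fail2ban jail bans on. The log lines, the IPs and the example.org domain are constructed; the PROBE_PATHS list is an assumption you would tune to your own setup.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse
# nginx "combined" log format, the format of the lines quoted in the thread.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ '
                    r'"[^"]*" "(?P<ua>[^"]*)"')
# Paths that scanning bots commonly try (config panels, phpMyAdmin, WordPress); assumed list.
PROBE_PATHS = ("/config.php", "/phpmyadmin", "/wp-login.php", "/wp-admin", "/xmlrpc.php")
# Constructed sample lines; 203.0.113.45, 198.51.100.7 and example.org are documentation values.
SAMPLE_LOG = """\
203.0.113.45 - - [03/Jul/2018:02:32:24 +0200] "POST /config.php HTTP/1.1" 302 154 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Jul/2018:02:32:40 +0200] "GET /yunohost/sso/?r=aHR0cHM6Ly9leGFtcGxlLm9yZy9jb25maWcucGhw HTTP/1.1" 200 986 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jul/2018:02:33:01 +0200] "GET / HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.45 - - [03/Jul/2018:02:33:12 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sso_target(target):
    """For a hit on the YunoHost SSO carrying r=<base64>, return the decoded URL the
    visitor was redirected from (the page the bot actually asked for); else None."""
    url = urlparse(target)
    r = parse_qs(url.query).get("r")
    if not url.path.startswith("/yunohost/sso") or not r:
        return None
    try:
        return base64.b64decode(r[0], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not text: treat as no redirect target

def is_probe(target):
    """True when the request (or the SSO redirect target behind it) is a known probe path."""
    original = sso_target(target)
    path = urlparse(original if original else target).path.lower()
    return any(path.startswith(p) for p in PROBE_PATHS)

def probe_counts(log_text):
    """Probe-like requests per client IP, the tally a fail2ban jail bans on past maxretry."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_probe(fields["target"]):
            counts[fields["ip"]] += 1
    return dict(counts)
```

Decoding the r= value on the SSO line shows the SSO hit is the same config.php probe bouncing off the login redirect, so the two lines count as one client probing twice, not two separate events.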

Thx for the replies.

I have a modem and a router. And yes, I closed all ports and opened only those I need (mail, ssh, etc.) and redirected them to my server.

What I understood is that these requests are some bot trying to access the server. The 302 response is a redirection, certainly to the login page of YunoHost.

OK, thx, I will dig in this direction. I’m not familiar with web requests; I will try to learn more about security and how to jail these kinds of requests :slight_smile: