Weird nginx auth logs and how to block specific IP

My YunoHost server

Hardware: VPS bought online
YunoHost version: latest version (4.3.6)
I have access to my server : only through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain: I disabled the yunohost api to access the webadmin.

Description of my issue

Hi there,
First of all, congratulations on such an amazing project! I consider myself a newbie/rookie, but using YNH is just fantastic to learn and pretty easy!

Regarding my issue, lately I’ve been finding some weird logs in Nginx. Doing a search of the IP I was worried about, I can see that it is from Russia (maybe a bot?), but the strange thing is that they are trying weird links to access the server and I’m starting to worry a little bit. I know that I can find some weird logs and this is pretty common, but these logs are just somewhat weird to me. I want to know, in case these logs are something to be worried about, how I can block this particular IP using your tools!

Find attached the logs here, the IP that is worrying me is 45.146.165.37:

/var/log/nginx/access.log: 
  - 198.54.135.45 - - [09/Feb/2022:14:15:04 +0100] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 302 154 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
  - 198.54.135.45 - - [09/Feb/2022:14:15:14 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
  - 198.54.135.45 - - [09/Feb/2022:14:15:39 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
  - 198.54.135.45 - - [09/Feb/2022:14:16:20 +0100] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 302 154 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
  - 198.54.135.45 - - [09/Feb/2022:14:16:33 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
  - 198.54.135.45 - - [09/Feb/2022:14:17:07 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
  - 198.54.135.45 - - [09/Feb/2022:14:18:01 +0100] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 302 154 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
  - 45.146.165.37 - - [09/Feb/2022:15:09:29 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
  - 193.46.254.155 - - [09/Feb/2022:15:12:33 +0100] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"
  - 2.183.82.204 - - [09/Feb/2022:15:20:44 +0100] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
  - 45.146.165.37 - - [09/Feb/2022:15:40:31 +0100] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
  - 45.61.188.162 - - [09/Feb/2022:15:54:14 +0100] "GET /static_new6/img/login_bg.png HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"
  - 176.57.189.179 - - [09/Feb/2022:16:08:55 +0100] "HEAD / HTTP/1.1" 302 0 "-" "python-requests/2.21.0"
  - 85.202.169.250 - - [09/Feb/2022:16:19:42 +0100] "GET /.env HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0"
  - 85.202.169.250 - - [09/Feb/2022:16:19:42 +0100] "POST / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0"
  - 167.94.145.60 - - [09/Feb/2022:16:44:16 +0100] "GET / HTTP/1.1" 302 154 "-" "-"
  - 167.94.145.60 - - [09/Feb/2022:16:44:16 +0100] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
  - 167.94.145.60 - - [09/Feb/2022:16:44:16 +0100] "PRI * HTTP/2.0" 400 166 "-" "-"
  - 167.94.145.60 - - [09/Feb/2022:16:44:16 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
  - 167.94.145.60 - - [09/Feb/2022:16:44:16 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
  - 192.241.208.172 - - [09/Feb/2022:16:46:22 +0100] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 zgrab/0.x"
  - 85.202.169.250 - - [09/Feb/2022:16:51:09 +0100] "GET /_profiler/phpinfo HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:10 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:10 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:10 +0100] "GET /phpinfo.php HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:12 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:12 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:13 +0100] "GET /phpinfo HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:14 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:15 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:15 +0100] "GET /aws.yml HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:16 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:17 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:17 +0100] "GET /.env.bak HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:18 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:18 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:19 +0100] "GET /info.php HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:19 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:19 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:20 +0100] "GET /.aws/credentials HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:20 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:21 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:21 +0100] "GET /config/aws.yml HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:22 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:22 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 85.202.169.250 - - [09/Feb/2022:16:51:23 +0100] "GET / HTTP/1.1" 302 154 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
  - 45.146.165.37 - - [09/Feb/2022:16:56:44 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
  - 45.146.165.37 - - [09/Feb/2022:16:56:46 +0100] "GET /yunohost/admin HTTP/1.1" 301 178 "https://176.57.189.179:443/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
  - 45.146.165.37 - - [09/Feb/2022:16:56:49 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "https://176.57.189.179:443/yunohost/admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
  - 71.6.232.4 - - [09/Feb/2022:17:09:47 +0100] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"

Thank you in advance!
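Added example, not part of the original post and not a YunoHost tool: a small Python script that parses lines in the nginx "combined" format shown above and reports which client IPs requested paths that are classic scanner probes (the .env, phpinfo, phpunit and XDEBUG paths from the log), so the noisy IPs can be picked out before deciding on a block. The sample lines are constructed to mirror the post (user agents shortened) and the marker list is my own assumption, not a list YunoHost ships.

```python
import re
from collections import defaultdict

# nginx "combined" log format, as written to /var/log/nginx/access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings that only scanner probes contain, taken from the request lines in the
# post above; no YunoHost client ever asks for these. Assumed list, extend as needed.
PROBE_MARKERS = (
    "/.env", "/phpinfo", "/info.php", "/_profiler/", "/aws.yml", "/.aws/",
    "/vendor/phpunit/", "eval-stdin.php", "invokefunction", "XDEBUG_SESSION_START",
    "/autodiscover/",
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d

def is_probe(path):
    return any(marker in path for marker in PROBE_MARKERS)

def scanner_report(lines):
    """Map each client IP that sent at least one probe to its request count and probe paths.
    A 302 on a probe means nginx redirected the request rather than serving the file."""
    stats = defaultdict(lambda: {"total": 0, "probes": []})
    for line in lines:
        entry = parse_line(line)
        if entry is None:  # blank or malformed line
            continue
        stats[entry["ip"]]["total"] += 1
        if is_probe(entry["path"]):
            stats[entry["ip"]]["probes"].append(entry["path"])
    return {ip: s for ip, s in stats.items() if s["probes"]}

# Constructed sample lines mirroring the post's log (user agents shortened).
SAMPLE_LOG = """\
45.146.165.37 - - [09/Feb/2022:15:09:29 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 154 "-" "Mozilla/5.0"
193.46.254.155 - - [09/Feb/2022:15:12:33 +0100] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0"
85.202.169.250 - - [09/Feb/2022:16:19:42 +0100] "GET /.env HTTP/1.1" 302 154 "-" "Mozilla/5.0"
85.202.169.250 - - [09/Feb/2022:16:51:10 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozilla/5.0"
167.94.145.60 - - [09/Feb/2022:16:44:16 +0100] "PRI * HTTP/2.0" 400 166 "-" "-"
45.146.165.37 - - [09/Feb/2022:16:56:44 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 154 "-" "Mozilla/5.0"
45.146.165.37 - - [09/Feb/2022:16:56:49 +0100] "GET /yunohost/admin/ HTTP/1.1" 200 9010 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, s in sorted(scanner_report(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {s['total']} requests, {len(s['probes'])} probes -> {s['probes']}")
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/nginx/access.log; the 200 responses for /yunohost/admin/ are the static admin page being served, which is separate from the API the poster disabled.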

I wouldn’t be too worried about it … this looks like the usual dumb automatic attacks from bots scanning for stupid vulnerabilities or freely exposed admin interfaces (such as phpmyadmin, etc.)

Many people are quite spooked about that kind of stuff because they’re like “emaged i’m being hacked!!1!§1!§”, but when running a server it’s very much expected to see bots attempting stupid stuff such as what you see in the nginx log, or similar stuff happening in the ssh log with bots testing stupid credentials like “admin/admin” or “test/test”, etc.

There’s not much to worry about as long as you didn’t yolo-install some publicly-exposed admin password (as in “not protected by any password”) and as long as you’re using decent passwords. Yunohost already includes a bunch of countermeasures and sane security practices to prevent automatic bot attacks from being any useful to the attacker.


Thank you for the quick response Aleks.

I am totally conscious that this could happen and that if you have a server and you’re online, bots will be trying to do this kind of thing. I have applied all possible security measures (strong passwords, ssh authentication with key, modified port, etc.), so your response helped me a lot.

Thank you so much!
