Random attacks on public endpoint

Hi! I see a several random URL attacks/probes in my public endpoint’s log, e.g.:

2020-10-09T10:48:03.636Z c476bb08 fra [info] GET /muieblackcat Not acceptable
2020-10-09T10:48:03.652Z c476bb08 fra [info] GET //phpMyAdmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.660Z c476bb08 fra [info] GET //phpmyadmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.669Z c476bb08 fra [info] GET //pma/scripts/setup.php Not acceptable
2020-10-09T10:48:03.679Z c476bb08 fra [info] GET //myadmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.690Z c476bb08 fra [info] GET //MyAdmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.699Z c476bb08 fra [info] GET //Admin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.713Z c476bb08 fra [info] GET //mysql/scripts/setup.php/db/scripts/setup.php/typo3/phpmyadmin/scripts/setup.php/web/phpMyAdmin/scripts/setup.php/web/scripts/setup.php/phpmyadmin2/scripts/setup.php/admin/scripts/setup.php/admin/phpmyadmin/scripts/setup.php/phpmyadmin1/scripts/setup.php/xampp/phpmyadmin/scripts/setup.php/php-my-admin/scripts/setup.php Not acceptable

I’m handling these from code by responding with 406 but it takes resources and costs money.
Is there a way to avoid this by IP filtering, whitelisting, private networking or with any other technic?
I guess I’m not the only one experiencing this. Thanks!

This is a side effect of each app having a dedicated IP address. Automated scanners just cycle through IPs with these kinds of requests.

You can mostly ignore these, but we do have a feature coming that will block them.

Some people run nginx with modsecurity to handle this type of thing: https://github.com/SpiderLabs/ModSecurity-nginx

We should probably do an example guide for that. :slight_smile:

I’m in for that new feature, hoping something at the transport layer.
Maybe not too much for ngnix but will definitely check modsecurity, thanks!