Hi! I see a several random URL attacks/probes in my public endpoint’s log, e.g.:
2020-10-09T10:48:03.636Z c476bb08 fra [info] GET /muieblackcat Not acceptable
2020-10-09T10:48:03.652Z c476bb08 fra [info] GET //phpMyAdmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.660Z c476bb08 fra [info] GET //phpmyadmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.669Z c476bb08 fra [info] GET //pma/scripts/setup.php Not acceptable
2020-10-09T10:48:03.679Z c476bb08 fra [info] GET //myadmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.690Z c476bb08 fra [info] GET //MyAdmin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.699Z c476bb08 fra [info] GET //Admin/scripts/setup.php Not acceptable
2020-10-09T10:48:03.713Z c476bb08 fra [info] GET //mysql/scripts/setup.php/db/scripts/setup.php/typo3/phpmyadmin/scripts/setup.php/web/phpMyAdmin/scripts/setup.php/web/scripts/setup.php/phpmyadmin2/scripts/setup.php/admin/scripts/setup.php/admin/phpmyadmin/scripts/setup.php/phpmyadmin1/scripts/setup.php/xampp/phpmyadmin/scripts/setup.php/php-my-admin/scripts/setup.php Not acceptable
I’m handling these from code by responding with 406 but it takes resources and costs money.
Is there a way to avoid this by IP filtering, whitelisting, private networking or with any other technic?
I guess I’m not the only one experiencing this. Thanks!
(I’m getting hit by spam signups that are hurting my email sending reputation, and I don’t want to retreat behind Cloudflare WAF if there’s another way.)
You could use Arcjetsignup form protection which combines the bot detection, rate limiting, and email validation primitives in a recommended configuration for forms (or just use them individually).
