• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue 600 requests in one second: How to prevent this attack

A

ahoi

Basic Pleskian
Hello everybody,

one of my servers is facing recurring "attacks" like this:


Bash: 
/var/log/nginx/access.log
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /backup HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /newsite HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET / HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /old HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /test HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /wordpress HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /wp HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /cms HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /main HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /blog HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /new HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /dev HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /cms HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /new HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /blog HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /backup HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /dev HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /dev HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /main HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /newsite HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /cms HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /backup HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET / HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /wp HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET /old HTTP/1.1" 301 162 "-" "-"
46.xx.138.xx - - [19/Aug/2021:02:49:16 +0200] "GET / HTTP/1.1" 301 162 "-" "-"

I truncated the full logs, but altogether there are more than 1000 requests made in one or two seconds.

I am thinking about some rate-limiting using iptables, but maybe Plesk is already providing something built-in which I did not found out yet?

Love to get some advice :)
 
You must log in or register to reply here.

Similar threads

M
Question Has my site been attacked?
Replies
8
Views
2K
Peter Debik
P
T
Question Fail2ban trying to setup a rule to ban ai bots
Replies
4
Views
931
Bitpalast
Bitpalast
V
HTTP/2 – Does it improve site performance?
Replies
0
Views
2K
viktor
V
A
Issue Server shut down randomly
Replies
12
Views
8K
adijeff
A
J
How to start your online store with WooCommerce
Replies
0
Views
3K
joerg
J
Back
Top