
My site is getting hit by malicious bot traffic, which I've been trying to stem for the past week. It's showing up in my 'other_vhost_access.log':

www.mywebsite.com:80 217.96.40.85 - - [01/Sep/2017:12:21:08 +0000] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 302 237 "-" "Mozilla/5.0 Jorgee"

and:

www.mywebsite.com:80 173.208.148.218 - - [31/Aug/2017:09:32:10 +0000] "POST /FlashChat/upload.php HTTP/1.1" 302 523 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

www.mywebsite.com:80 173.208.148.218 - - [31/Aug/2017:09:32:11 +0000] "GET /FlashChat/temp/error.php HTTP/1.1" 302 531 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

I had about 4000 such requests yesterday in bursts of 100 per 30 seconds. This is troublesome because when it happens, TTFB shoots up 21 seconds (every time).

I've enabled Apache Server-Status, and as far as I can tell resources aren't being overtaxed (CPU stays below 1%, max 4 of 8 workers functioning). But even refreshing the server-status page is queued up.

I'm running an EC2 t2 micro instance with TLS certs. I forward the traffic from port 80 to port 443 with two VirtualHost directives (one to the main site, another to a sub-domain, both in the same file).

I have been trying various suggestions on the web however I'm not sure if they are actually working as the attacks continue, followed by the queue times.

For instance, for the Jorgee requests I have this in my .conf:

<IfModule mod_ssl.c>
FileETag None
TraceEnable off
<IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
</IfModule>

<Location "/">
# Flag any request whose User-Agent matches the Jorgee scanner, then deny it
# (Deny/Allow is Apache 2.2 syntax; on 2.4 it needs mod_access_compat loaded)
SetEnvIfNoCase User-Agent "Mozilla/5.0 Jorgee" bad_bot
Deny from env=bad_bot
</Location>

These are the first lines in my .conf. Passed through https://www.hurl.it/ which responds with a 403. I would think it would outright deny a connection, but it doesn't.

I've also tried to restrict the number of connections per IP using the iptables command:

sudo iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset 

Running sudo iptables -L displays the following:

ubuntu@ip-172-31-55-158:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5 reject-with tcp-reset

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Yet I still receive 100+ requests in under a minute from the same IP.

I'm looking to control these requests using apache and iptables. Thank you.

Chris
  • Partial answer: Turns out that 'FileETag None' caused persistent queuing. So it no longer queues all the time. – Chris Sep 05 '17 at 20:47
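
A way to confirm from the log itself which source IPs are bursting and which requests match the scanner signatures quoted above (an added example, not part of the original question; the vhost_combined regex, the 100-requests-per-30-seconds threshold and the constructed sample lines are assumptions modelled on the log lines shown above):

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache vhost_combined line as in other_vhost_access.log:
# vhost:port client - - [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BAD_UA = ("Jorgee",)                          # scanner UA seen in the question
PROBE_PATHS = ("/phpmyadmin", "/flashchat/")  # probed paths seen in the question (lower-case)
def parse_line(line):
    """Parse one log line into a dict (None if it does not match the format)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], TS_FMT)
    parts = entry["req"].split()
    entry["path"] = parts[1].lower() if len(parts) >= 2 else ""
    return entry
def is_probe(entry):
    """True when the UA or the requested path matches a known scanner signature."""
    return any(s in entry["ua"] for s in BAD_UA) or any(p in entry["path"] for p in PROBE_PATHS)
def burst_sources(entries, window_s=30, threshold=100):
    """Return {ip: peak} for IPs exceeding `threshold` requests within any `window_s` seconds."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["time"])
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):              # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders
def sample_log():
    """Constructed sample: the Jorgee line from the question plus a synthetic 120-request burst."""
    jorgee = ('www.mywebsite.com:80 217.96.40.85 - - [01/Sep/2017:12:21:08 +0000] '
              '"HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 302 237 "-" "Mozilla/5.0 Jorgee"')
    burst = ('www.mywebsite.com:80 173.208.148.218 - - [31/Aug/2017:09:32:%02d +0000] '
             '"GET /FlashChat/temp/error.php HTTP/1.1" 302 531 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"')
    return [jorgee] + [burst % (i % 30) for i in range(120)]
```

Run it over the real file with `burst_sources(filter(None, map(parse_line, open("other_vhost_access.log"))))` to get the peak per-IP rate, which tells you whether the connlimit rule is actually being hit.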

1 Answer


Turns out I had a conflicting A record (as there can only be one host for: url redirect, CName, and A record). Once I removed the conflicting record, the connection was able to resolve quickly with multiple people accessing the site at the same time.

Chris