# POST /%70%68%70%70%61%74%...2D%6E HTTP/1.1" 200 12806



## c00kie (Feb 8, 2014)

hi

I have an un-managed VPS running FreeBSD. I get very limited support, but I do get a little. I have an FAMP stack or web server set-up with a couple of trivial websites. Upon checking httpd-access.log recently I came across entries like:


```
222.178.10.246 - - [01/Feb/2014:15:31:03 -0500] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 12806
```

I do have a firewall in place but it looks like some clever people can by-pass that successfully. I ask my host to clarify and they said it's likely that a Chinese IP address successfully wrote to you're server. I've since added it to my httpd.conf file:


```
<Directory /var/public_html >
 Order allow, deny
 deny from 222.178.10.246
 ...
</Directory>
```

I'm just wondering how potentially can this disrupt my service? And from a system admin standpoint. Do system admins (or even myself) have to constantly go through error logs looking for suspicious items - then adding these IPs to a blacklist? There must be a simpler way of combating this.


----------



## c00kie (Feb 8, 2014)

I'm thinking about blocking IP address in blocks. http://www.okean.com/antispam/cnkr_htaccess.txt


----------



## SirDice (Feb 8, 2014)

c00kie said:
			
		

> I do have a firewall in place but it looks like some clever people can by-pass that successfully.


You punched a hole in your firewall to let web traffic in, attackers do not need to bypass your firewall. 



> I'm just wondering how potentially can this disrupt my service?


By successfully exploiting bugs in the server software or, more commonly, in the web application itself.



> And from a system admin standpoint. Do system admins (or even myself) have to constantly go through error logs looking for suspicious items - then adding these IPs to a blacklist? There must be a simpler way of combating this.


Yes, that's part of the job.


----------



## c00kie (Feb 8, 2014)

Thanks SirDice

Whilst my measures above block 'web content' from being accessed from selected IP addresses. Could you recommend any tutorials that show me how to 





> Tell Apache not to respond (on port 80) to requests coming from Chinese addresses


 or whatever malicious addresses appear in my logs?


----------



## SirDice (Feb 8, 2014)

It's rather futile and an administrative nightmare. It's better to take a long hard look at the web application and make sure it's not vulnerable to attacks. The problem is that the minute you block all Chinese IP addresses (and believe me, there are a lot) the attacks will come from somewhere else. 

What kind of web application are you running?


----------



## c00kie (Feb 8, 2014)

SirDice said:
			
		

> What kind of web application are you running?



Yes, I thought as much. I'm running a Wordpress blog and an Opencart store as a virtual host. Opencart is for testing only - there's no real products on it as such.


----------



## SirDice (Feb 8, 2014)

Make sure both are fully up to date. Especially Wordpress is known to have some big holes every now and then.


----------



## c00kie (Feb 8, 2014)

SirDice said:
			
		

> Make sure both are fully up to date. Especially Wordpress is known to have some big holes every now and then.



Good advice, thanks. I do keep a close eye on that for sure.


----------

