How to block mysterious remote requests?












My CentOS server is experiencing a huge number of requests (millions a day) that look like this:



Srv PID Acc M   CPU SS  Req Conn    Child   Slot    Client  Protocol    VHost   Request
62-1 - 0/0/335 . 0.00 1947 204049 0.0 0.00 0.85 104.248.57.218 http/1.1 www.myrealdomain.co.uk:80 GET http://218.22.14.198/index HTTP/1.1


The request looks like my server is spending time serving or fetching other pages' content. I tried blocking the IPs, which only makes the source scramble up new IPs (both for the client and the request IP), with no success.



I even have Cloudflare on high safety including their web app firewall, yet these requests still come in droves.



Can anyone explain why these are requested and, more importantly, how to prevent it altogether?



The server is a dedicated server running around 50 sites, all basic WordPress configurations.










firewall bad-request






asked Dec 23 '18 at 12:02









Nils Munch

  • Given faker's answer, perhaps it can be beneficial to share more details, such as relevant configuration files. What software are you using, which services are you running, etc?

    – Tommiie
    Dec 23 '18 at 19:11











  • Have you checked out the traffic graphs/logs to see when the increase in traffic happened? This may point you at a date when it was misconfigured/breached.

    – Criggie
    Dec 23 '18 at 21:04











  • Use fail2ban which blocks them automatically for a given period of time.

    – Chloe
    Dec 24 '18 at 3:53











  • fail2ban will fight the symptom, not the cause. If I'm right, it wouldn't even block anything.

    – faker
    Dec 25 '18 at 22:19



















1 Answer
It is hard to say what exactly is going on here. However, you state:

The request looks like my server is spending time serving or getting other pages content.

This, together with the "GET http://218.22.14.198/index", sounds like you have misconfigured your system and are accidentally running an open proxy which is getting abused.

Basically, other systems are now using your system as a proxy, usually to hide their IP address, and not exactly doing things you want to be associated with.

You should investigate as soon as possible whether this is the case.

A firewall rule here is just a band-aid and not the real solution.

If this is the case - and with the information provided it is impossible to tell - you need to reconfigure your system to stop being an open proxy. How to do that depends on your specific web server configuration.

More information, for example for Apache httpd:
https://wiki.apache.org/httpd/ProxyAbuse






answered Dec 23 '18 at 12:36









faker

  • Looks like you are spot on with proxy abuse, that is the road I am going down now investigating.

    – Nils Munch
    Dec 23 '18 at 13:12
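As an added example (not code from the question or from faker's answer), the following Python script shows the two checks a defender would run while investigating the answer's open-proxy hypothesis. First it parses access-log lines and flags proxy-style requests: a CONNECT, or an absolute-URI target that names a host other than the virtual host, which is exactly the shape of the question's `GET http://218.22.14.198/index` line. An absolute URI for the server's own host is legitimate HTTP/1.1 and is deliberately not flagged. Second it audits an httpd configuration text for Apache's `ProxyRequests` directive, the setting that turns forward proxying on (it defaults to Off). Assumptions: the log lines are constructed for this example (they reuse the two addresses from the question plus RFC 5737 documentation addresses) and use the combined format with the vhost prepended as `%v:%p`; the config-audit treats the last non-comment occurrence as effective, a simplification of Apache's per-context merging.

```python
"""Added example, not from the Server Fault post: flag proxy-style requests
in Apache access-log lines and audit httpd config for ProxyRequests On."""
import re
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic): combined log format with
# the virtual host prepended, i.e. LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b ...".
SAMPLE_LOG = """\
www.myrealdomain.co.uk:80 104.248.57.218 - - [23/Dec/2018:12:00:01 +0000] "GET http://218.22.14.198/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
www.myrealdomain.co.uk:80 203.0.113.9 - - [23/Dec/2018:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
www.myrealdomain.co.uk:80 198.51.100.7 - - [23/Dec/2018:12:00:03 +0000] "CONNECT 198.51.100.200:443 HTTP/1.1" 200 0 "-" "curl/7.61.0"
www.myrealdomain.co.uk:80 203.0.113.10 - - [23/Dec/2018:12:00:04 +0000] "GET http://www.myrealdomain.co.uk/about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# vhost, client, ident, user, [time], "method target proto", status, bytes
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def is_proxy_style(method, target, vhost):
    """True when the request-target is in proxy form: a CONNECT tunnel request,
    or an absolute URI whose host is not this vhost. An absolute URI for our
    own host is valid HTTP/1.1 and is not treated as proxy abuse."""
    if method.upper() == "CONNECT":
        return True
    if "://" not in target:
        return False  # origin-form target such as /wp-login.php: normal traffic
    host = (urlsplit(target).hostname or "").lower()
    own_host = vhost.split(":")[0].lower()
    return host != own_host


def find_proxy_requests(log_text):
    """Return (client_ip, method, target) for every proxy-style line.
    Lines that do not match the expected format are skipped, so a single
    malformed entry does not abort the scan of a large log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if is_proxy_style(m["method"], m["target"], m["vhost"]):
            hits.append((m["client"], m["method"], m["target"]))
    return hits


CONFIG_LINE_RE = re.compile(r'^\s*ProxyRequests\s+(\S+)', re.IGNORECASE)


def proxy_requests_enabled(httpd_conf_text):
    """Audit an httpd configuration text for 'ProxyRequests On'.
    Comment lines are ignored. The last non-comment occurrence is taken as
    effective; this is a simplification of Apache's per-context merging, so
    treat a True result as a reason to read the real config, not as proof."""
    enabled = False
    for line in httpd_conf_text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = CONFIG_LINE_RE.match(line)
        if m:
            enabled = m.group(1).lower() == "on"
    return enabled


if __name__ == "__main__":
    for client, method, target in find_proxy_requests(SAMPLE_LOG):
        print(f"proxy-style request from {client}: {method} {target}")
    # Constructed config fragment, not a real file from the question's server.
    conf = "<IfModule mod_proxy.c>\n  ProxyRequests On\n</IfModule>\n"
    print("forward proxy enabled:", proxy_requests_enabled(conf))
```

Run it against a real log with `find_proxy_requests(open(path).read())`; a steady stream of hits whose targets are unrelated hosts is the signature the answer describes. If the client addresses in those lines are not Cloudflare's, the requests are reaching the origin by IP and never pass the Cloudflare WAF at all, which is consistent with the question's observation that the WAF did not stop them. The fix itself is the configuration change from the linked wiki page, not a rule against the addresses the script reports.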













