awslamp

Deny connections from bots/attackers using Varnish(TM)

IMPORTANT: The steps below assume that Varnish(TM) is enabled. Check Varnish(TM) status and enable it.

Sometimes, if you are experiencing poor performance, it is because you are being attacked by Internet bots. The reason for these attacks is that they are trying to find a security bug in your application code or in the software itself.

An example of a bot attack is attempting to check if the php.cgi binary is disabled. As this is disabled by default, attackers won’t be able to exploit your system, but you will have hundreds or even thousands of connections from the same IP address (or even different IP addresses) trying to “check” every few hours if those binaries or scripts are available.

Our stacks and cloud images come with the latest versions of their components but, even though you are safe from those attacks, your server could experience poor performance because of the traffic they generate.

To know if you are being attacked, run the commands below, depending on your Web server:

For Apache:

$ cd /opt/bitnami/apache/logs/
$ tail -n 10000 access_log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10

For NGINX:

$ cd /opt/bitnami/nginx/logs/
$ tail -n 10000 access.log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10

This will show you the number of times that an IP address connected to your Web server. If you see that some IP addresses have many more connections than others, run the following commands (remember to modify ATTACKER_IP with the correct IP).

For Apache:

$ cd /opt/bitnami/apache/logs/
$ grep "ATTACKER_IP" access_log

For NGINX:

$ cd /opt/bitnami/nginx/logs/
$ grep "ATTACKER_IP" access.log

If you see that the IP address is always attempting to connect to the same location, if it is a URL that you don’t know, or if it is trying to run binaries or scripts directly, it is likely that IP address is a bot.

To deny connections to these attackers, the easiest way is with your Varnish (TM) configuration file. Follow these steps:

  • Edit the file at /opt/bitnami/varnish/etc/varnish/default.vcl and add the IP addresses to the access control list (ACL). The example below shows how to reject the 1.2.3.4 IP address:

      acl forbidden {
            "1.2.3.4"/24;
      }
    

    You can block multiple IP addresses by adding each on a separate line following the format shown above.

  • Add the following to the vcl_recv routine:

      sub vcl_recv {
      ...
        if (client.ip ~ forbidden) {
          return(synth(403, "Forbidden"));
        }
      ...
      }
    
  • Restart Varnish (TM):

      $ sudo /opt/bitnami/ctlscript.sh restart varnish
    
  • Restart the web server.

    For Apache:

      $ sudo /opt/bitnami/ctlscript.sh restart apache
    

    For NGINX:

      $ sudo /opt/bitnami/ctlscript.sh restart nginx
    

Varnish is a registered trademark of Varnish Software AB and its affiliates.

Last modification December 21, 2022