
Deny connections from bots/attackers

Before running the commands shown on this page, you should load the Bitnami stack environment by executing the installdir/use_APPNAME script (Linux and MacOS) or by clicking the shortcut in the Start Menu under “Start -> Bitnami APPNAME Stack -> Application console” (Windows). On OS X VMs, the installation directory is /opt/bitnami and OS X VM users can click the “Open Terminal” button to run commands. Learn more about the Bitnami stack environment and about OS X VMs.

NOTE: We are in the process of modifying the file structure and configuration for many Bitnami stacks. On account of these changes, the file paths stated in this guide may change depending on whether your Bitnami stack uses native Linux system packages (Approach A), or if it is a self-contained installation (Approach B). To identify your Bitnami installation type and what approach to follow, run the command below:

 $ test ! -f "installdir/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."

The output of the command indicates which approach (A or B) is used by the installation, and will allow you to identify the paths, configuration and commands to use in this guide. Refer to the FAQ for more information on these changes.

If you are experiencing poor performance, one possible cause is that Internet bots are attacking your server. These bots are probing for a security bug in your application code or in the software itself.

An example of a bot attack is one that checks whether the php.cgi binary is enabled. As this binary is disabled by default, attackers won’t be able to exploit your system, but you will see hundreds or even thousands of connections from the same IP address (or from several different IP addresses) trying to “check” every few hours whether those binaries or scripts are available.

Our stacks and cloud images ship with the latest versions of their components, so even though you are safe from those attacks, your server may still experience poor performance because of the traffic they generate.

To know if you are being attacked, run the command below:

$ cd installdir/apache2/logs/
$ tail -n 10000 access_log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10

This will show you how many times each IP address connected to your Web server. If some IP addresses have many more connections than others, run the following command (replace ATTACKER_IP with the IP address in question):

$ cd installdir/apache2/logs/
$ grep "ATTACKER_IP" access_log

If the IP address always attempts to connect to the same location, requests a URL that you don’t recognize, or tries to run binaries or scripts directly, it is likely that the IP address is a bot.

Examples of log messages for this scenario are:

[Mon Dec 08 07:01:52 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php-cgi
[Mon Dec 08 07:01:52 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php.cgi
[Mon Dec 08 07:01:53 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php4
[Mon Dec 08 19:01:51 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php
[Mon Dec 08 19:01:51 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php5
[Mon Dec 08 19:01:52 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php-cgi
[Mon Dec 08 19:01:52 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php.cgi
[Mon Dec 08 19:01:52 2014] [error] [client 143.107.202.68] script not found or unable to stat: installdir/apache2/cgi-bin/php4

This shows that an attacker with IP address 143.107.202.68 is trying to find the PHP CGI scripts, and all these connections are taking place within the same second.

To deny connections to these attackers, the easiest way is with your Apache configuration file. As an example, follow the steps below to reject any connections from the 1.2.3.4 IP address in WordPress:

  • Modify the Apache configuration for your application, to reject the 1.2.3.4 IP address. Depending on your installation type, follow the steps below:

    • Approach A (Bitnami installations using system packages):

      • Edit the installdir/apache2/conf/vhosts/wordpress-vhost.conf and installdir/apache2/conf/vhosts/wordpress-https-vhost.conf files:

        <Directory installdir/wordpress>
        deny from 1.2.3.4
        ...
        </Directory>
        
      • To deny access to more than one IP, use the example below:

        <Directory installdir/wordpress>
        deny from 1.2.3.4
        deny from 5.6.7.8
        deny from 9.10.11.12
        ...
        </Directory>
        
    • Approach B (Self-contained Bitnami installations):

      • Edit the file at installdir/apps/APPNAME/conf/httpd-app.conf:

        <Directory installdir/apps/wordpress/htdocs>
        deny from 1.2.3.4
        ...
        </Directory>
        
      • To deny access to more than one IP, use the example below:

        <Directory installdir/apps/wordpress/htdocs>
        deny from 1.2.3.4
        deny from 5.6.7.8
        deny from 9.10.11.12
        ...
        </Directory>
        
  • Check if your changes are okay by executing the following command:

    $ apachectl -t
    
  • Restart the Apache web server:

    $ sudo installdir/ctlscript.sh restart apache
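The detection pipeline described earlier and the resulting deny rules, combined into one script as an added example (not part of the original Bitnami guide): it runs the same tail/awk/sort pipeline over a constructed access_log sample, picks out clients that only probe the cgi-bin PHP paths seen in the error log above, and prints the matching deny lines to paste into the <Directory> block. The sample log, the IP addresses (documentation ranges) and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Bitnami's own code. Works on a constructed Apache
# combined-format access log; real logs live in installdir/apache2/logs/.

# Constructed sample log. 203.0.113.7 behaves like the probing bot in the
# error-log excerpt above; the other two addresses are normal visitors.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [08/Dec/2014:07:01:52 +0000] "GET /cgi-bin/php-cgi HTTP/1.1" 404 212 "-" "-"
203.0.113.7 - - [08/Dec/2014:07:01:52 +0000] "GET /cgi-bin/php.cgi HTTP/1.1" 404 212 "-" "-"
203.0.113.7 - - [08/Dec/2014:07:01:53 +0000] "GET /cgi-bin/php4 HTTP/1.1" 404 212 "-" "-"
203.0.113.7 - - [08/Dec/2014:07:01:53 +0000] "GET /cgi-bin/php5 HTTP/1.1" 404 212 "-" "-"
198.51.100.9 - - [08/Dec/2014:07:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Dec/2014:07:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Dec/2014:07:03:00 +0000] "GET /about HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF

# Same pipeline as the guide: count hits per client IP over the last N lines.
# $1 = log file, $2 = lines to inspect (default 10000), $3 = rows to show (default 10)
top_ips() {
  tail -n "${2:-10000}" "$1" | awk '{print $1}' | sort | uniq -c | sort -nr | head -n "${3:-10}"
}

# Clients requesting the cgi-bin PHP paths (field 7 of the combined format is
# the request path). These are the "script not found" probes from the error log.
# $1 = log file
cgi_probe_ips() {
  awk '$7 ~ /^\/cgi-bin\/php/ {print $1}' "$1" | sort -u
}

# One "deny from" line per probing client, ready for the <Directory> block.
# Review the list before pasting it: a shared NAT address would block real users too.
# $1 = log file
deny_lines() {
  cgi_probe_ips "$1" | awk '{print "deny from " $1}'
}

echo "Most active clients:"
top_ips "$SAMPLE_LOG" 10000 3
echo "Suggested directives:"
deny_lines "$SAMPLE_LOG"
```

The deny lines are the Apache 2.2-style syntax the guide uses; on Apache 2.4 they require mod_access_compat, and the native equivalent is `Require not ip 203.0.113.7` inside a `<RequireAll>` block together with `Require all granted`.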
    
Last modification June 9, 2020