597 points classichasclass | 25 comments
bob1029 ◴[] No.45011628[source]
I think a lot of really smart people are letting themselves get taken for a ride by the web scraping thing. Unless the bot activity is legitimately hammering your site and causing issues (not saying this isn't happening in some cases), then this mostly amounts to an ideological game of capture the flag. The difference being that you'll never find their flag. The only thing you win by playing is lost time.

The best way to mitigate the load from diffuse, unidentifiable, grey area participants is to have a fast and well engineered web product. This is good news, because your actual human customers would really enjoy this too.

replies(7): >>45011652 #>>45011830 #>>45011850 #>>45012424 #>>45012462 #>>45015038 #>>45015451 #
phito ◴[] No.45011652[source]
My friend has a small public gitea instance, only used by him and a few friends. He's getting thousands of requests an hour from bots. I'm sorry but even if it does not impact his service, at the very least it feels like harassment
replies(7): >>45011694 #>>45011816 #>>45011999 #>>45013533 #>>45013955 #>>45014807 #>>45025114 #
1. dmesg ◴[] No.45011694[source]
Yes and it makes reading your logs needlessly harder. Sometimes I find an odd password being probed, search for it on the web and find an interesting story, that a new backdoor was discovered in a commercial appliance.

In that regard reading my logs led me sometimes to interesting articles about cyber security. Also log flooding may result in your journaling service truncating the log and you miss something important.

replies(3): >>45011747 #>>45011811 #>>45012470 #
2. wvbdmp ◴[] No.45011747[source]
You log passwords?
replies(4): >>45013224 #>>45014657 #>>45014868 #>>45018054 #
3. ◴[] No.45011811[source]
4. rollcat ◴[] No.45012470[source]
> Sometimes I find an odd password being probed, search for it on the web and find an interesting story [...].

Yeah, this is beyond irresponsible. You know the moment you're pwned, __you__ become the new interesting story?

For everyone else, use a password manager to pick a random password for everything.

replies(1): >>45012625 #
5. Thorrez ◴[] No.45012625[source]
What is beyond irresponsible? Monitoring logs and researching odd things found there?
replies(2): >>45013099 #>>45013232 #
6. JohnFen ◴[] No.45013099{3}[source]
How are passwords ending up in your logs? Something is very, very wrong there.
replies(2): >>45013284 #>>45014850 #
7. ◴[] No.45013224[source]
8. rollcat ◴[] No.45013232{3}[source]
The way to handle a password:

    const bcrypt = require('bcrypt');                 // npm "bcrypt" package; runs inside an async request handler
    const plaintextPassword = req.body.password;      // Express-style body; never log or persist this value
    const ok = await bcrypt.compare(plaintextPassword, user.hashedPassword);
    // (now throw away req.body and plaintextPassword; log only the outcome, never the input)
    if (ok) { /* establish the session */ } else { /* same generic failure as for an unknown user */ }
Bonus points: on user lookup, when no user is found, fetch a dummy hashedPassword, compare, and ignore the result. This will partially mitigate username enumeration via timing attacks.
replies(1): >>45014452 #
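As an added worked example (not rollcat's code and not from the thread), the same login flow in Python: the stored hash uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so it runs without extra packages, the user table and password are constructed, and the unknown-user branch hashes against a dummy record so both paths do the same work. The plaintext never leaves the verifying function, and the audit helper shows what a log line for the attempt may contain.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Stand-in for bcrypt so the example runs with the standard library only:
# PBKDF2-HMAC-SHA256 with a per-user random salt. Cost is deliberately modest.
ITERATIONS = 100_000

def hash_password(plaintext: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

# Dummy record used whenever the username does not exist, so the "no such user"
# path still performs one full hash and one comparison (rollcat's bonus point:
# it partially hides user existence from timing measurements).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-value-never-matches")

# Constructed user table (hypothetical user and password, for this example only).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}

def verify_login(form: Dict[str, str], users: Dict[str, Tuple[bytes, bytes]] = USERS) -> bool:
    """Check a submitted form; True only for an existing user with the right password.

    The plaintext lives in this frame only: it is never written anywhere, and the
    caller logs the username and the boolean outcome, nothing else.
    """
    username = form.get("username", "")
    plaintext = form.get("password", "")
    record = users.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, candidate = hash_password(plaintext, salt)
    ok = hmac.compare_digest(candidate, stored)   # constant-time digest comparison
    del plaintext                                 # drop the secret before returning
    return ok and user_exists

def login_audit_record(form: Dict[str, str], ok: bool) -> Dict[str, object]:
    """The fields an access/audit log entry for this attempt may contain: no password."""
    return {"username": form.get("username", ""), "success": ok}

if __name__ == "__main__":
    attempt = {"username": "alice", "password": "correct horse battery staple"}
    print(login_audit_record(attempt, verify_login(attempt)))
```

The unknown-user branch still returns False after the dummy comparison; the explicit `and user_exists` makes that intent visible rather than relying on the dummy digest never matching.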
9. dmesg ◴[] No.45013284{4}[source]
Does an attacking bot know your webserver is not a misconfigured router exposing its web interface to the net? I often am baffled what conclusions people come up with from half reading posts. I had bots attack me with SSH 2.0 login attempts on port 80 and 443. Some people underestimate how bad at computer science some skids are.
replies(3): >>45014297 #>>45015462 #>>45019689 #
10. socksy ◴[] No.45014297{5}[source]
Also baffled that three separate people came to that conclusion. Do they not run web servers on the open web or something? Script kiddies are constantly probing URLs, and URLs come up in your logs. Sure it would be bad if that was how your app was architected. But it's not how it's architected, it's how the skids hope your app is architected. It's not like if someone sends me a request for /wp-login.php that my rails app suddenly becomes WordPress??
replies(2): >>45014904 #>>45019187 #
11. Sophira ◴[] No.45014452{4}[source]
I believe you may have misinterpreted the comment. They're not talking about logs that were made from a login form on their website. They're talking about generic logs (sometimes not even web server logs) being generated because of bots that are attempting to find vulnerabilities on random pages. Pages that don't even exist or may not even be applicable on this server.
12. zeta0134 ◴[] No.45014657[source]
Just about nobody logs passwords on purpose. But really stupid IoT devices accept credentials as like query strings, or part of the path or something, and it's common to log those. The attacker is sending you passwords meant for a much less secure system.
replies(1): >>45015432 #
13. hvb2 ◴[] No.45014850{4}[source]
If the caller puts it in the query string and you log that? It doesn't have to be valid in your application to make an attacker pass it in.

So unless you're not logging your request path/query string you're doing something very very wrong by your own logic :). I can't imagine diagnosing issues with web requests and not being given the path + query string. You can diagnose without it, but you're sure not making things easier

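Both zeta0134's point (credentials aimed at some router or IoT interface arrive in your query string) and hvb2's (you still want the path and query string for diagnosis) can be reconciled by scrubbing credential-like parameters before the line is written or shipped. The following is an added example in Python, not code from anyone in the thread: the parameter-name list, the combined-format sample entries and the IP addresses are all constructed for the example.

```python
import re
from typing import List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that carry credentials on the router/IoT-style interfaces the
# thread describes. Constructed starter list; extend it for your own deployment.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "token", "auth", "key", "secret", "apikey"}

# Request line inside a common/combined-format access log entry: "GET /path?q HTTP/1.1"
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target: str) -> str:
    """Redact credential-like query values (and URL userinfo) in a request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    netloc = parts.netloc
    if parts.password is not None:           # absolute-form target such as http://admin:pw@host/
        host = parts.hostname or ""
        if parts.port:
            host = f"{host}:{parts.port}"
        netloc = f"{parts.username}:REDACTED@{host}"
    # urlencode re-encodes the remaining values, so escaping may differ from the
    # original bytes; keys and non-sensitive values are preserved.
    return urlunsplit(parts._replace(netloc=netloc, query=urlencode(cleaned)))

def redact_line(line: str) -> str:
    """Apply redact_target to the request line of one access-log entry."""
    return REQUEST_LINE_RE.sub(
        lambda m: f'"{m["method"]} {redact_target(m["target"])} {m["proto"]}"', line)

# Constructed sample entries modelled on the probes described in the thread.
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [01/May/2024:10:00:01 +0000] "GET /cgi-bin/luci?username=admin&password=hunter2 HTTP/1.1" 404 153',
    '203.0.113.5 - - [01/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 153',
    '198.51.100.9 - - [01/May/2024:10:00:03 +0000] "GET /api/v1/status?token=abc123&verbose=1 HTTP/1.1" 200 88',
]

def redact_log(lines: List[str]) -> List[str]:
    """Scrub every entry; the path, non-sensitive parameters, status and size survive."""
    return [redact_line(line) for line in lines]

if __name__ == "__main__":
    for entry in redact_log(SAMPLE_LOG):
        print(entry)
```

Running this as a filter in front of the log writer (or in the shipper) keeps `/cgi-bin/luci?username=admin&password=REDACTED` in the record, which is still enough to recognise the probe and the target product without retaining the secret. Keys that are only ever in the POST body are not covered, since a normal access log never sees the body in the first place.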
14. stronglikedan ◴[] No.45014868[source]
Sure, why not. Log every secret you come across (or that comes across you). Just don't log your own secrets. Like OP said, it led down some interesting trails.
15. JohnFen ◴[] No.45014904{6}[source]
> Do they not run web servers on the open web or something?

Until AI crawlers chased me off of the web, I ran a couple of fairly popular websites. I just so rarely see anybody including passwords in the URLs anymore that I didn't really consider that as what the commenter was talking about.

replies(1): >>45018636 #
16. SoftTalker ◴[] No.45015432{3}[source]
You probably shouldn't log usernames then, or really any form fields, as users might accidentally enter a password into one of them. Kind of defeats the point of web forms, but safety is important!
replies(2): >>45018570 #>>45019660 #
17. SoftTalker ◴[] No.45015462{5}[source]
Running ssh on 80 or 443 is a way to get around boneheaded firewalls that allow http(s) but block ssh, so it's not completely insane to see probes for it.
18. dpkirchner ◴[] No.45018054[source]
I remember back before ssh was a thing folks would log login attempts -- it was easy to get some people's passwords because it was common for them to accidentally use them as the username (which are always safe to log, amirite?). All you had to do was watch for a failed login followed by a successful login from the same IP.
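The pattern dpkirchner describes (a failed login under an odd "username", then a success from the same address under a different name) is also a usable signature for scrubbing your own logs, since the failed name is very likely someone's password. The following added example in Python is not code from the thread; the sshd-style line format with an ISO timestamp prefix, the hostnames and the addresses are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# sshd-style lines with an ISO timestamp prefix (constructed format for this example).
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) .*Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) .*Accepted password for (?P<user>\S+) from (?P<ip>\S+)")

def redact_swapped_credentials(lines: List[str], window_seconds: int = 60) -> Tuple[List[str], List[int]]:
    """Scrub 'username' fields that were probably a password typed into the wrong box.

    Signature: a failed login for some name, then within `window_seconds` a
    successful login from the same IP under a *different* name. The failed name
    is treated as a probable secret and replaced. A failed attempt under the same
    name that later succeeds is an ordinary typo and is left alone.
    Returns (cleaned lines, indices of the lines that were scrubbed).
    """
    pending: Dict[str, List[Tuple[datetime, int, str]]] = {}   # ip -> failed attempts
    suspects: Dict[int, str] = {}                               # line index -> suspect name
    for idx, line in enumerate(lines):
        m = FAILED_RE.match(line)
        if m:
            pending.setdefault(m["ip"], []).append((datetime.fromisoformat(m["ts"]), idx, m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            for failed_ts, failed_idx, failed_user in pending.pop(m["ip"], []):
                if failed_user != m["user"] and ts - failed_ts <= timedelta(seconds=window_seconds):
                    suspects[failed_idx] = failed_user
    cleaned = []
    for idx, line in enumerate(lines):
        if idx in suspects:
            pattern = rf"(password for (?:invalid user )?){re.escape(suspects[idx])}( from )"
            line = re.sub(pattern, r"\1[REDACTED]\2", line, count=1)
        cleaned.append(line)
    return cleaned, sorted(suspects)

# Constructed sample: line 0 is the swap pattern, lines 2-3 an ordinary typo,
# line 4 a probe with no later success.
SAMPLE_AUTH_LOG: List[str] = [
    "2024-05-01T10:00:01 host sshd[100]: Failed password for invalid user hunter2 from 203.0.113.5 port 4242 ssh2",
    "2024-05-01T10:00:09 host sshd[101]: Accepted password for alice from 203.0.113.5 port 4243 ssh2",
    "2024-05-01T10:05:00 host sshd[102]: Failed password for alice from 198.51.100.9 port 5000 ssh2",
    "2024-05-01T10:05:20 host sshd[103]: Accepted password for alice from 198.51.100.9 port 5001 ssh2",
    "2024-05-01T11:00:00 host sshd[104]: Failed password for invalid user root from 192.0.2.77 port 6000 ssh2",
]

if __name__ == "__main__":
    cleaned, flagged = redact_swapped_credentials(SAMPLE_AUTH_LOG)
    print("scrubbed line indices:", flagged)
    for entry in cleaned:
        print(entry)
```

The window is the knob to tune: too wide and you scrub names of people who merely fat-fingered their login, too narrow and a slow retry escapes. Running it over a closed log file before it is archived or shared covers the case dpkirchner describes without changing what the server records in the first place.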
19. Dylan16807 ◴[] No.45018570{4}[source]
Are you using a very weird definition of "logging" to make a joke? Web forms don't need any logging to work.
replies(1): >>45034446 #
20. viridian ◴[] No.45018636{7}[source]
Just about every crawler that tries probing for wordpress vulnerabilities does this, or includes them in the naked headers as a part of their deluge of requests.
21. maxbond ◴[] No.45019187{6}[source]
> It's not like if someone sends me a request for /wp-login.php that my rails app suddenly becomes WordPress??

You're absolutely right. That's my mistake — you are requesting a specific version of WordPress, but I had written a Rails app. I've rewritten the app as a WordPress plugin and deployed it. Let me know if there's anything else I can do for you.

22. hinkley ◴[] No.45019660{4}[source]
So no access logs at all then? That sounds effective.
23. hinkley ◴[] No.45019689{5}[source]
I recall finding weird URLs in my access logs way back when where someone was trying to hit my machine with the CodeRed worm, a full decade after it was new. That was surreal.
24. SoftTalker ◴[] No.45034446{5}[source]
You save them in a database. Probably in clear text. Six of one, half-dozen of the other.
replies(1): >>45035077 #
25. Dylan16807 ◴[] No.45035077{6}[source]
A password being put into a normal text field in a properly submitted form is a lot less likely than getting into some query or path. And a database is more likely to be handled properly than some random log file.

Six of one, .008 of a dozen of the other.