←back to thread

Ban me at the IP level if you don't like me

(boston.conman.org)
597 points classichasclass | 9 comments | 25 Aug 25 04:23 UTC | HN request time: 0.001s | source | bottom
Show context
bob1029 ◴[25 Aug 25 08:35 UTC] No.45011628[source]
I think a lot of really smart people are letting themselves get taken for a ride by the web scraping thing. Unless the bot activity is legitimately hammering your site and causing issues (not saying this isn't happening in some cases), then this mostly amounts to an ideological game of capture the flag. The difference being that you'll never find their flag. The only thing you win by playing is lost time.

The best way to mitigate the load from diffuse, unidentifiable, grey area participants is to have a fast and well engineered web product. This is good news, because your actual human customers would really enjoy this too.

replies(7): >>45011652 #>>45011830 #>>45011850 #>>45012424 #>>45012462 #>>45015038 #>>45015451 #
phito ◴[25 Aug 25 08:40 UTC] No.45011652[source]
My friend has a small public gitea instance, only use by him a a few friends. He's getting thousounds of requests an hour from bots. I'm sorry but even if it does not impact his service, at the very least it feels like harassment
replies(7): >>45011694 #>>45011816 #>>45011999 #>>45013533 #>>45013955 #>>45014807 #>>45025114 #
dmesg ◴[25 Aug 25 08:46 UTC] No.45011694[source]
Yes and it makes reading your logs needlessly harder. Sometimes I find an odd password being probed, search for it on the web and find an interesting story, that a new backdoor was discovered in a commercial appliance.

In that regard reading my logs led me sometimes to interesting articles about cyber security. Also log flooding may result in your journaling service truncating the log and you miss something important.

replies(3): >>45011747 #>>45011811 #>>45012470 #
rollcat ◴[25 Aug 25 10:51 UTC] No.45012470[source]
> Sometimes I find an odd password being probed, search for it on the web and find an interesting story [...].

Yeah, this is beyond irresponsible. You know the moment you're pwned, __you__ become the new interesting story?

For everyone else, use a password manager to pick a random password for everything.

replies(1): >>45012625 #
Thorrez ◴[25 Aug 25 11:21 UTC] No.45012625[source]
What is beyond irresponsible? Monitoring logs and researching odd things found there?
replies(2): >>45013099 #>>45013232 #
1. JohnFen ◴[25 Aug 25 12:26 UTC] No.45013099[source]
How are passwords ending up in your logs? Something is very, very wrong there.
replies(2): >>45013284 #>>45014850 #
2. dmesg ◴[25 Aug 25 12:50 UTC] No.45013284[source]
Does an attacking bot know your webserver is not a misconfigured router exposing its web interface to the net? I often am baffled what conclusions people come up with from half reading posts. I had bots attack me with SSH 2.0 login attempts on port 80 and 443. Some people underestimate how bad at computer science some skids are.
replies(3): >>45014297 #>>45015462 #>>45019689 #
3. socksy ◴[25 Aug 25 14:33 UTC] No.45014297[source]
Also baffled that three separate people came to that conclusion. Do they not run web servers on the open web or something? Script kiddies are constantly probing urls, and urls come up in your logs. Sure it would be bad if that was how your app was architected. But it's not how it's architected, it's how the skids hope your app is architected. It's not like if someone sends me a request for /wp-login.php that my rails app suddenly becomes WordPress??
replies(2): >>45014904 #>>45019187 #
4. hvb2 ◴[25 Aug 25 15:22 UTC] No.45014850[source]
If the caller puts it in the query string and you log that? It doesn't have to be valid in your application to make an attacker pass it in.

So unless you're not logging your request path/query string you're doing something very very wrong by your own logic :). I can't imagine diagnosing issues with web requests and not be given the path + query string. You can diagnose without but you're sure not making things easier

5. JohnFen ◴[25 Aug 25 15:27 UTC] No.45014904{3}[source]
> Do they not run web servers on the open web or something?

Until AI crawlers chased me off of the web, I ran a couple of fairly popular websites. I just so rarely see anybody including passwords in the URLs anymore that I didn't really consider that as what the commenter was talking about.

replies(1): >>45018636 #
6. SoftTalker ◴[25 Aug 25 16:15 UTC] No.45015462[source]
Running ssh on 80 or 443 is a way to get around boneheaded firewalls that allow http(s) but block ssh, so it's not completely insane to see probes for it.
7. viridian ◴[25 Aug 25 20:32 UTC] No.45018636{4}[source]
Just about every crawler that tries probing for wordpress vulnerabilities does this, or includes them in the naked headers as a part of their deluge of requests.
8. maxbond ◴[25 Aug 25 21:22 UTC] No.45019187{3}[source]
> It's not like if someone sends me a request for /wp-login.php that my rails app suddenly becomes WordPress??

You're absolutely right. That's my mistake — you are requesting a specific version of WordPress, but I had written a Rails app. I've rewritten the app as a WordPress plugin and deployed it. Let me know if there's anything else I can do for you.

9. hinkley ◴[25 Aug 25 22:07 UTC] No.45019689[source]
I recall finding weird URLs in my access logs way back when where someone was trying to hit my machine with the CodeRed worm, a full decade after it was new. That was surreal.