I have a website served via AWS CloudFront. I've been getting a ton of entries in my nginx logs that look something like this:
nginx_1 | 103.241.51.144 - - [09/Aug/2020:16:03:08 +0000] "GET /mysql/admin/index.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" "-"
nginx_1 | 195.54.160.21 - - [09/Aug/2020:16:20:26 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
nginx_1 | 172.93.99.2 - - [09/Aug/2020:17:23:44 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 405 157 "http://52.xxx.xx.xx:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
nginx_1 | 172.93.99.2 - - [09/Aug/2020:17:23:44 +0000] "" 400 0 "-" "-" "-"
nginx_1 | 83.97.20.29 - - [09/Aug/2020:17:30:02 +0000] "GET / HTTP/1.0" 400 157 "-" "-" "-"
nginx_1 | 44.225.84.206 - - [09/Aug/2020:20:18:31 +0000] "GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1" 200 2311 "-" "AWS Security Scanner" "-"
nginx_1 | 44.225.84.206 - - [09/Aug/2020:20:18:32 +0000] "CONNECT 52.xxx.xx.xx:80 HTTP/1.0" 400 157 "-" "-" "-"
nginx_1 | 44.225.84.206 - - [09/Aug/2020:20:18:33 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\x14\x02l\xA2\x05\xBF\xBD\xBA7<\x09\x5C\xCAP\x1DM\x93a{\xFC\xC9\xC5\x1FJ\xA4Y\xC7~\x95\xBD\x1D\xC0\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"
nginx_1 | 172.93.99.2 - - [10/Aug/2020:03:57:57 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 405 157 "http://52.xxx.xx.xx:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
In my effort to stop the bots/hacks, I've implemented an AWS WAF with the following Managed Rules:
- AWS-AWSManagedRulesAmazonIpReputationList
- AWS-AWSManagedRulesKnownBadInputsRuleSet
- AWS-AWSManagedRulesCommonRuleSet
- AWS-AWSManagedRulesAnonymousIpList
For the "Default web ACL action for requests that don't match any rules" I have it set to "allow". Combined, these have 975/1500 WCUs but it still doesn't seem to be making an improvement. I've also tried blocking by IP Set but to no avail since the IP addresses keep changing.
Am I doing something wrong? Does anyone have a suggestion to improve this?
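As an added example (not part of the question or of any AWS tooling), here is a small Python parser for the nginx log format shown above. It reads the lines exactly as posted, tags each request with what it looks like from a defender's view (known scanner paths, malformed or non-HTTP requests, open-proxy style requests), and records whether an X-Forwarded-For value was present. It assumes the trailing quoted field is $http_x_forwarded_for, which is what the nginx Docker image's default "main" log_format writes; CloudFront adds that header when it forwards a request to the origin, so a "-" there on every line is a sign the requests reached the origin directly, where a WAF attached to the CloudFront distribution never sees them. The probe-path list and tag names are illustrative choices of this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Sample input: the log lines from the question, embedded verbatim. The "nginx_1 |" prefix is
# docker-compose output; the last quoted field is assumed to be $http_x_forwarded_for.
SAMPLE_LOG = r'''
nginx_1 | 103.241.51.144 - - [09/Aug/2020:16:03:08 +0000] "GET /mysql/admin/index.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" "-"
nginx_1 | 195.54.160.21 - - [09/Aug/2020:16:20:26 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
nginx_1 | 172.93.99.2 - - [09/Aug/2020:17:23:44 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 405 157 "http://52.xxx.xx.xx:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
nginx_1 | 172.93.99.2 - - [09/Aug/2020:17:23:44 +0000] "" 400 0 "-" "-" "-"
nginx_1 | 83.97.20.29 - - [09/Aug/2020:17:30:02 +0000] "GET / HTTP/1.0" 400 157 "-" "-" "-"
nginx_1 | 44.225.84.206 - - [09/Aug/2020:20:18:31 +0000] "GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1" 200 2311 "-" "AWS Security Scanner" "-"
nginx_1 | 44.225.84.206 - - [09/Aug/2020:20:18:32 +0000] "CONNECT 52.xxx.xx.xx:80 HTTP/1.0" 400 157 "-" "-" "-"
nginx_1 | 44.225.84.206 - - [09/Aug/2020:20:18:33 +0000] "\x16\x03\x01\x00\xD2\x01\x00\x00\xCE\x03\x03\x14\x02l\xA2\x05\xBF\xBD\xBA7<\x09\x5C\xCAP\x1DM\x93a{\xFC\xC9\xC5\x1FJ\xA4Y\xC7~\x95\xBD\x1D\xC0\x00\x00b\xC00\xC0,\xC0/\xC0+\x00\x9F\x00\x9E\xC02\xC0.\xC01\xC0-\x00\xA5\x00\xA1\x00\xA4\x00\xA0\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"
nginx_1 | 172.93.99.2 - - [10/Aug/2020:03:57:57 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 405 157 "http://52.xxx.xx.xx:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
'''
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# nginx "main" format: $remote_addr - $remote_user [$time_local] "$request" $status
# $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?'                                   # optional "service |" docker-compose prefix
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<bytes>\d+) '  # non-greedy: $request may hold escaped bytes
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Illustrative list of paths that mass scanners commonly request (assumption of this example).
PROBE_PATHS = ("/mysql/", "/phpmyadmin", "/boaform/", "/wp-login.php", "/.env")
PROBE_QUERY_KEYS = ("XDEBUG_SESSION_START",)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = int(e["bytes"])
    return e


def classify(e):
    """Tag one parsed entry with the scanner-like traits it shows (order is fixed)."""
    tags = []
    req = e["request"]
    if e["status"] == 400 or req == "":
        tags.append("malformed-request")          # nginx could not parse it as HTTP
    if "\\x" in req:
        tags.append("non-http-bytes")             # escaped raw bytes, e.g. TLS sent to the plaintext port
    parts = req.split(" ")
    if len(parts) == 3 and parts[0].isalpha():
        method, target, _ = parts
        if method == "CONNECT" or target.startswith(("http://", "https://")):
            tags.append("proxy-probe")            # asks this server to reach some other host
        else:
            url = urlsplit(target)
            if url.path.lower().startswith(PROBE_PATHS):
                tags.append("known-probe-path")
            if any(k in url.query for k in PROBE_QUERY_KEYS):
                tags.append("known-probe-query")
    if e["xff"] == "-":
        tags.append("no-x-forwarded-for")         # CloudFront sets this header; "-" suggests a direct origin hit
    return tags


def direct_origin_ips(entries):
    """Sorted client IPs whose requests carried no X-Forwarded-For, i.e. likely bypassed CloudFront."""
    return sorted({e["ip"] for e in entries if e["xff"] == "-"})


def summarize(lines):
    """Parse all lines and count tags per client IP; returns (entries, {ip: Counter})."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(Counter)
    for e in entries:
        for tag in classify(e):
            by_ip[e["ip"]][tag] += 1
    return entries, dict(by_ip)


if __name__ == "__main__":
    entries, by_ip = summarize(SAMPLE_LINES)
    for ip, counts in sorted(by_ip.items()):
        print(ip, dict(counts))
    print("no X-Forwarded-For from:", direct_origin_ips(entries))
```

Run against the posted lines, every entry is tagged no-x-forwarded-for, which is the check worth doing before tuning WAF rules: a request that never passes through CloudFront is never evaluated by a web ACL associated with the distribution, however many WCUs the rule groups consume.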