Comment by fareesh
7 months ago
Is there a list of popular attack vector URLs located somewhere? I want to just auto-ban anyone sniffing for .env or ../../../../ etc.
Rather not write it myself
Check out the lists in this repo
https://github.com/danielmiessler/SecLists/blob/master/Disco...
I combined a few of the most interesting lists from here into one and never miss an attack now
It would be a fairly short Perl script to read the access logs and curl a HEAD request to all URLs accessed, printing only those with 200 OK responses.
Here's a start hacked together and tested on my phone:
Also interested in this. For now I've left a server up for a couple of weeks, went through the logs and set up fail2ban for the most common offenders. Once a month or so I keep checking for offenders but the first iteration already blocked many of them.
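An added example, not code from any commenter in this thread: one way to pull repeat offenders out of an access log using the two probe types named above (`.env` requests and `../` traversal), so the resulting addresses can be fed to a ban mechanism such as fail2ban. It assumes the common/combined log format; the function names, the threshold of two hits, and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed format: common/combined access log (client IP first, request line quoted).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)[^"]*"')

# "/.env", "/.env.bak", "/app/.ENV/" match; "/.envoy" and "/environment" do not.
DOTENV_RE = re.compile(r'(?:^|/)\.env(?:[./]|$)', re.IGNORECASE)
# Browsers resolve "../" before sending, so seeing it on the wire is abnormal.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def is_probe(target: str) -> bool:
    # Decode twice so %2e%2e%2f and double-encoded %252e%252e%252f are both caught.
    decoded = unquote(unquote(target))
    path = decoded.split("?", 1)[0]
    # .env is checked on the path only; traversal is checked in the query string too.
    return bool(DOTENV_RE.search(path) or TRAVERSAL_RE.search(decoded))

def offenders(lines, threshold=2):
    """Return sorted client IPs with at least `threshold` probe requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group(2)):
            hits[m.group(1)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 400 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /docs/environment.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:09 +0000] "GET /.env.example HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 88 "-" "-"',
    '192.0.2.9 - - [10/Oct/2023:13:57:13 +0000] "GET /app/.ENV.bak HTTP/1.1" 404 153 "-" "-"',
]

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(ip)
```

The threshold keeps a single stray hit (the `/.env.example` request in the sample) from triggering a ban; tune it to the site's own traffic.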
Check out ModSecurity WAF and CoreRuleSet.