Menu
Community /Pin to ProfileBookmark
@NogDogAug 05.2019 — #My main concern would be false positives: banning IPs that in fact would restrict valid, desired users from accessing your site, either due to over-aggressive "bad request" detection on your part, or malicious users spoofing their IP or using IPs that valid users might use (Starbucks in the town of your choice, for instance).
If it's just the usual script-kiddie robot trying known Wordpress holes and such, but not resulting in denial-of-service floods of requests, I probably wouldn't worry much about it myself. 
@PeterPan_321Aug 06.2019 — #@NogDog#1607227 That's the way I'm leaning too. And I supposes that since mine is a shared hosting account, if there were disruptive amounts of requests flooding in, the techies at the hosting company would let me know. In a sense, NOT logging those failures means even less impact on the server.@PeterPan_321Aug 07.2019 — #@tracknut#1607255 Even though there are a few things my scrip does that wouldn't normally require a cookie or other authorization, I added a bit more dependence on cookies for everything. That enabled me to fail (if i wanted to) based on a visitor cookie not being found, even for those "free" services. Since the site detects and warns visitors that nothing will work right if they have block cookies on the page, I felt that was fair. Thats when i realized that 99% of my logged failures were happening because the required cookies were not found. That plus a dozen or more failed requests in 2 seconds pretty much proved the attacks were "bots". Interestingly, the hackers often took the time to analyzed the javascript on my page, and try to send parameters to mimic some of my simpler "get" request. Of course these fail as well, so they are wasting their time. So now I'm just doing an immediate exit and not logging. Its just disturbing.
This is partially my hosting company's fault. Its "Hostmonster" who apparently have been written up many times as an easy target for hackers. I really need to move, but after being there 10 years its a chore and might have to wait a little.
Whether to ignore or battle with hackers banging on my PHP scripts?
Recently I completed a complex scheme to allow page visitors to download free music, or alternately play (or download) music they’ve paid for. My implementation involves a stand-alone html file, which communicates with a PHP script using javascript and links, to complete or authorize all activities. Every action is logged. Now this is all my original music and I’m no super star, so I was hugely surprised to see my logs filled with people trying to hack my PHP script. Now to be fair, a great deal of my logs showing failed actions may be due to the visitor disabling cookies. Fine… visitors are explicitly warned that the page features won’t work if cookies are found disabled. I do this to screen out anyone setting up a robot or hacking script designed to keep trying, and the page needs encrypted cookies anyway to authorize song permissions. Multiple logged failures with timestamps less than a second apart further prove its not being caused by visitors clicking randomly.
Well the logs do show me the visitors IP, so up till now, I’ve been watching the logs for repeat offenders. Those IPs often trace to Romainia or other locations with doubtful “legitimate” interest in my site. So I then manually deny access to my whole site from those IPs by editing my .HTACCESS file. Now I’ve been thinking of going further by automating that process… recording obvious hack attempts in a database and automatically adding repeat offenders to my growing list of HTACCESS denials.
But now I’m thinking that maybe I’m wasting my time? Maybe I should simply start ignoring the obvious hack attempts, and not even log them. The site and the music authorization scheme have been working perfectly for months now, and if anyone has hacked into my protected directories to gain unauthorized access to files, its obvious they are **not
So what is the general consensus about what to do in cases like this? Should I allow hack attempts to continue unabated, and stop logging them at all? Or should I actively go to battle, by implementing automatic denial additions to my HTACCESS file as I described? The battle seems like a good idea because I’m not crazy about letting hackers waste bandwidth I’m paying for. But on the other hand, I know these things are like a nuclear arms race, and I’ve got a pile of other projects and pages to get to. So maybe as long as the script is blocking them all successfully, I should stop logging them all and ignore the nefarious activity?
Sign in
to post a comment5 Comments(s) ↴
0
@NogDogAug 05.2019 — #If it's just the usual script-kiddie robot trying known Wordpress holes and such, but not resulting in denial-of-service floods of requests, I probably wouldn't worry much about it myself.
0
@PeterPan_321Aug 06.2019 — #0
@PeterPan_321Aug 07.2019 — #This is partially my hosting company's fault. Its "Hostmonster" who apparently have been written up many times as an easy target for hackers. I really need to move, but after being there 10 years its a chore and might have to wait a little.