TL;DR
Someone’s trying to attack your web server on port 80 (standard HTTP). This guide helps you quickly identify the problem, block the attacker, and improve your security. It covers checking logs, using a firewall, and basic hardening steps.
1. Check Your Web Server Logs
Your web server logs are the first place to look for clues about the attack. They’ll tell you where the attacks are coming from (IP addresses) and what they’re trying to do.
- Apache: The main log is usually at /var/log/apache2/access.log, and error logs are in /var/log/apache2/error.log.
- Nginx: Access logs are typically found at /var/log/nginx/access.log, and error logs at /var/log/nginx/error.log.
Look for:
- Repeated requests from the same IP address.
- Requests with unusual characters or long strings in the URL.
- Error messages indicating suspicious activity (e.g., 404 errors on non-existent pages, attempts to exploit vulnerabilities).
You can use tools like grep to search for specific patterns:
grep "suspicious pattern" /var/log/apache2/access.log
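The three checks listed above can be combined into one pass over the log. This is an added example, not part of the original guide: it assumes the combined log format, and the function names, thresholds and sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage a combined-format access log per client IP.

# Constructed sample lines (documentation address ranges), not real traffic.
sample_log() {
  cat <<'EOF'
192.0.2.1 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.1 - - [10/Oct/2024:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.1 - - [10/Oct/2024:13:55:37 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.1 - - [10/Oct/2024:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:05 +0000] "GET /about.html HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:57:12 +0000] "GET /search?q=<test> HTTP/1.1" 400 0 "-" "-"
203.0.113.9 - - [10/Oct/2024:13:57:13 +0000] "-" 400 0 "-" "-"
EOF
}

# summarize_log FILE|- [MIN_REQUESTS] [MAX_URL_LEN]
# Prints "ip requests 404s odd_urls", busiest first, for every IP that made at
# least MIN_REQUESTS requests or sent any long or unusual URL.
# Assumes the request line contains no literal double quote.
summarize_log() {
  awk -F'"' -v min="${2:-3}" -v maxlen="${3:-200}" '
    NF < 3 { next }                         # skip lines not in combined format
    {
      split($1, pre, " "); ip = pre[1]      # client address
      n = split($2, req, " ")               # METHOD URL PROTOCOL, or "-" if malformed
      url = (n >= 2) ? req[2] : ""
      split($3, post, " ")                  # status and response size
      hits[ip]++
      if (post[1] + 0 == 404) notfound[ip]++
      # Long URL, or any character outside a conservative URL character set
      if (length(url) > maxlen + 0 || url !~ "^[A-Za-z0-9_.~/?&=%+,:@-]*$") odd[ip]++
    }
    END {
      for (ip in hits)
        if (hits[ip] >= min + 0 || odd[ip] > 0)
          printf "%s %d %d %d\n", ip, hits[ip], notfound[ip], odd[ip]
    }' "${1:--}" | sort -k2,2nr -k1,1
}

# Demo on the constructed sample; for a real log pass its path instead of "-".
sample_log | summarize_log -
```

On a live server, call summarize_log with the access log path from the list above, and treat the output as a shortlist to review by hand before blocking anything.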
2. Block the Attacker’s IP Address
Once you’ve identified the attacker’s IP address, block it using your firewall.
Using iptables (Linux)
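- Block a single IP (replace <IP_ADDRESS> with the attacker’s address):
  sudo iptables -A INPUT -s <IP_ADDRESS> -j DROP
  Note that -A appends the rule to the end of the INPUT chain, so it only takes effect if no earlier rule already accepts the traffic.
- Example: To block the IP address 192.0.2.1, use:
  sudo iptables -A INPUT -s 192.0.2.1 -j DROP
- Save the rules (important!): The rules are lost on reboot unless saved.
  sudo apt install iptables-persistent # If not already installed
  sudo netfilter-persistent save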
Using ufw (Linux – simpler)
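- Block a single IP (replace <IP_ADDRESS> with the attacker’s address):
  sudo ufw deny from <IP_ADDRESS> to any port 80
  ufw evaluates rules in order, so a deny rule added after an existing allow rule for port 80 will not match unless it is placed before it.
- Example: To block the IP address 192.0.2.1:
  sudo ufw deny from 192.0.2.1 to any port 80
- Enable UFW if it’s not already running (on a remote server, make sure SSH access is allowed first, or you can lock yourself out):
  sudo ufw enable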
3. Rate Limiting
Rate limiting restricts the number of requests from a single IP address within a certain time period. This can help mitigate brute-force attacks and slow down attackers.
Using Nginx
Add this to your Nginx configuration file (usually in /etc/nginx/sites-available/default or similar):
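# Must sit in the http context, outside any server block
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s; # Limit to 5 requests per second
server {
    # ... existing server directives ...
    location / {
        # Serve up to 20 excess requests immediately; reject anything beyond that
        limit_req zone=mylimit burst=20 nodelay;
        # ... existing location directives ...
    }
}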
Restart Nginx after making changes:
sudo systemctl restart nginx
4. Keep Your Software Updated
Outdated software often has known vulnerabilities that attackers can exploit. Regularly update your web server, operating system, and any other related software.
- Ubuntu/Debian:
  sudo apt update && sudo apt upgrade
- CentOS/RHEL:
  sudo yum update
5. Basic Web Server Hardening
- Disable Directory Listing: Prevent attackers from browsing your server’s directories if there’s no index file.
  Apache: In your Apache configuration, ensure Options -Indexes is set.
  Nginx: Ensure autoindex off; is set in your Nginx configuration.
- Remove Unnecessary Modules: Disable any web server modules you don’t need.

