Port 80 Attack: Quick Fixes

G5 Cyber Security

1 week ago

TL;DR

Someone’s trying to attack your web server on port 80 (standard HTTP). This guide helps you quickly identify the problem, block the attacker, and improve your security. It covers checking logs, using a firewall, and basic hardening steps.

1. Check Your Web Server Logs

Your web server logs are the first place to look for clues about the attack. They’ll tell you where the attacks are coming from (IP addresses) and what they’re trying to do.

Apache: The main log is usually at /var/log/apache2/access.log, and error logs are in /var/log/apache2/error.log.
Nginx: Access logs are typically found at /var/log/nginx/access.log, and error logs at /var/log/nginx/error.log.

Look for:

Repeated requests from the same IP address.
Requests with unusual characters or long strings in the URL.
Error messages indicating suspicious activity (e.g., 404 errors on non-existent pages, attempts to exploit vulnerabilities).

You can use tools like grep to search for specific patterns:

grep "suspicious pattern" /var/log/apache2/access.log

2. Block the Attacker’s IP Address

Once you’ve identified the attacker’s IP address, block it using your firewall.

Using `iptables` (Linux)

Block a single IP:

sudo iptables -A INPUT -s  -j DROP

Example: To block the IP address 192.0.2.1, use:
```
sudo iptables -A INPUT -s 192.0.2.1 -j DROP
```

Save the rules (important!): The rules are lost on reboot unless saved.

sudo apt install iptables-persistent # If not already installed

sudo netfilter-persistent save

Using `ufw` (Linux – simpler)

Block a single IP:

sudo ufw deny from  to any port 80

Example: To block the IP address 192.0.2.1:

sudo ufw deny from 192.0.2.1 to any port 80

Enable UFW if it’s not already running:
```
sudo ufw enable
```

3. Rate Limiting

Rate limiting restricts the number of requests from a single IP address within a certain time period. This can help mitigate brute-force attacks and slow down attackers.

Using Nginx

Add this to your Nginx configuration file (usually in /etc/nginx/sites-available/default or similar):

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s; # Limit to 5 requests per second
server {
  ...
  location / {
    limit_req zone=mylimit burst=20 nodelay;
    ...

Restart Nginx after making changes:

sudo systemctl restart nginx

4. Keep Your Software Updated

Outdated software often has known vulnerabilities that attackers can exploit. Regularly update your web server, operating system, and any other related software.

Ubuntu/Debian:
```
sudo apt update && sudo apt upgrade
```
CentOS/RHEL:
```
sudo yum update
```

5. Basic Web Server Hardening

Disable Directory Listing: Prevent attackers from browsing your server’s directories if there’s no index file.
Apache: In your Apache configuration, ensure Options -Indexes is set.

Nginx: Ensure autoindex off; is set in your Nginx configuration.
Remove Unnecessary Modules: Disable any web server modules you don’t need.