What is the simplest way to stop HTTP requests attempting to exploit/expose private business information?

0

Every day, multiple servers of my company receive automated network requests that are clearly trying to break into our system or expose vulnerabilities. Requests like:

  • GET /.env
  • GET /boaform/admin/formLogin?username=user&psd=user
  • GET /ab2g

etc.

I would like to start auto-banning any IP address that sends a malicious request like that, especially obvious ones like GET /.env, or alternatively, block those requests and soft-ban users for 48 hours to prevent automated attacks from public IPs like VPNs, but I'm not sure what the easiest, most reliable way to do this is.

One of my coworkers was worried that if we auto-ban IPs, one of our customers might end up having one of those IPs assigned to them one day, so I came up with the limited ban idea, but what is the industry standard here?

Thanks!

asked a year ago, 1581 views
1 Answer
0

Hello,

When I am looking to make dynamic firewall rules that are based on what the host is actually receiving, I generally don't go any further than fail2ban. From their main page:

"Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc)."

One of the best features is that it allows you to set the ban time for the IPs that it bans, so nothing need be permanent. Set it for any value that makes sense to you, maybe between 8-24 hours.

Main page: https://www.fail2ban.org/wiki/index.php/Main_Page

Docs: https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

Best, Craig

AWS
answered a year ago
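
A fail2ban filter and jail that match the probe requests quoted in the question and apply the 48-hour ban the asker proposed, as an added example that is not part of the original answer and not one of fail2ban's shipped filters. The filter name `http-probe`, the nginx access-log path, the combined log format and the allowlisted address 203.0.113.10 are assumptions to adapt.

```ini
# ---- /etc/fail2ban/filter.d/http-probe.conf (hypothetical filter name) ----
[Definition]
# Assumes the combined access-log format:
#   <ip> <ident> <user> [<time>] "<METHOD> <path> HTTP/x" <status> ...
# <HOST> is anchored at the start of the line, so text an attacker places in
# the path, referrer or user agent cannot cause a different address to be banned.
# fail2ban strips the timestamp it recognised before matching, so the bracket
# pair is matched whether it is empty or not.
# Only the two unambiguous paths from the question are listed; extend the
# alternation with paths that no legitimate client of your application requests.
failregex = ^<HOST> \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) /(?:\.env|boaform/admin/formLogin)(?:\?\S*)? HTTP/

ignoreregex =

# ---- /etc/fail2ban/jail.local ----
[http-probe]
enabled  = true
filter   = http-probe
port     = http,https
# Assumed log location; point this at the web server's access log.
logpath  = /var/log/nginx/access.log
# One matching request is enough: none of these paths exist on the site.
maxretry = 1
findtime = 600
# 48 hours in seconds. The ban expires on its own, so an address that is later
# reassigned to a customer is not blocked permanently.
bantime  = 172800
# Never ban loopback or known-good addresses (203.0.113.10 is a constructed
# placeholder for an office or monitoring IP).
ignoreip = 127.0.0.1/8 203.0.113.10
```

Running `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/http-probe.conf` shows which existing log lines the filter would match before the jail is enabled. If the servers sit behind a load balancer or proxy, the logged address must be the real client IP, otherwise the ban lands on the proxy.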
