Related

Problem installing wordpress on subdomain (nginx / ubuntu) Question Question
cpu from 13% to 100% in one minute Question Question

Question

Digital Ocean Firewall overriding iptables?

Posted July 19, 2018 1.7k views
ApacheSecurityDigitalOceanFirewallUbuntu 16.04DigitalOcean Cloud Firewalls

Hi,
We are currently trying to tackle some suspicious behavior on our digital ocean droplet that is causing the web server to crash every so often.

Here is the log: 

181.176.75.66 - - [19/Jul/2018:14:53:09 +0000] "GET http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962&old_url=http://recargas.bitel.com.pe/?isdn=51927413962 HTTP/1.1" 200 1567 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"

From what I can tell Its a Bot that has latched onto our IP. (The IP seems to be changing daily) but the logs are always the same.

I tried using IP tables to ban the IP address both incoming and outgoing to no avail. I also tried using UFW such as 

Note the IP Address Originated from same 181.176.xx.xx 
Anywhere                   DENY        181.176.83.62
Anywhere on eth0           DENY        181.176.83.62

I can’t understand why these commands aren’t working and I have a feeling something is either wrong with my server setup or it’s being superseded by something

It appears that the only way to prevent it reaching the server is by the use of Digital Oceans Cloud Firewall which is not ideal as we’re using Cloudflare CDN who’s IP Addresses change too often for me to manually keep the DOCF updated.

Any advice is greatly appreciated

Add a comment
robatjam
By:
robatjam

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
jarland July 19, 2018

Hello friend!

Sorry to hear about the trouble this is giving you. I’m happy to offer the best advice that I can. Is that IP hitting you directly or are you reading the forwarded IP from CloudFlare’s headers and writing it to the log that way? This is going to be relevant as it means that neither firewall should function for blocking that IP as the traffic would actually be coming in through CloudFlare. If that is the case, you may actually be able to block the IP with CloudFlare themselves.

Kind Regards,
Jarland
Platform Support Lead

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help