Ping a Specific Port

Question

me_yy

Asked: 2020-03-31 09:34:11 +0800 CST2020-03-31 09:34:11 +0800 CST 2020-03-31 09:34:11 +0800 CST

Is this real google bot or attack? How do I deal with it?

772

So basically my site was unaccessible and I went to logs folder to see what's wrong and noticed a lot of weird requests from various IPs:

155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
209.141.45.189 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
209.141.45.189 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:45 +0300] "GET / HTTP/1.0" 200 6189 "-" "Google Bot"
185.220.100.252 - - [30/Mar/2020:20:23:56 +0300] "GET / HTTP/1.0" 200 6344 "-" "Google Bot"
209.141.45.189 - - [30/Mar/2020:20:23:56 +0300] "GET / HTTP/1.0" 200 6344 "-" "Google Bot"
162.247.74.206 - - [30/Mar/2020:20:23:56 +0300] "GET / HTTP/1.0" 200 6344 "-" "Google Bot"
155.4.117.13 - - [30/Mar/2020:20:23:56 +0300] "GET / HTTP/1.0" 200 6344 "-" "Google Bot"

I wonder if it's some kind of attack.

Did some whois lookup, for example this ip 185.220.100.252 is from Germany, "tor-exit-1.zbau.f3netze.de"

How can I protect server from such attacks?

They do like thousand of requests per minute and I can't access my own site.

Error.log says: AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

(I'm not a webmaster, I host a small site for my needs and have no idea how to react.)

1 Answers

Voted

mayersdesign · Answer 1 · 2020-03-31T10:12:51+08:00

Best Answer

mayersdesign

2020-03-31T10:12:51+08:002020-03-31T10:12:51+08:00

This is exactly the scenario that fail2ban was invented to cover. I suggest you look into that here: https://www.fail2ban.org/wiki/index.php/Main_Page

Likely the "badbots" jail would take care of this immediately, and if not it wouldn't be difficult to code a custom jail/filter set to take care of it.

For now, seeing how they IP's seem to be limited, I suggest banning those IP's via iptables:

iptables -I INPUT -s 185.220.100.252 -j DROP

This is what fail2ban does of course (adds IP's to iptables), but fail2ban does it automatically. It would have protected you from this attack without your even noticing.

5

Is this real google bot or attack? How do I deal with it?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?