How do I handle this scan attack?

I’m pretty much a newbie at this so hoping I can get some help.

While randomly looking through my swag/nginx access log, I saw this, on a handful of my subdomains:

10.0.0.2 [27/Feb/2022:02:23:05 -0600]"GET /shell4.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:11 -0600]"GET /ups.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:19 -0600]"GET /ru.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /if.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /vuln.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /fw.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:26 -0600]"GET /skipper.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:26 -0600]"GET /skippershell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:36 -0600]"GET /tttt.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:41 -0600]"GET /tshop.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:57 -0600]"GET /alfa.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:58 -0600]"GET /shell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:58 -0600]"GET /inje3ctor.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:01 -0600]"GET /saudi.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:18 -0600]"GET /wso.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:20 -0600]"GET /alfashell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:22 -0600]"GET /my_alfa.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:37 -0600]"GET /uploader.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:44 -0600]"GET /up.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:58 -0600]"GET /hacked.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:59 -0600]"GET /c99.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001" "0.010"
10.0.0.2 [27/Feb/2022:02:25:05 -0600]"GET /priv8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:06 -0600]"GET /Navir.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:16 -0600]"GET /cmd13.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:18 -0600]"GET /inc20k1.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:19 -0600]"GET /1index.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:23 -0600]"GET /404.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:25 -0600]"GET /swm.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:29 -0600]"GET /wp.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:39 -0600]"GET /doc.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:41 -0600]"GET /shx.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001" "0.010"
10.0.0.2 [27/Feb/2022:02:25:47 -0600]"GET /ws.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:25:48 -0600]"GET /m.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:55 -0600]"GET /edit-form.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:57 -0600]"GET /LEAF.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:57 -0600]"GET /leafmailer.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:26:01 -0600]"GET /mailer.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:26:13 -0600]"GET /leafmailer2.8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:25 -0600]"GET /Leaf.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:34 -0600]"GET /leaf.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:26:43 -0600]"GET /priv8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:59 -0600]"GET /owl.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:27:16 -0600]"GET /1.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.003"

It appears they’re using some sort of scan bot to see if any known vulnerable pages exist on the server. Fortunately, they all ended in 404.

How can I prevent this? My uneducated guess is to use the fail2ban feature, but I really have NO idea what to enter into it to stop this specific type of attack.

And also, being inside a container, would it work anyway, since it shows the IP as all coming from one of the IPs of my docker network?

Can anyone help?


You are right! This is the perfect job for fail2ban, which, as you know, is installed in the SWAG container.
You do not have to come up with a regex for those lines, since you are a newbie, but a simple web search suggests possible filters, e.g.:

Once you get the filter saved to a file, I strongly encourage you to test it out using the fail2ban-regex command to verify that everything goes according to plan, depending on your threat model and.
If you are the only user on your system you can easily unban yourself if the regex triggers too often, but if you have many users you should really test this out before deploying the new jail.

Then, follow the tutorial and teach your fail2ban daemon to patrol the NGINX access.log logfile for repeated 404 errors.
Remember to restart your service and test such changes from an IP which is not whitelisted.

Good luck! Cheers.

EDIT: with respect to the source IP, I'm not sure I understand... in my SWAG container I get real source IPs, not a private 10.x.x.x IP over and over again. Maybe someone else can comment on that.

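As an added example (not code from the original thread, from SWAG, or from fail2ban itself), here is the detection logic such a jail applies, reproduced in Python so it can be run against log lines of the shape shown in the post: a fail2ban-style failregex matching 404 responses, a per-source counter over a findtime window with a maxretry threshold, and an ignoreip list. The sample lines are constructed from the excerpt above with the user agent shortened; 203.0.113.7 is a documentation address, not a real scanner, and the <HOST> expansion is simplified compared with fail2ban's own. The last call shows the second concern raised in the thread: when every request is logged with the proxy's own address (10.0.0.2 here), the only "offender" the jail can see is the proxy, so banning it would lock out every client.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, same field layout as the poster's excerpt
# (user agent shortened). 10.0.0.2 is the address the poster sees on every
# line; 203.0.113.7 is a documentation address used as a second client.
SAMPLE_LOG = """\
10.0.0.2 [27/Feb/2022:02:23:00 -0600]"GET / HTTP/2.0" 200 gotify.my.domain "Mozilla/5.0" "0.002"
10.0.0.2 [27/Feb/2022:02:23:05 -0600]"GET /shell4.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0" "0.002"
10.0.0.2 [27/Feb/2022:02:23:11 -0600]"GET /ups.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0" "0.002"
10.0.0.2 [27/Feb/2022:02:23:19 -0600]"GET /ru.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0" "0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /if.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0" "0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /vuln.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0" "0.001"
203.0.113.7 [27/Feb/2022:02:30:00 -0600]"GET /favicon.ico HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0" "0.001"
10.0.0.2 [27/Feb/2022:03:30:00 -0600]"GET /c99.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0" "0.001"
"""

# fail2ban-style failregex for the layout above. <HOST> is fail2ban's
# placeholder for the source address. A real filter would not capture the
# timestamp itself (fail2ban's date detector does that); this stand-alone
# version needs it to apply the findtime window.
FAILREGEX = (r'^<HOST> \[(?P<ts>[^\]]+)\]\s*'
             r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^"]*" 404 ')


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> (simplified: any run of non-space characters)."""
    return re.compile(failregex.replace('<HOST>', r'(?P<host>\S+)'))


def parse_ts(ts: str) -> datetime:
    """nginx $time_local, e.g. 27/Feb/2022:02:23:05 -0600."""
    return datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')


def in_networks(host: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # not an IP literal: never treated as ignored
        return False
    return any(addr in n for n in nets)


def scan(log_text: str, maxretry: int = 5, findtime: int = 600, ignoreip=()):
    """Apply the jail logic: a host is banned once it has >= maxretry matching
    lines within any findtime-second window. Hosts inside ignoreip are skipped.
    Returns {host: timestamp string of the line that triggered the ban}."""
    rx = compile_failregex(FAILREGEX)
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)    # host -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = rx.match(line)
        if not m:
            continue            # 200s and unrelated lines never count
        host, ts_raw = m.group('host'), m.group('ts')
        if in_networks(host, ignored):
            continue
        ts = parse_ts(ts_raw)
        recent = [t for t in hits[host] if ts - t <= window]
        recent.append(ts)
        hits[host] = recent
        if host not in banned and len(recent) >= maxretry:
            banned[host] = ts_raw
    return banned


if __name__ == '__main__':
    print('default jail      :', scan(SAMPLE_LOG))
    print('tight window      :', scan(SAMPLE_LOG, maxretry=3, findtime=3))
    # The poster's situation: if 10.0.0.2 is really the proxy, ignoring it
    # leaves nothing to ban, which is exactly why the log must carry the
    # client's address rather than the proxy's.
    print('proxy net ignored :', scan(SAMPLE_LOG, ignoreip=['10.0.0.0/8']))
```

The same FAILREGEX string is what goes under failregex in a fail2ban filter file, and maxretry, findtime and ignoreip are the corresponding jail options; fail2ban-regex run against the real access log and that filter file confirms the pattern matches before the jail is enabled.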

@piramiday TYVM for the help. I got it installed, but haven't tested it yet. The IP thing is what, again, is making me wonder if it'll work.

Every single IP in my nginx access log is the same one, which is an IP given to the container by Docker. I have the same IP issue when using something like Pi-hole or AdGuard; they can only show me stats by which container names connected, rather than any individual actual external IP. It's been pretty frustrating. I don't know how to fix that.

I've added another post (here), if it helps.

Hi there,
I know this is a very old thread, but I recently got into the same situation where I couldn't figure out why in the nextcloud.log I would only see the IP from the Docker instance rather than the public IP, as I was using X_Forwarded-host $host as well as X-Real-IP $remote_address in the proxy.conf of my SWAG container.

I also want to mention that I am not using a bridge network but macvlan (I know, old school, to absolutely want IP addresses for everything), and that might be the reason for the issue.

I noticed these two lines in the nginx/site-confs/default.conf file of the nextcloud container:

set_real_ip_from 172.17.0.0/12;
real_ip_header X-Forwarded-For;

As mentioned in this thread as well: remoteaddr-logged-as-swag-containers-ip-with-swag-fail2ban-nextcloud-setup
What worked for me (not sure if it is best practice) was to remove the Docker network address in the default.conf file of the nginx instance of the nextcloud container and replace it with the IP address of my SWAG container.
Since then I have been able to get fail2ban working fine reading the nextcloud.log, and I now see public IP addresses instead of the one from SWAG all the time. Thanks, and I hope this will be helpful for someone else.

Nginx by default does not trust another proxy or device when it says the connection is actually coming from another IP. If it did, an attacker could easily spoof another device by simply passing that header.

You need to tell nginx to explicitly trust another proxy that you control. set_real_ip_from does just that. It tells nginx to trust any proxy that has an IP that matches it.

We set it to 172.17.0.0/12 in nextcloud, which is often the range Docker uses for other containers in the local Docker network (which means an attacker would need to be running in a container in order to spoof, but if an attacker is already in a container in your local network, it's game over already and they likely do not even need to spoof).

You need to figure out what IP nextcloud sees your proxy as, and set that directive to match (or contain in range) that IP so Nextcloud’s nginx will trust it and use its X-Forwarded-For to determine the source IP.
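As an added example (not code from the thread, from nginx, or from the SWAG or Nextcloud images), the trust rule described above, modelled in Python after the documented behaviour of nginx's ngx_http_realip_module with real_ip_header X-Forwarded-For: the header is honoured only when the direct peer is inside set_real_ip_from, and with real_ip_recursive on, the rightmost address that is not itself a trusted proxy is taken. The addresses are assumptions: 192.168.1.50 stands for a SWAG container on macvlan, 172.18.0.5 for SWAG on a Docker bridge, and 203.0.113.7 / 198.51.100.23 / 9.9.9.9 are documentation or stand-in addresses for a real client, a direct attacker, and a spoofed value. It also shows why set_real_ip_from must not be widened to everything: trusting 0.0.0.0/0 lets any client pick the address that fail2ban would ban.

```python
import ipaddress

# The two directives found in the nextcloud container's default.conf. nginx
# accepts 172.17.0.0/12 and masks it to 172.16.0.0/12; strict=False mirrors that.
NEXTCLOUD_DEFAULT_TRUST = ['172.17.0.0/12']


def _parse(addr: str):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def resolve_client_ip(peer_addr: str, x_forwarded_for: str,
                      set_real_ip_from, real_ip_recursive: bool = True) -> str:
    """Return the address nginx would expose as $remote_addr (and log).

    peer_addr        - the TCP peer, i.e. whoever connected to this nginx
    x_forwarded_for  - the X-Forwarded-For header value ('' if absent)
    set_real_ip_from - CIDRs of proxies whose header is trusted
    real_ip_recursive- walk the chain from the right, skipping trusted hops
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in set_real_ip_from]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    # Untrusted peer: the header is ignored entirely, whatever it says.
    if not is_trusted(peer) or not x_forwarded_for:
        return peer_addr

    hops = x_forwarded_for.split(',')
    if not real_ip_recursive:
        # Non-recursive: only the last address is considered.
        last = _parse(hops[-1])
        return str(last) if last else peer_addr

    chosen = None
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:          # unparsable entry: keep what was found so far
            break
        chosen = addr
        if not is_trusted(addr):  # first hop that is not one of our proxies
            break
    return str(chosen) if chosen else peer_addr


def nextcloud_sees(peer_addr: str, x_forwarded_for: str, set_real_ip_from):
    """Convenience wrapper: what ends up in nextcloud.log for fail2ban to read."""
    return resolve_client_ip(peer_addr, x_forwarded_for, set_real_ip_from)


if __name__ == '__main__':
    # The thread's problem: SWAG on macvlan is outside 172.16.0.0/12, so the
    # header it forwards is ignored and the log shows SWAG's own address.
    print(nextcloud_sees('192.168.1.50', '203.0.113.7', NEXTCLOUD_DEFAULT_TRUST))
    # The thread's fix: trust exactly the SWAG address.
    print(nextcloud_sees('192.168.1.50', '203.0.113.7', ['192.168.1.50/32']))
    # Direct attacker sending a forged header: ignored (peer not trusted).
    print(nextcloud_sees('198.51.100.23', '9.9.9.9', NEXTCLOUD_DEFAULT_TRUST))
    # Forged header passing through a trusted proxy that appends the real
    # client: the rightmost untrusted address wins, so the forgery fails.
    print(nextcloud_sees('172.18.0.5', '9.9.9.9, 203.0.113.7', NEXTCLOUD_DEFAULT_TRUST))
    # Weak setting: trusting everyone lets the attacker choose the logged IP.
    print(nextcloud_sees('198.51.100.23', '9.9.9.9', ['0.0.0.0/0']))
```

For a proxy that is not on the default bridge, the change that matches this model is to replace set_real_ip_from 172.17.0.0/12; with set_real_ip_from followed by the proxy's own address (as a /32, or the subnet it lives in), keeping real_ip_header X-Forwarded-For; this assumes the proxy appends the client address to X-Forwarded-For rather than replacing it, which is what a $proxy_add_x_forwarded_for setting on the proxy side does.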

Thanks for the fast feedback. Indeed, I understood it that way, thanks for that; however, I am surprised that not many hints came out of such research, unless very few people use Docker the way I do, or they keep the default Docker subnet configured.
I think it would be worth mentioning this hint in the documentation :
“If you plan to use our nextcloud docker together with Swag, pay attention if you don’t use default docker subnet configuration to trust swag nginx in the nextcloud nginx instance if you plan to use fail2ban reading the nextcloud logfiles. This will ensure that the nextcloud nginx will trust the swag nginx to write the public IP address that comes in which is necessary to do a proper ban if required”.
