I detected someone probing my site for weaknesses, what can I do about it?

My site has been getting probed by a bunch of IPs from Morocco (trying to submit forms, trying out potential URLs, trying to execute scripts, etc.). I have a strong suspicion it's the same person after observing the pattern of how they behave. Looking at the logs, they don't seem to have found any vulnerabilities. I'm not sure what I should do about this other than keep observing. Blocking the IP doesn't seem useful since it seems to change.

Is there anything I can do about it at this point?

Tags: web-application attacks attack-prevention defense incident-response

asked 1 hour ago by Jad S

3 Answers

Welcome to the internet! This is the normal situation, business as usual.

You don't have to do anything but harden your website. Probes like that occur all the time, on every site, day and night. Some people call that "voluntary pen testing."

Depending on your site, there are some tools that you can use to help you keep those kinds of probes out of the site. WordPress sites have a couple of plugins (you can search for security plugins in the plugins directory), and I believe the other popular platforms out there will have equivalent plugins.

Another tool I usually employ is fail2ban. It can parse your webserver log files and react accordingly.

answered 1 hour ago by ThoriumBR

1. Block the whole country.
2. Check the ASN and its allocated IP range, and block that IP range.
3. Fingerprint the attacker using a user agent or a JavaScript library and attach a strong captcha when the fingerprint is detected.

Last but not least, secure your site and monitor attacks regularly.

answered 1 hour ago by Moonsik Park
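
The question notes that the source IP keeps changing, which defeats per-IP counting of the kind a log watcher such as fail2ban does. This added example (not code from the asker or any answerer) groups combined-format access-log lines by covering network and user agent, as the answer above suggests, and flags clusters whose requests are mostly error responses. The log lines, user agents, thresholds and the /24 and /64 prefixes are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PROBE_STATUSES = {"400", "403", "404", "405"}  # usual replies to guessed URLs/forms

# Constructed sample data: documentation address ranges, made-up user agents.
SCANNER_UA = "ExampleScanner/1.0 (constructed)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
PROBE_HITS = [  # one client rotating through addresses of the same /24
    ("203.0.113.5", "GET", "/admin/", 404), ("203.0.113.5", "GET", "/old/", 404),
    ("203.0.113.41", "GET", "/backup.zip", 404), ("203.0.113.41", "POST", "/contact", 403),
    ("203.0.113.98", "GET", "/test.php", 404), ("203.0.113.98", "GET", "/login", 200),
    ("203.0.113.160", "POST", "/search", 400),
]
NORMAL_HITS = [  # ordinary visitors, one of them inside the scanner's /24
    ("203.0.113.77", "GET", "/", 200), ("203.0.113.77", "GET", "/favicon.ico", 404),
    ("198.51.100.7", "GET", "/", 200), ("198.51.100.7", "GET", "/about", 200),
]

def make_line(ip, method, path, status, ua):
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SAMPLE_LOG = ([make_line(*hit, SCANNER_UA) for hit in PROBE_HITS]
              + [make_line(*hit, BROWSER_UA) for hit in NORMAL_HITS]
              + ["truncated or malformed line"])

def cluster_key(ip, ua, v4_prefix=24, v6_prefix=64):
    """Covering network plus user agent, so a rotating IP still lands in one bucket."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for non-addresses
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False)), ua

def find_probers(lines, min_errors=5, min_ratio=0.8, v4_prefix=24):
    """Return clusters with many error responses making up most of their traffic."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "ips": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        try:
            key = cluster_key(m["ip"], m["ua"], v4_prefix)
        except ValueError:
            continue  # client field was not an IP address
        s = stats[key]
        s["total"] += 1
        s["errors"] += int(m["status"] in PROBE_STATUSES)
        s["ips"].add(m["ip"])
    flagged = [
        {"network": net, "user_agent": ua, "requests": s["total"],
         "errors": s["errors"], "ips": sorted(s["ips"])}
        for (net, ua), s in stats.items()
        if s["errors"] >= min_errors and s["errors"] / s["total"] >= min_ratio
    ]
    return sorted(flagged, key=lambda f: f["errors"], reverse=True)

if __name__ == "__main__":
    for finding in find_probers(SAMPLE_LOG):
        print(finding)
```

The user agent is client-supplied and a /24 can contain real visitors, so treat a finding as a candidate for a captcha or a time-limited range block rather than proof of a single attacker.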

The first step outside of immediately looking for a solution is to conduct a pentest of your own site and be actually aware of what weaknesses there are in your site. If you don't know what you are protecting, then how will you know to protect it?

First, look at the infrastructure, such as the CMS. For example, if you are using WordPress, then there are pentesting tools for WordPress available both as apps and cmd tools, i.e. Wordfence, and I've used WPScan also.

The second option is to look at tools like OWASP zaproxy and do an attack scan of your network and gain a list of vulnerabilities. Just a note that some of these could be false positives.

Your findings may mirror what has already been found, but I think knowing what the vulnerabilities are in your own site is useful.

The next step is how you are finding out about these probes. If it was a manual check, you can also consider setting up some log collection system like NXLog.

answered 13 mins ago by NASAhorse
