How to Block Spammers and Scanners

It is increasingly common for spammers to crawl your site. This often results in high load on your Hypernode and a slow site for real visitors.

It can be hard to trace down these abusers. Here are some strategies for finding and blocking them.

Step 1: Identify Culprits

A common use case is that spammers or scanners fill up all your PHPFPM slots when they scan or brute-force your site. We’ve developed the tool, hypernode-fpm-status, to grant you more insight into what is going on in your PHPFPM workers. Try this:

app@abcdef-example-magweb-cmbl:~$ hypernode-fpm-status
GONE 90.3266 108.61.122.72 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 92.5596 108.61.122.72 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 74.7021+8 46.28.203.130 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 86.3169+2 108.61.122.72 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 74.7289+8 46.28.203.130 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 84.7464+2 46.28.203.130 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 83.9709+2 108.61.122.72 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 77.5164+6 46.28.203.130 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 84.0770+2 46.28.203.130 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)
GONE 82.5902+3 46.28.203.130 POST my.hypernode.io/downloader/index.php?A=loggedin (Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5)

Step 2: Add IPs to Blacklist

You’ll immediately notice two IPs that are trying to download files from your server. You’ve found your scanners!

Now log in to your Hypernode using SSH and edit /data/web/nginx/server.blacklist

editor /data/web/nginx/server.blacklist

Add the IPs to the file:

## Block these IP's from using your site. They should have proper CIDR notation.
## It is not possible to include host/domainnames here.

# deny 62.195.123.45;
# deny 87.211.184.188;
# deny 213.186.119.0/24;
# deny 213.186.120.0/24;

deny 108.61.122.72; # look out! always close with semi-colon ;
deny 46.28.203.130;

If you make a mistake, the shell will warn you:

app@abcdef-example-magweb-cmbl:~$
Your Nginx configuration contains errors, please check
/data/web/nginx/nginx_error_output to see them.
app@abcdef-example-magweb-cmbl:~$

Step 3: Check to See That All Is Well

Now you’ll see that the client is banned from the server:

{
    "time":"2014-11-21T09:39:31+00:00",
    "remote_addr":"108.61.122.72",
    "remote_user":"-",
    "host":"example.hypernode.io",
    "request":"POST /downloader/index.php?A=loggedin HTTP/1.1",
    "status":"403",
    "body_bytes_sent":"162",
    "referer":"-",
    "user_agent":"Mozilla/5.0 (Windows; U; Windows NT 6.0) Gecko/20091201 Firefox/3.5.6 GTB5",
    "request_time":"0.000",
    "handler":"",
    "country":"US",
    "android_dupe_bug":"",
    "ssl_cipher":"-",
    "ssl_protocol":"-"
}