Amazon EC2 instance is getting spammed with different PHP filenames

Our server has been attacked recently and looks something like the following in the logs:

[Mon Feb 18 09:18:43 2019] [IP_ADDRESS] script '/var/www/ynm.php' not found or unable to stat
[Mon Feb 18 09:18:43 2019] [IP_ADDRESS] script '/var/www/71.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/wadre.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/vm.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/test.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/1q.php' not found or unable to stat
[Mon Feb 18 09:18:45 2019] [IP_ADDRESS] script '/var/www/1111.php' not found or unable to stat
[Mon Feb 18 09:18:45 2019] [IP_ADDRESS] script '/var/www/errors.php' not found or unable to stat
[Mon Feb 18 09:18:46 2019] [IP_ADDRESS] script '/var/www/q.php' not found or unable to stat

These attacks sometimes go on for hours and freeze the server.

How to protect against this? fail2ban?

Have banned the IPs manually but they change every time.

Thanks!


Solution 1:

These are common occurrences. Robots try to find insecure scripts and exploit them. You can't really avoid it; once you've got a web server on the Internet, you'll see scans like this.

However, since you're running on AWS EC2, you've got a number of options:

  1. Use AWS WAF (Web Application Firewall) to protect your site against malicious attacks.

  2. Use AWS Shield - managed DDoS protection. Free.

  3. Etc...

In any case, being scanned like this shouldn't freeze your server. That freezing is likely being caused by something else - maybe a DDoS (hint: use AWS Shield) or some successful exploit of one of your PHP scripts that consumes the instance memory.

Hope that helps :)
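
The scan pattern in the question's log can be detected with a count-within-a-time-window rule, the same idea fail2ban's `maxretry` and `findtime` settings express. The following is an added example, not part of the original question or answer; the function name, thresholds and sample log lines (documentation-range addresses) are constructed for illustration, and lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the error-log format quoted in the question:
# [<timestamp>] [<client>] script '<path>' not found or unable to stat
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<client>[^\]]+)\] "
    r"script '(?P<path>[^']+)' not found or unable to stat$"
)

# Constructed sample: one client probing many script names, one requesting a stale URL.
SAMPLE_LOG = """
[Mon Feb 18 09:18:43 2019] [192.0.2.10] script '/var/www/ynm.php' not found or unable to stat
[Mon Feb 18 09:18:43 2019] [192.0.2.10] script '/var/www/71.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [198.51.100.7] script '/var/www/old-page.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [192.0.2.10] script '/var/www/wadre.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [192.0.2.10] script '/var/www/vm.php' not found or unable to stat
[Mon Feb 18 09:18:45 2019] [192.0.2.10] script '/var/www/test.php' not found or unable to stat
[Mon Feb 18 09:18:50 2019] [198.51.100.7] script '/var/www/old-page.php' not found or unable to stat
[Mon Feb 18 09:18:51 2019] [198.51.100.7] File does not exist: /var/www/favicon.ico
"""

def find_scanners(lines, max_hits=5, window=timedelta(seconds=60)):
    """Map each client to the time it first requested max_hits distinct
    missing scripts inside one sliding window."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, path)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank, unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits = recent[m["client"]]
        hits.append((ts, m["path"]))
        # Drop hits that have aged out of the window.
        while ts - hits[0][0] > window:
            hits.popleft()
        # Count distinct paths so a retried stale link does not look like a scan.
        distinct = {path for _, path in hits}
        if m["client"] not in flagged and len(distinct) >= max_hits:
            flagged[m["client"]] = ts
    return flagged

if __name__ == "__main__":
    for client, when in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{client} flagged at {when}")
```

Counting distinct paths rather than raw hits keeps a visitor who retries one stale link from being flagged alongside the scanner.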