rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: Ranger on October 22, 2011, 02:17:26 PM

Title: Spammed "Requested HEAD /"
Post by: Ranger on October 22, 2011, 02:17:26 PM
Recently I've been getting a lot of Requested HEAD spam in my log file from various IP addresses.
Other than banning, is there anything I can do to curtail this from happening?
Title: Re: Spammed "Requested HEAD /"
Post by: raybob on October 22, 2011, 04:40:08 PM
That's happening from bots such as Google.  You don't really need to block it.
Title: Re: Spammed "Requested HEAD /"
Post by: Ranger on October 22, 2011, 05:44:51 PM
Yea I figured as much, only concern was because some of the IPs are tracing to China/Japan, etc.
Title: Re: Spammed "Requested HEAD /"
Post by: rejetto on October 23, 2011, 11:35:14 AM
if you use a non-standard port, let's say 8980, you will dramatically reduce the bothering
Title: Re: Spammed "Requested HEAD /"
Post by: Ranger on October 24, 2011, 02:44:16 AM
Yea, I think I will change the port soon.
Title: Re: Spammed "Requested HEAD /"
Post by: chthonic on October 24, 2011, 12:21:22 PM
well.. I have been prompted by this issue enough to stick my head out of my cave.... this activity has been going on for the past 7 days and it's being used abusively given the number of attempts. the one address I just trace scanned back appears to be an HFS login in Israel.. so I wouldn't dismiss this out of hand.. I think someone is port scanning for open HFS access..

the login prompt I got looks like it's from an old HFS template... that is the main reason I am posting here. If this was google, then a port scan block "should" kill the notifications except that it doesn't. The absolute frequency of the requests makes me suspicious.

this IP: 212.143.170.116 was traced back to that site.. it uses a login prompt that as I said appears to be from an old HFS template and the site is using a self-signed certificate for HTTPS.

this is NOT legitimate behavior...

10/21/2011 10:48:04 PM 123.125.17.15:15408 Requested HEAD /
10/21/2011 11:03:09 PM Check update: no new version
10/22/2011 12:53:08 AM 66.151.235.55:36162 Requested HEAD /
10/22/2011 1:03:03 AM 50.16.36.129:47587 Requested HEAD /
10/22/2011 1:07:09 AM 91.194.137.16:28913 Requested HEAD /
10/22/2011 3:56:46 AM 123.100.2.157:40735 Requested HEAD /
10/22/2011 4:03:10 AM 125.88.125.166:64372 Requested HEAD /
10/22/2011 4:24:30 AM 61.130.247.168:5827 Requested HEAD /
10/22/2011 6:15:26 AM 212.143.170.116:33717 Requested HEAD /
10/22/2011 6:57:43 AM 200.183.87.169:41449 Requested HEAD /
10/22/2011 7:03:23 AM Check update: no new version
10/22/2011 2:27:35 PM 200.242.91.152:57665 Requested HEAD /
10/22/2011 2:34:24 PM 112.213.94.49:43739 Requested HEAD /
10/22/2011 3:03:34 PM Check update: no new version
10/22/2011 3:09:35 PM 67.23.17.252:50216 Requested HEAD /
10/22/2011 3:15:08 PM 82.117.42.166:46571 Requested HEAD /
10/22/2011 4:25:05 PM 121.28.161.165:25362 Requested HEAD /
10/22/2011 5:44:02 PM 211.147.212.2:41974 Requested HEAD /
10/22/2011 6:20:55 PM 202.111.137.4:47356 Requested HEAD /
10/22/2011 6:22:19 PM 83.170.89.56:18236 Requested HEAD /
10/22/2011 11:03:44 PM Check update: no new version
10/23/2011 1:05:51 AM 80.241.32.39:59454 Requested HEAD /
10/23/2011 2:05:20 AM 180.92.170.78:39551 Requested HEAD /
10/23/2011 2:36:26 AM 218.208.102.15:56161 Requested HEAD /
10/23/2011 5:07:17 AM 59.160.229.123:48763 Requested HEAD
10/23/2011 6:10:37 PM 124.160.91.15:23427 Requested HEAD /
10/23/2011 8:18:24 PM 50.17.33.19:18526 Requested HEAD /
10/23/2011 9:13:17 PM 38.101.132.104:32099 Requested HEAD /
10/23/2011 9:48:40 PM 206.16.163.38:37504 Requested HEAD /
10/23/2011 11:04:24 PM Check update: no new version
10/23/2011 11:56:02 PM 212.192.128.23:47991 Requested HEAD /
10/24/2011 4:05:42 AM 212.143.170.116:29787 Requested HEAD /

none of these IP addresses trace back to any legitimate service.
******
update: one of these traces back to a university in Russia.. the interesting thing is that Universities should not be port scanning private computers.
Title: Re: Spammed "Requested HEAD /"
Post by: rejetto on October 27, 2011, 08:24:57 PM
i checked 212.143.170.116 over the forum, and it is not bound to any account and to any post
Title: Re: Spammed "Requested HEAD /"
Post by: chthonic on October 27, 2011, 08:29:26 PM
I am using Visual IP trace pro
Title: Re: Spammed "Requested HEAD /"
Post by: jannuh on October 15, 2012, 09:21:26 AM
Info about req head-get-post etc.:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

In general coming from bots, if same IP is req. you can always ban this IP.
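
Added example, not part of the original thread: a small parser for the HFS log format quoted above that groups `Requested HEAD` entries by source IP and lists the addresses that come back more than once, which is the case the last post suggests banning. The sample log is constructed (documentation-range addresses), and the function names and the `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the thread (documentation-range IPs).
SAMPLE_LOG = """\
10/21/2011 10:48:04 PM 192.0.2.15:15408 Requested HEAD /
10/21/2011 11:03:09 PM Check update: no new version
10/22/2011 6:15:26 AM 203.0.113.116:33717 Requested HEAD /
10/22/2011 6:57:43 AM 198.51.100.7:41449 Requested HEAD /
10/23/2011 5:07:17 AM 198.51.100.23:48763 Requested HEAD
10/24/2011 4:05:42 AM 203.0.113.116:29787 Requested HEAD /
"""

# timestamp, source ip:port, then "Requested <METHOD> [path]" (path may be missing)
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"Requested (?P<method>[A-Z]+)(?: (?P<path>\S+))?\s*$"
)

def parse_requests(log_text):
    """Yield (timestamp, ip, method, path) for request lines; skip other entries."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "Check update: no new version"
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        yield ts, m["ip"], m["method"], m["path"] or ""

def head_probe_summary(log_text):
    """Map each source IP to the sorted timestamps of its HEAD requests."""
    hits = defaultdict(list)
    for ts, ip, method, _path in parse_requests(log_text):
        if method == "HEAD":
            hits[ip].append(ts)
    return {ip: sorted(times) for ip, times in hits.items()}

def repeat_sources(summary, min_hits=2):
    """Return IPs seen at least min_hits times, the candidates for a ban rule."""
    return sorted(ip for ip, times in summary.items() if len(times) >= min_hits)

if __name__ == "__main__":
    summary = head_probe_summary(SAMPLE_LOG)
    for ip in repeat_sources(summary):
        times = summary[ip]
        print(f"{ip}: {len(times)} HEAD requests, {times[0]} to {times[-1]}")
```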