Just a few recent examples that came in direct to my server's IP so I can drive home the security risks:

106.4.199.210 - - [11/Feb/2019:04:09:27 -0500] "CONNECT www.baidu.com HTTP/1.1" 400 0 "-" "-"

This is from a ChinaNet IP looking to proxy my server to www.baidu.com using a script that provides no user agent. I have CONNECT, OPTIONS, and PROPFIND methods all blocked, as well as anything attempting WebDAV access (another thing they like to exploit).

125.76.61.225 - - [11/Feb/2019:04:09:27 -0500] "GET http://api.ipify.org/ HTTP/1.1" 403 7187 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36Mozilla/5.01732016 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

This is from another ChinaNet IP looking to proxy using GET instead of CONNECT, using a badly faked Chrome user agent, or Firefox; can't tell because they mangled it so badly. I have others where the UA actually starts with "User-Agent:", which is mildly humorous.

I'll save you the log listing, but there's one clear script kiddie from an Alibaba Cloud IP (also China) that starts at 05:16:56 and continues until 05:20:09 with about 300 GETs and POSTs probing for specific PHP-based vulnerabilities, all with accurate but faked user agents. There's another one later between 15:28:03 and 15:44:11 from Tencent Cloud Computing in Beijing, amongst others such as Baidu and Huawei.

And that's not even the scary stuff, because I can easily block those with a finely honed htaccess file for the ones coming in direct via IP, and using Cloudflare for those coming in by name server. The scary stuff are the botnets that are designed to hijack IoT devices and modems:

46.17.47.173 - - [05/Feb/2019:11:45:50 -0500] "\x16\x03\x01" 400 0 "-" "-"
185.222.211.0 - - [10/Feb/2019:17:15:35 -0500] "\x03" 400 0 "-" "-"

That first one is from a Baxet server in Russia, the second from Outsource Grid in the UK; both are executing binary code.
There are others that contain inline textual code that are designed to download and replace firmware on your device (security cameras, modems, routers, etc. - anything externally addressable) so it can take control of it. I just don't have any examples atm, because they've been lying low with me lately. The other scary ones are those that attempt rapid-fire/overload brute force logins of a WordPress, Drupal, or other hosted blog site so they can implant malware within the hosted database and reroute visitors to get infected. Those are the ones that keep me up at night, because if they get in it's real difficult to override what they did before any real damage is already done. So, that's my "frightened stiff" speech wrt the risks.
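The patterns the post calls out (proxy CONNECTs, absolute-URI GETs, missing or mangled user agents, request lines that are not HTTP at all, and a single IP hammering a site for minutes) can all be picked out of an Apache combined-format access log mechanically. The script below is an added example written for this page, not the poster's own htaccess or tooling. It parses the log lines quoted in the post (re-typed here as constructed sample input, with the second line's missing closing quote restored so it parses) plus a synthetic burst from a placeholder IP (203.0.113.9, a TEST-NET address) standing in for the 300-request scan the post describes. The rule names, thresholds and the `/wp-login.php` path in the synthetic burst are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A well-formed HTTP request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Methods the post says it blocks outright, plus the WebDAV verbs it alludes to (assumed set).
BLOCKED_METHODS = {"CONNECT", "OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL",
                   "COPY", "MOVE", "LOCK", "UNLOCK"}


def classify(line):
    """Return the list of reasons a log line looks like probe/abuse traffic ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable_log_line"]
    reasons = []
    req = REQUEST_RE.match(m["request"])
    if req is None:
        # Apache writes non-printable bytes as \xNN, so a request such as \x16\x03\x01
        # never fits "METHOD target HTTP/x.y": whatever it is, it is not HTTP.
        reasons.append("non_http_request")
    else:
        if req["method"] in BLOCKED_METHODS:
            reasons.append("blocked_method:" + req["method"])
        # A proxy-style request names an absolute URI for some other host.
        if re.match(r"https?://", req["target"], re.I):
            reasons.append("proxy_attempt")
    ua = m["ua"]
    if ua in ("", "-"):
        reasons.append("no_user_agent")
    elif ua.startswith("User-Agent:") or ua.count("Mozilla/") > 1:
        # Two product strings glued together, or a literal header name, is a faked UA.
        reasons.append("mangled_user_agent")
    return reasons


def burst_sources(lines, max_requests=100, window_seconds=300):
    """Map IP -> request count for IPs exceeding max_requests inside any window_seconds span."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            by_ip[m["ip"]].append(datetime.strptime(m["time"], TIME_FMT))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_requests:
                flagged[ip] = end - start + 1
                break
    return flagged


# Constructed sample: the post's quoted lines plus one benign request from a TEST-NET address.
SAMPLE_LOG = [
    '106.4.199.210 - - [11/Feb/2019:04:09:27 -0500] "CONNECT www.baidu.com HTTP/1.1" 400 0 "-" "-"',
    '125.76.61.225 - - [11/Feb/2019:04:09:27 -0500] "GET http://api.ipify.org/ HTTP/1.1" 403 7187 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 '
    'Safari/537.36Mozilla/5.01732016 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:55.0) '
    'Gecko/20100101 Firefox/55.0"',
    r'46.17.47.173 - - [05/Feb/2019:11:45:50 -0500] "\x16\x03\x01" 400 0 "-" "-"',
    r'185.222.211.0 - - [10/Feb/2019:17:15:35 -0500] "\x03" 400 0 "-" "-"',
    '198.51.100.7 - - [11/Feb/2019:04:10:00 -0500] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0"',
]


def constructed_burst(ip="203.0.113.9", n=120):
    """Synthetic one-request-per-second login probing from a placeholder IP (constructed data)."""
    base = datetime(2019, 2, 11, 5, 16, 56, tzinfo=timezone(timedelta(hours=-5)))
    return [
        f'{ip} - - [{(base + timedelta(seconds=i)).strftime(TIME_FMT)}] '
        f'"GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"'
        for i in range(n)
    ]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.split(" ", 1)[0], classify(line))
    print("burst sources:", burst_sources(SAMPLE_LOG + constructed_burst()))
```

The request-line check is the one that catches the "binary" entries: rather than trying to interpret the bytes, it simply treats anything that does not parse as `METHOD target HTTP/x.y` as non-HTTP and flags it, which is also what Apache's 400 response already reflects. The burst detector uses a sliding window so a scanner that spreads 300 requests over three minutes is caught regardless of where the minute boundaries fall; tune `max_requests` and `window_seconds` to a site's normal traffic before acting on the output.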