Block HTTP scanbots - penguinpowernz/scanban GitHub Wiki

This lets you block scan bots that probe your HTTP endpoints for exploitable paths. Copy the configuration below into /etc/scanban.d/http.toml. Note that you could

# Access logs that are scanned for the patterns below. If this server sits behind
# a reverse proxy or CDN, confirm the logged address is the real client and not
# the proxy before enabling bans.
files = [
  '/var/log/nginx/access.log',
  '/var/log/apache/access.log',
  # 'docker://myrailsapp'  -- example of a docker:// log source, left disabled
]

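# Ban clients probing for secrets or debug hooks left in the clear.
# Patterns appear to be regular expressions (note the escaped `.` and `?`), so
# literal strings are used to avoid doubled backslashes. Matching does not seem
# to be limited to the request path: in the nginx sample further down the
# XDEBUG string arrives in the Referer field.
[[rules]]
threshold = 0 # first matching line bans the source
bantime = 24 # unit not stated on this page; confirm against the rules reference
patterns = [
  '/autodiscover/autodiscover.json\?@zdi/Powershell',
  'XDEBUG_SESSION_START=phpstorm',
  '/\.git/',
  '/\.env',
  '/aaa9',
  '/aab9', # short random-looking paths, see the Apache sample below
]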

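# Ban bots scanning for exposed admin, VPN and management portals.
# Remove any path you legitimately serve (for example /owa/ or /RDWeb/ on a host
# that fronts Exchange or Remote Desktop Web): with threshold = 0 a single real
# user request would ban that user.
[[rules]]
threshold = 0 # first matching line bans the source
bantime = 24 # unit not stated on this page; confirm against the rules reference
patterns = [
  '/\+CSCOE\+/',
  '/remote/login',
  '/kube-system/daemonsets/',
  '/api/sonicos/auth',
  '/Portal/',
  '/RDWeb/',
  '/dana-na/',
  '/geoserver/',
  '/phpMyAdmin/',
  '/webfig/',
  '/boaform/',
  '/owa/',
]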

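# Ban requests for file types this site never serves. If matching runs over the
# whole log line (as the XDEBUG example in the nginx sample suggests), a Referer
# or User-Agent containing ".php" would trigger this too. The patterns are
# unanchored, so '\.pl' also matches '.plist' or '.pls'; keep the list to
# extensions that never appear in legitimate traffic.
[[rules]]
threshold = 0 # first matching line bans the source
bantime = 24 # unit not stated on this page; confirm against the rules reference
patterns = [
  '\.php',
  '\.pl',
  '\.aspx',
  '\.cgi',
  '/cgi-bin/',
  '/\?=PHP',
]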

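# Ban WordPress probes on a host that does not run WordPress. '/wordpress' is
# unanchored and also matches any URL containing that word (e.g. a blog post
# about WordPress), so disable this rule if such paths exist on your site.
[[rules]]
threshold = 0 # first matching line bans the source
bantime = 24 # unit not stated on this page; confirm against the rules reference
patterns = [
  '/wp-admin/',
  '/wp-includes/',
  '/wordpress',
]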

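# Ban internet-wide scanners that identify themselves in the User-Agent
# (Censys, Palo Alto Networks' Expanse). Only self-identifying scanners are
# caught here; scanners that present a browser User-Agent are covered solely by
# the path-based rules above.
[[rules]]
threshold = 0 # first matching line bans the source
bantime = 24 # unit not stated on this page; confirm against the rules reference
patterns = [
  'CensysInspect',
  'Expanse, a Palo Alto Networks company',
]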

Nginx access logs

Look at these guys trying to access non-existent PHP files:

79.124.58.198 - - [22/Jun/2025:18:44:06 +0000] "GET /users/sign_in HTTP/1.1" 200 1563 "https://xx.xx.xx.xx:443/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
159.89.170.59 - - [22/Jun/2025:22:16:53 +0000] "GET /systembc/password.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
159.89.170.59 - - [22/Jun/2025:22:16:53 +0000] "GET /password.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
159.89.170.59 - - [22/Jun/2025:22:16:55 +0000] "GET /upl.php HTTP/1.1" 301 194 "-" "Mozilla/5.0"
159.89.170.59 - - [22/Jun/2025:22:16:55 +0000] "GET /1.php HTTP/1.1" 301 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
52.169.143.120 - - [22/Jun/2025:22:30:25 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 301 194 "-" "-"
52.169.143.120 - - [22/Jun/2025:22:30:25 +0000] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 738 "-" "-"
52.169.143.120 - - [22/Jun/2025:22:30:26 +0000] "GET /wp-content/languages/index.php HTTP/1.1" 301 194 "-" "-"
52.169.143.120 - - [22/Jun/2025:22:30:26 +0000] "GET /wp-content/languages/index.php HTTP/1.1" 404 738 "-" "-"
52.169.143.120 - - [22/Jun/2025:22:30:26 +0000] "GET /wp-admin/index.php HTTP/1.1" 301 194 "-" "-"
52.169.143.120 - - [22/Jun/2025:22:30:27 +0000] "GET /wp-admin/index.php HTTP/1.1" 404 738 "-" "-"
52.169.143.120 - - [22/Jun/2025:22:30:27 +0000] "GET /autoload_classmap.php?p= HTTP/1.1" 301 194 "-" "-"

Rails logs

They show up in the Rails logs too, eating up my server resources.

I, [2025-06-22T22:30:34.224334 #282]  INFO -- : [ba1d1196-ddb1-412f-88c4-db052ae2c4fc] Started GET "/default.php" for 52.169.143.120 at 2025-06-22 22:30:34 +0000
I, [2025-06-22T22:30:34.869578 #215]  INFO -- : [419f90eb-6daa-4f70-a713-2692a613cb43] Started GET "/wp-includes/assets/index.php" for 52.169.143.120 at 2025-06-22 22:30:34 +0000
I, [2025-06-22T22:30:35.514046 #168]  INFO -- : [e9a2ecac-584b-4ed3-8753-706bc984a632] Started GET "/classwithtostring.php" for 52.169.143.120 at 2025-06-22 22:30:35 +0000
I, [2025-06-22T22:30:36.154574 #215]  INFO -- : [ab409a1f-3395-441e-aa9d-103550266272] Started GET "/about.php" for 52.169.143.120 at 2025-06-22 22:30:36 +0000
I, [2025-06-22T22:30:36.797085 #168]  INFO -- : [c2ae28a9-848f-4970-9cec-6423d79561f8] Started GET "/about/function.php" for 52.169.143.120 at 2025-06-22 22:30:36 +0000
I, [2025-06-22T22:30:37.447919 #215]  INFO -- : [fb85aa01-b710-48d9-b5a6-23efbc727ad8] Started GET "/dropdown.php?p=?p=" for 52.169.143.120 at 2025-06-22 22:30:37 +0000
I, [2025-06-22T22:30:38.102555 #215]  INFO -- : [3d68e85d-b271-4c79-98c3-120396b6d8d2] Started GET "/fm.php" for 52.169.143.120 at 2025-06-22 22:30:38 +0000

Apache logs

148.153.56.58 - - [22/Jun/2025:17:12:32 +0000] "GET /XTLd HTTP/1.1" 404 8333 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
148.153.56.58 - - [22/Jun/2025:17:12:34 +0000] "GET /4x9x HTTP/1.1" 404 8333 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
148.153.56.58 - - [22/Jun/2025:17:12:35 +0000] "GET /aab8 HTTP/1.1" 404 8333 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
148.153.56.58 - - [22/Jun/2025:17:12:35 +0000] "GET /aab9 HTTP/1.1" 404 8333 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
185.190.24.24 - - [21/Jun/2025:08:46:04 +0000] "GET /remote/login HTTP/1.1" 404 8517 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203"
185.190.24.24 - - [21/Jun/2025:08:46:05 +0000] "GET /login HTTP/1.1" 404 718 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203"
5.181.86.95 - - [21/Jun/2025:10:30:16 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 404 8522 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203"
5.181.86.95 - - [21/Jun/2025:14:18:30 +0000] "POST /global-protect/login.esp HTTP/1.1" 404 8526 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203"
5.181.86.95 - - [21/Jun/2025:19:58:10 +0000] "GET /vpn/index.html HTTP/1.1" 404 8517 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /HNAP1 HTTP/1.1" 404 8728 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /pools/default/buckets HTTP/1.1" 404 8744 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /favicon.ico HTTP/1.1" 404 8728 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /server-status HTTP/1.1" 403 8743 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /login.php HTTP/1.1" 404 8728 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /owa/ HTTP/1.1" 404 8728 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /pools HTTP/1.1" 404 8728 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /dniapi/userInfos HTTP/1.1" 404 8744 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /owa/ HTTP/1.1" 404 8728 "-" "curl/7.54.0"
104.156.155.31 - - [21/Jun/2025:20:58:54 +0000] "GET /api/v2/about HTTP/1.1" 404 8728 "-" "curl/7.54.0"