Support » Plugin: Wordfence Security - Firewall & Malware Scan » Rule: block .bash_history

  • Resolved swissspaceboy

    (@swissspaceboy)


    Hello,

    I added a rule to block access to hidden file .bash_history as I get these attacks in my access log

    GET /?.bash_history

    But I have the impression the WF is not blocking this file, as I see it coming up in the Live Traffic log.

    What would be the good rule syntax to block this file .bash_history? I did it like this

    
    /?.bash_history

    Should this work?

    Many thanks !

    Didier

Viewing 8 replies - 1 through 8 (of 8 total)
  • Here I have an example of today for another file that I block: .htpasswd

    My HTTP access log:

    85.248.227.164 - - [25/Oct/2020:05:29:45 +0100] "GET /?.htpasswd HTTP/2" 403 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0"

    Entry in LT log:

    /?.htpasswd 10/25/2020 5:29:48 AM 85.248.227.164 tollana.enn.lu 200
    Type: Bot
    Activity Detail
    visited https://www.mydomain.com/?.htpasswd
    10/25/2020 5:29:48 AM (7 hours 23 mins ago)
    IP: 85.248.227.164 Hostname: tollana.enn.lu
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0

    My blocking rule

    /?.htpasswd

    Didier.

    Plugin Support WFAdam

    (@wfadam)

    Hello @swissspaceboy and thanks for reaching out to us!

    It looks like you have the block set up correctly. What response code are you getting for your /?.bash_history hits in Live Traffic?

    Thanks!

    swissspaceboy

    (@swissspaceboy)

    Hi Adam,

    Code 200 as shown here:

    /?.bash_history 10/25/2020 1:03:07 PM 103.253.41.111 103.253.41.111 200

    Type: Bot
    Activity Detail
    visited https://www.mydomain.ch/?.bash_history
    10/25/2020 1:03:07 PM (1 day 5 hours ago)
    IP: 103.253.41.111 Hostname: 103.253.41.111
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0

    Plugin Support WFAdam

    (@wfadam)

    Do you have access to a VPN to test this? Are you getting blocked when you visit the page?

    Let me know!

    Thanks!

    swissspaceboy

    (@swissspaceboy)

    ok. I tried as a test.

    Link

    https://www.mydomain.ch/?.bash_history

    gives me a blank page. When looking in my live traffic now, I do not see an entry in the log.

    My http access log gives a 403:

    62.202.191.130 - - [27/Oct/2020:21:22:33 +0100] "GET /?.bash_history HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"

    Strange no? Again some hacking ongoing of course.

    No VPN available to connect.

    Thanks,

    Didier.

    Plugin Support WFAdam

    (@wfadam)

    Well, the 403 would be the correct error but it’s strange that it is not showing in the Live Traffic. Are other hits populating in Live Traffic?

    I just attempted to visit your https://www.mydomain.ch/?.bash_history, did it post?

    Let me know!

    Thanks!

    swissspaceboy

    (@swissspaceboy)

    Yes, all other hits are showing up in the live traffic.

    The URL is a fake one (lol), and visits from the US are redirected to another page.

    Can I send you a log where this blocking rule gets fired by WordFence?

    Is this rule working fine for you?

    Thanks,

    Didier.

    Plugin Support WFAdam

    (@wfadam)

    If it's a fake URL, then we could add it to the All Options > Firewall Options > Advanced Firewall Options > Immediately block IPs that access these URLs.

    https://www.wordfence.com/help/firewall/options/#immediately-block-urls here is our docs page about that setting.

    Let me know what you find!

    Thanks!
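An added example, not part of the thread and not Wordfence code: a small Python check that reads web server access log lines (combined format, as in the posts above) and lists requests naming `.bash_history` or `.htpasswd`, in the path or as the query string, that were not answered with 403. The watch list and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Hypothetical watch list: the two file names mentioned in the thread.
SENSITIVE = (".bash_history", ".htpasswd")


def names_sensitive_file(target):
    """True if the path's last segment or the whole query string is a watched name."""
    parts = urlsplit(target)
    # Decode percent-encoding so /%2Ebash_history is treated like /.bash_history.
    last_segment = unquote(parts.path).rsplit("/", 1)[-1].lower()
    query = unquote(parts.query).lower()
    return last_segment in SENSITIVE or query in SENSITIVE


def probes_without_403(lines):
    """Return (ip, target, status) for watched requests not answered with 403."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not names_sensitive_file(m["target"]):
            continue
        status = int(m["status"])
        if status != 403:
            findings.append((m["ip"], m["target"], status))
    return findings


# Constructed sample lines using documentation IP ranges, not from a real log.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Oct/2020:05:29:45 +0100] "GET /?.htpasswd HTTP/2" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [25/Oct/2020:13:03:07 +0100] "GET /?.bash_history HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Oct/2020:13:04:00 +0100] "GET /%2Ebash_history HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [25/Oct/2020:13:05:00 +0100] "GET /blog/?p=12 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status in probes_without_403(SAMPLE_LOG):
        print(f"{ip} requested {target} and got {status}, expected 403")
```

The status in the access log is what the server actually returned to the client, so it is the value to check when another view of the same request reports a different code.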
