• Resolved Tony G

    (@starbuck)


    I have been using another plugin that bans excessive 404s but I found it doesn’t distinguish between local / same-origin traffic and external requests. A 404 from a local misconfiguration is as likely to ban a visitor as it is to ban a scriptkiddie who is looking for vulnerabilities. I haven’t used Redirection for a long time but because of this I’d like to come back.

    I know the plugin checks the Referer field but I’m not sure exactly what’s done with it. Does the plugin detect a same origin referer, so that we can do a different 302 redirect that we would use for an external request?

    And, again it’s been a while so please forgive what may be a FAQ : Is there a recommended way to feed the 404 log from specific requests/groups into a common banning solution? For example, of course we would not want to ban visitors for our own local misconfiguration, but we’ll gladly use Fail2Ban or another mechanism to ban the scriptkiddies.

    RTFM with link is welcome.

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author John Godley

    (@johnny5)

    Referrer information is unreliable and easily changed by any script so I wouldn’t use that to determine anything.

    Personally it seems a bit excessive to ban a client based on excessive 404s, but sure I guess. It probably is something best left to Fail2ban though, and you wouldn’t need to use any plugin – just configure Fail2ban with your access log.

    Redirection has a support site here: https://redirection.me/support/

    Thread Starter Tony G

    (@starbuck)

    Consider the common scenario where a bad actor is probing for vulnerable plugins, using URLs that only a specific plugin would respond to. So if there are 50 such plugins, a site will see 50 requests for specific query strings, .css, and .js files. That’s 50 404s from a single IP, or at least IPs that would typically be in the same block. Everyone has a different tolerance for abuse, but I prefer to be strict and tune down to 5 404s in 1 hour to trigger an IP ban when only a few of these come in.

    Sure, we can get Fail2Ban to monitor the Redirection log. But I come back to the challenge where we don’t know if a 404 is due to a direct external query, or if a 404 is resulting from some temporary anomaly, like a request for an image that was accidentally deleted. Did we give the browser a link that forced it to do another query that resulted in a 404? If so we certainly don’t want to penalize the visitor.

    So, can you think of how Redirection might be able to help in that determination, given the unreliability of the Referer header?

    Thanks!!

    Plugin Author John Godley

    (@johnny5)

    Redirection is designed to redirect URLs. It doesn’t maintain a log file, and doesn’t check the referrer. If you configure it to do so, it will record 404s into a database table, but it performs no analysis of that data.

    Fail2ban has access to the same information (including referrer) via your access log. Additionally it can monitor JS and CSS files which may not be available to WordPress.

    Five 404s in 1 hour seems a *very* strict set of rules.
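
One way to do what John describes (feed the access log, not the plugin, to the banning logic) while addressing Tony’s local-vs-external concern, as an added example that is not from the thread or from Redirection: it parses combined-format access log lines, skips 404s whose Referer names our own host, and reports IPs that reach a 404 threshold inside a sliding time window. The site host, the log-format regex and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Apache/nginx "combined" log line; the regex and the site host are assumptions for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
SITE_HOST = "example.com"

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return dict(m.groupdict(), status=int(m["status"]),
                ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

def is_same_origin(referer, site_host=SITE_HOST):
    # "-" means no Referer was sent. The header is client-controlled, so a same-origin value
    # only lowers suspicion that a 404 is a probe; it never proves the request was benign.
    return referer not in ("", "-") and urlparse(referer).hostname == site_host

def offenders(lines, limit=5, window=timedelta(hours=1), site_host=SITE_HOST):
    """Map IP -> most external (non-same-origin) 404s seen inside any `window`, for IPs reaching `limit`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == 404 and not is_same_origin(rec["referer"], site_host):
            hits[rec["ip"]].append(rec["ts"])  # same-origin 404s are our own broken links, not probes
    result = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= limit:
            result[ip] = best
    return result

# Constructed sample traffic (not from the thread): a prober, a visitor following our broken links, a slow scanner, one normal request.
def _line(ip, hhmm, path, status, referer):
    return f'{ip} - - [10/Oct/2023:{hhmm}:00 +0000] "GET {path} HTTP/1.1" {status} 153 "{referer}" "Mozilla/5.0"'
SAMPLE_LOG = (
    [_line("203.0.113.7", f"13:{m:02d}", f"/wp-content/plugins/p{m}/readme.txt", 404, "-") for m in range(5)]
    + [_line("198.51.100.4", f"13:{20 + m:02d}", f"/img/gone{m}.png", 404, f"https://{SITE_HOST}/blog/") for m in range(5)]
    + [_line("198.51.100.4", "13:30", "/favicon.ico", 404, "-"), _line("192.0.2.11", "13:05", "/", 200, "-")]
    + [_line("203.0.113.9", f"{10 + h}:00", f"/backup{h}.zip", 404, "-") for h in range(5)]
)
```

With the defaults only the prober (five external 404s within minutes) is reported; the visitor whose 404s carry our own Referer and the scanner spreading one request per hour are not.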

    Thread Starter Tony G

    (@starbuck)

    Sincere thanks for your time and notes! I’m flagging this as Resolved.

  • The topic ‘Internal 404 vs External’ is closed to new replies.