Someone trying to get into my server?

I hosted my Rails application last week. Today I was going through our log file and noticed lots of request like this.

I, [2016-03-14T00:42:18.501703 #21223]  INFO -- : Started GET "/testproxy.php" for 185.49.14.190 at 2016-03-14 00:42:18 -0400
F, [2016-03-14T00:42:18.510616 #21223] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):

Someone is trying to go to testproxy.php from different IP addresses. Some IPs are from Poland and others from Hong Kong. Am I getting attacked by someone? What are my options to protect myself?

Here are other outputs from log file:

I, [2016-03-14T03:09:24.945467 #15399]  INFO -- : Started GET "/clientaccesspolicy.xml" for 107.22.223.242 at 2016-03-14 03:09:24 -0400
F, [2016-03-14T03:09:24.949328 #15399] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/clientaccesspolicy.xml"):

Different ip address:

I, [2016-03-14T16:03:47.793731 #15399]  INFO -- : Started GET "/testproxy.php" for 178.216.200.48 at 2016-03-14 16:03:47 -0400
F, [2016-03-14T16:03:47.818519 #15399] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):

search.php

I, [2016-03-14T19:41:14.261843 #15399]  INFO -- : Started GET "/forum/search.php" for 164.132.161.67 at 2016-03-14 19:41:14 -0400
F, [2016-03-14T19:41:14.266563 #15399] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/forum/search.php"):

forum/index.php

I, [2016-03-15T10:54:55.254785 #26469]  INFO -- : Started GET "/forum/index.php" for 164.132.161.56 at 2016-03-15 10:54:55 -0400
F, [2016-03-15T10:54:55.266456 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/forum/index.php"):

phpMyAdmin/scripts/setup.php

I, [2016-03-15T13:21:36.862918 #26469]  INFO -- : Started GET "/phpMyAdmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:36 -0400
F, [2016-03-15T13:21:36.867050 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/phpMyAdmin/scripts/setup.php"):

another setup.php

I, [2016-03-15T13:21:37.452097 #26469]  INFO -- : Started GET "/pma/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:37 -0400
F, [2016-03-15T13:21:37.453647 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/pma/scripts/setup.php"):

myadmin/scripts/setup.php

I, [2016-03-15T13:21:38.034283 #26469]  INFO -- : Started GET "/myadmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:38 -0400
F, [2016-03-15T13:21:38.041563 #26469] FATAL -- : 
ActionController::RoutingError (No route matches [GET] "/myadmin/scripts/setup.php"):

and lots of other stuff. Please tell me how I can protect myself from those attacks.

r3b00t asked Mar 15 '16 23:03




1 Answer

This is commonplace when you are running a public server. Here is an excerpt of my home server's auth.log:

Mar 14 19:22:36 hotdog sshd[65937]: Received disconnect from 181.214.92.11:  11: Bye Bye [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Invalid user ubnt from 181.214.92.11
Mar 14 19:22:37 hotdog sshd[65939]: input_userauth_request: invalid user ubnt [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Invalid user support from 181.214.92.11
Mar 14 19:22:38 hotdog sshd[65941]: input_userauth_request: invalid user support [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Invalid user oracle from 181.214.92.11
Mar 14 19:22:39 hotdog sshd[65943]: input_userauth_request: invalid user oracle [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:40 hotdog sshd[65945]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:24:04 hotdog sshd[65947]: fatal: Read from socket failed: Operation timed out [preauth]
Mar 14 20:01:19 hotdog sshd[66032]: Received disconnect from 183.3.202.102: 11:  [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Invalid user cacti from 199.217.117.71
Mar 14 20:40:17 hotdog sshd[66092]: input_userauth_request: invalid user cacti [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Connection closed by 199.217.117.71 [preauth]
Mar 14 21:32:09 hotdog sshd[66188]: Received disconnect from 183.3.202.102: 11:  [preauth]
Mar 14 22:01:59 hotdog sshd[66256]: Invalid user user1 from 199.217.117.71
Mar 14 22:01:59 hotdog sshd[66256]: input_userauth_request: invalid user user1 [preauth]
Mar 14 22:02:00 hotdog sshd[66256]: Connection closed by 199.217.117.71 [preauth]
Mar 14 22:17:57 hotdog sshd[66280]: Did not receive identification string from 14.182.117.161

As you can see, people are constantly trying to break into my server by guessing a username. Since the server only accepts public-key login, not password, I believe myself to be fairly secure from these particular attacks.

The same applies to your PHP files. They are trying to find a PHP endpoint on which they can run some canned exploit. You can use tools like fail2ban which help with rate-limiting. But really, these attacks will always be present on a public server. The only way is to ensure your software can resist attacks.

Some general common-sense tips:

  • Don't run more services than you need, as any one service could open your server to attack. Check which ports you have open with nmap.
  • Check that your apache/nginx config doesn't allow execution of more (PHP) files than necessary.
  • Update your software continuously. Most of these attacks are automated and thus rely on published exploits in common packages.
jforberg answered Sep 30 '22 18:09
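As an added example (not code from the original question or answer), here is a small Ruby script that does the triage the answer suggests: it pairs each `Started GET` line with the `RoutingError` that follows it, counts unmatched-route requests per source IP, and flags sources whose requests are all PHP/phpMyAdmin-style probes as candidates for a fail2ban-style block. The sample log is constructed from lines in the question plus one ordinary request from a documentation-range address (203.0.113.7); the probe-path heuristic and the threshold are assumptions of this example, not anything the original post specifies.

```ruby
# Added example: summarise unmatched-route ("404 probe") traffic from a Rails
# production log so you can decide which sources to rate-limit or block.
# Not from the original post. Sample lines are constructed to mirror the
# log format shown in the question.

SAMPLE_LOG = <<~LOG
  I, [2016-03-14T00:42:18.501703 #21223]  INFO -- : Started GET "/testproxy.php" for 185.49.14.190 at 2016-03-14 00:42:18 -0400
  F, [2016-03-14T00:42:18.510616 #21223] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/testproxy.php"):
  I, [2016-03-15T13:21:36.862918 #26469]  INFO -- : Started GET "/phpMyAdmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:36 -0400
  F, [2016-03-15T13:21:36.867050 #26469] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/phpMyAdmin/scripts/setup.php"):
  I, [2016-03-15T13:21:37.452097 #26469]  INFO -- : Started GET "/pma/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:37 -0400
  F, [2016-03-15T13:21:37.453647 #26469] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/pma/scripts/setup.php"):
  I, [2016-03-15T13:21:38.034283 #26469]  INFO -- : Started GET "/myadmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:38 -0400
  F, [2016-03-15T13:21:38.041563 #26469] FATAL -- :
  ActionController::RoutingError (No route matches [GET] "/myadmin/scripts/setup.php"):
  I, [2016-03-15T13:30:00.000000 #26469]  INFO -- : Started GET "/posts/1" for 203.0.113.7 at 2016-03-15 13:30:00 -0400
  I, [2016-03-15T13:30:00.010000 #26469]  INFO -- : Completed 200 OK in 12ms
LOG

# Request line written by Rails' logger: method, path and client IP.
STARTED_RE = /Started (?<method>[A-Z]+) "(?<path>[^"]*)" for (?<ip>[0-9a-fA-F.:]+) at/
# Error line emitted when no route matches the request.
ROUTING_ERROR_RE = /ActionController::RoutingError \(No route matches \[(?<method>[A-Z]+)\] "(?<path>[^"]*)"\)/

# Heuristic (an assumption of this example): a Rails app serves no PHP, so any
# request for a .php file or a phpMyAdmin-style directory is a scanner probe.
def probe_path?(path)
  p = path.downcase
  p.end_with?(".php") || p.include?("myadmin") || p.include?("/pma/")
end

# Returns { ip => { count: n, paths: [...] } } for requests that ended in a
# RoutingError. The error line carries no IP, so it is attributed to the most
# recent "Started" line for the same path; a path-level match avoids blaming
# the wrong client when several worker processes interleave their output.
def summarize_probes(log_text)
  pending = {}
  per_ip = Hash.new { |h, k| h[k] = { count: 0, paths: [] } }

  log_text.each_line do |line|
    if (m = STARTED_RE.match(line))
      pending[m[:path]] = m[:ip]
    elsif (m = ROUTING_ERROR_RE.match(line))
      ip = pending.delete(m[:path])
      next unless ip # error line with no matching request: skip, do not guess

      per_ip[ip][:count] += 1
      per_ip[ip][:paths] << m[:path]
    end
  end
  per_ip
end

# Sources that hit at least `threshold` unmatched routes, every one of which
# looks like a scanner probe. A client that merely mistyped one URL is not
# listed, which keeps false positives out of any block list you build from this.
def block_candidates(summary, threshold: 3)
  summary.select { |_ip, e| e[:count] >= threshold && e[:paths].all? { |p| probe_path?(p) } }.keys
end

if $PROGRAM_NAME == __FILE__
  summary = summarize_probes(ARGF.file == $stdin ? SAMPLE_LOG : ARGF.read)
  summary.each { |ip, e| puts "#{ip}\t#{e[:count]}\t#{e[:paths].uniq.join(',')}" }
  puts "block candidates: #{block_candidates(summary).join(', ')}"
end
```

Run it as `ruby probes.rb production.log` to summarise a real log, or with no argument to see the constructed sample. The per-IP counts are what a fail2ban filter would effectively compute from the same lines; the point of the path-matching step is that the `RoutingError` line does not name the client, so naive "previous line" attribution can misfire in a multi-worker log.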
