How to protect hidden service from such scan?

"GET /test/
"GET /status
"GET /stats/
"GET /sql.tgz
"GET /sql.zip
"GET /sql.tar.gz
"GET /site/
"GET /site.zip
"GET /site.tgz
"GET /site.tar.gz
"GET /shell.php
"GET /settings.php
"GET /server-status
"GET /server-info
"GET /secret/
"GET /register.php
"GET /register
"GET /private_key
"GET /private/
"GET /priv/
"GET /pma/
"GET /phpmyadmin/
"GET /phpinfo.php
"GET /phpinfo
"GET /phpbb/
"GET /old/
"GET /new/
"GET /mysql.zip
"GET /mysql.tgz
"GET /mysql.tar.gz
"GET /logs/
"GET /login/
"GET /login.php
"GET /log/
"GET /install/
"GET /install.php
"GET /includes/
"GET /include/
"GET /inc/
"GET /home.php
"GET /home/
"GET /hidden/
"GET /fr/
"GET /forums/
"GET /forum/
"GET /foro/
"GET /files/
"GET /file/
"GET /FCKeditor/
"GET /file.php
"GET /etc/
"GET /es/
"GET /en/
"GET /dump.zip
"GET /dump.tgz
"GET /dump.tar.gz
"GET /dump.sql.zip
"GET /dump.sql.gz
"GET /dump.sql.bz2
"GET /dump.sql
"GET /dump.gz
"GET /downloads/
"GET /download.php
"GET /demo/
"GET /de/
"GET /db.sql
"GET /data/
"GET /cpanel/
"GET /controlpanel/
"GET /content/
"GET /config.php
"GET /config/
"GET /conf/
"GET /c99.php
"GET /board/
"GET /bitcoin.php
"GET /backups/
"GET /backup/
"GET /backup.zip
"GET /backup.tgz
"GET /backup.tar.gz
"GET /ar/
"GET /administrator/
"GET /admin/
"GET /admin.php
"GET /adm/
"GET /accounts/
"GET /account/
"GET /.svn/
"GET /.ssh/
"GET /.htaccess
"GET /.git/index
"GET /.bash_history
"GET /files/

depends what server you run, and what (on that server).
let's say you run a static site with /$webroot/index.html as the only document, you could either forbid everything else or you could redirect everything else (every request which is not index.html) to index.html.
directory listing must be turned off, of course. it is possible to replace the 404 with the 403 error message (or vice versa). this way, it is not revealed if the requested does not exist or is just forbidden.
if you have several documents (like usual), you can extend the scheme. how you implement the rights is depending on the server system you run, i think on apache you could use htaccess for this. if you have something dynamic (like a forum or a blog), you could limit or redirect all requests to the application (the cgi or php script, or whatever you use).
if you have a script, you could also do something more sophisticated and try to check the requests for such scans and then react somehow (shutting down the connection for one minute or displaying a (possibly misleading) error page, writing to a log, trying to dos the scanner...).
and of course, you could also construct a spider/bottrap with endless redirects or something else funny (malicious files like zip bombs, obscure error messages or just some random garbage).

hope this helps

Posted on def4

On 2019-02-26 22:28, you wrote:

depends what server you run, and what (on that server).

I run static site with sthttpd. sthttpd seem does not support ".htaccess" file
- he ignore every string there.

let's say you run a static site with /$webroot/index.html as the only
document, you could either forbid everything else or you could redirect
everything else (every request which is not index.html) to index.html.
directory listing must be turned off, of course. it is possible to replace
the 404 with the 403 error message (or vice versa). this way, it is not
revealed if the requested does not exist or is just forbidden.
if you have several documents (like usual), you can extend the scheme. how
you implement the rights is depending on the server system you run, i think
on apache you could use htaccess for this. if you have something dynamic
(like a forum or a blog), you could limit or redirect all requests to the
application (the cgi or php script, or whatever you use).
if you have a script, you could also do something more sophisticated and try
to check the requests for such scans and then react somehow (shutting down
the connection for one minute or displaying a (possibly misleading) error
page, writing to a log, trying to dos the scanner...).
and of course, you could also construct a spider/bottrap with endless
redirects or something else funny (malicious files like zip bombs, obscure
error messages or just some random garbage).

John Doe wrote:

On 2019-02-26 22:28, you wrote:

depends what server you run, and what (on that server).

I run static site with sthttpd. sthttpd seem does not support ".htaccess"

file

- he ignore every string there.

Previous post covers a good amount of good ideas. I haven't used sthttpd, looks interesting https://blogs.gentoo.org/blueness/2014/10/03/sthttpd-a-very-tiny-and-very-fast-http-server-with-a-mature-codebase/

Maybe mess with the throttling feature and refuse connections instead of just throttle them for predicted locations
http://www.acme.com/software/thttpd/thttpd_man.html#THROTTLING

--
Posted on Rocksolid Light.

John Doe <invalid@invalid.invalid> wrote:

How to protect hidden service from such scan?

"GET /test/
"GET /status
"GET /stats/
"GET /sql.tgz
"GET /sql.zip
"GET /sql.tar.gz
"GET /site/
"GET /site.zip
"GET /site.tgz
"GET /site.tar.gz
"GET /shell.php
"GET /settings.php
"GET /server-status
"GET /server-info
"GET /secret/
"GET /register.php
"GET /register
"GET /private_key
"GET /private/
"GET /priv/
"GET /pma/
"GET /phpmyadmin/
"GET /phpinfo.php
"GET /phpinfo
"GET /phpbb/
"GET /old/
"GET /new/
"GET /mysql.zip
"GET /mysql.tgz
"GET /mysql.tar.gz
"GET /logs/
"GET /login/
"GET /login.php
"GET /log/
"GET /install/
"GET /install.php
"GET /includes/
"GET /include/
"GET /inc/
"GET /home.php
"GET /home/
"GET /hidden/
"GET /fr/
"GET /forums/
"GET /forum/
"GET /foro/
"GET /files/
"GET /file/
"GET /FCKeditor/
"GET /file.php
"GET /etc/
"GET /es/
"GET /en/
"GET /dump.zip
"GET /dump.tgz
"GET /dump.tar.gz
"GET /dump.sql.zip
"GET /dump.sql.gz
"GET /dump.sql.bz2
"GET /dump.sql
"GET /dump.gz
"GET /downloads/
"GET /download.php
"GET /demo/
"GET /de/
"GET /db.sql
"GET /data/
"GET /cpanel/
"GET /controlpanel/
"GET /content/
"GET /config.php
"GET /config/
"GET /conf/
"GET /c99.php
"GET /board/
"GET /bitcoin.php
"GET /backups/
"GET /backup/
"GET /backup.zip
"GET /backup.tgz
"GET /backup.tar.gz
"GET /ar/
"GET /administrator/
"GET /admin/
"GET /admin.php
"GET /adm/
"GET /accounts/
"GET /account/
"GET /.svn/
"GET /.ssh/
"GET /.htaccess
"GET /.git/index
"GET /.bash_history
"GET /files/

I, personally, just ignore it.

--
Neodome

sthttpd - a fork of thttpd, a tiny/turbo/throttling HTTP server
version 2.27.0 Oct 3, 2014 sthttpd is a fork of Jef Poskanzer's
popular thttpd server. This fork aims to simply maintain the
original codebase as bugs or security issues are found.

oh yeah, thttpd is back, how cool is that ? i think for minimalistic sites it is just the best server there is.




Posted on def4

On 2019-02-28 16:06, you wrote:

John Doe <invalid@invalid.invalid> wrote:

How to protect hidden service from such scan?

"GET /sql.tgz
"GET /sql.zip
"GET /sql.tar.gz
"GET /db.sql
"GET /backup.zip

I, personally, just ignore it.

He overload low bandwidth tor/i2p tunnel.

On 2019-02-28 18:06, you wrote:

sthttpd - a fork of thttpd, a tiny/turbo/throttling HTTP server
version 2.27.0 Oct 3, 2014 sthttpd is a fork of Jef Poskanzer's
popular thttpd server. This fork aims to simply maintain the
original codebase as bugs or security issues are found.

oh yeah, thttpd is back, how cool is that ? i think for minimalistic sites it
is just the best server there is.

it is fast and secure. best choice for static site.

He overload low bandwidth tor/i2p tunnel.

on tor, you are on your own. but on i2p, you can avoid such attacks pretty easily by finetuning the tunnels properties.
has worked like a charm for def3, which was subject to heavy spider and inproxy traffic.

cheers

trw
Posted on: def3.i2p

On 2019-03-01 05:12, you wrote:

He overload low bandwidth tor/i2p tunnel.

on tor, you are on your own. but on i2p, you can avoid such attacks pretty
easily by finetuning the tunnels properties.

which one properties exactly?

has worked like a charm for def3, which was subject to heavy spider and
inproxy traffic.

which one properties exactly?

The headline is "Server throttling", then edit the points "Inbound connection limits" and "Max concurrent connections". In "Inbound connection limits" you can set max values per client.

Posted on def4

On 2019-03-03 11:10, you wrote:

which one properties exactly?

The headline is "Server throttling", then edit the points "Inbound connection
limits" and "Max concurrent connections". In "Inbound connection limits" you
can set max values per client.

This is i2p option I guess. I have use i2pd. Most relevant option there is
"inbound.quantity". But I'm not sure.
https://i2pd.readthedocs.io/en/latest/user-guide/tunnels/

https://i2pd.readthedocs.io/en/latest/user-guide/tunnels/

according to this link "inbound.quantity" is the number of inbound tunnels. seems like i2pd does not offer that option.

Posted on def4