Erroneous domain request keeps hitting my server

What is the name of the domain?

free-spins-no-deposit.co.uk

What is the issue you’re encountering

Numerous (but not too aggressive) requests to my server IP, using a wrong domain name

What steps have you taken to resolve the issue?

Check nginx logs

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

Many requests such as this one:

113.30.188.212 - - [24/Jul/2024:14:15:19 +0000] "GET https://free-spins-no-deposit.co.uk/wp-cron.php HTTP/2.0" 403 250 0.000 "-" "-"

Hit my machine. Now, they are not too much of a nuisance since the server responds quickly with 403s but still…

One thing that worries me more is that going to my browser and entering https://free-spins-no-deposit.co.uk/ goes straight to my server (double/triple checked in my logs), which means something is afoot with the mapping of that domain name to a wrong IP, perhaps?

Could anyone shed some light on this issue? Is anyone encountering similar problems?

Thanks!

Just to clarify, free-spins-no-deposit.co.uk is NOT my domain name. It’s the erroneous domain name used to hit my server.

That domain is using Cloudflare and the records are proxied, so someone has, either by mistake or for malicious reasons, set your IP address for this domain.
https://cf.sjr.org.uk/tools/check?91358a7626ff4c26b8c38dd627f86ae6#dns

Are you using Cloudflare yourself? If yes, I guess you are restoring visitor IPs? (Otherwise you’d be seeing Cloudflare IP addresses in your log).

Assuming you are, some options are:

  • ensure your web server is configured to return 404/403 for hostnames not configured on it, not your own content
  • use only an IPv6 address for your origin instead of IPv4, which is unlikely for someone to set by accident or otherwise
  • use Authenticated Origin Pull with your own certificate to reject requests from Cloudflare that are not from your account
  • or use a tunnel, so your public IP is not used at all

Thank you :slight_smile:

I am indeed a Cloudflare user.

The 403 is a result of the requesting IP (113.30.188.212) not being a Cloudflare IP, as far as I know. So what happens is, if that IP is not from CF, it gets dropped via a 403. Not ideal or super strong, but light and easy to set up.

If by “restoring visitor IP” you mean doing this:

set_real_ip_from 173.245.48.0/20;
<etc.>

then yes.

As for the rest, I need to look at it in more detail!

But assuming the intent is malicious (and I can’t see why not, given the nature of the requests: relative paths pointing to well-known holes in WordPress and the like, some SQL injection, etc.), does Cloudflare enforce some kind of policy around that? Is there anywhere to file some (light) complaint?

Many thanks!
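
An added example, not the configuration of anyone in this thread, showing how the pieces discussed above (visitor-IP restoration, the "not a Cloudflare IP, so 403" check, and a catch-all for hostnames the server is not configured for) fit together in nginx. Assumptions: example.com is the hostname you actually serve, the certificate paths exist, and the Cloudflare IPv4 ranges listed (the list published at https://www.cloudflare.com/ips-v4 when this was written) are refreshed whenever Cloudflare changes them. The directives belong in the http { } context.

```nginx
# Added example, not the configuration of anyone in this thread.
# Assumptions: example.com is your real hostname, the cert paths exist, and
# the Cloudflare IPv4 list below (from https://www.cloudflare.com/ips-v4
# when this was written) is refreshed whenever Cloudflare changes it.

# 1. Source-address check. $realip_remote_addr is the address the TCP
#    connection actually came from, even after real_ip has rewritten
#    $remote_addr, so a direct probe such as 113.30.188.212 maps to 0 and a
#    Cloudflare edge maps to 1.
geo $realip_remote_addr $from_cloudflare {
    default          0;
    173.245.48.0/20  1;
    103.21.244.0/22  1;
    103.22.200.0/22  1;
    103.31.4.0/22    1;
    141.101.64.0/18  1;
    108.162.192.0/18 1;
    190.93.240.0/20  1;
    188.114.96.0/20  1;
    197.234.240.0/22 1;
    198.41.128.0/17  1;
    162.158.0.0/15   1;
    104.16.0.0/13    1;
    104.24.0.0/14    1;
    172.64.0.0/13    1;
    131.0.72.0/22    1;
}

# 2. Restore the visitor IP, trusting CF-Connecting-IP only when the
#    connection itself came from one of Cloudflare's ranges.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
real_ip_header CF-Connecting-IP;

# 3. Catch-all for any Host/SNI we have no server block for, such as
#    free-spins-no-deposit.co.uk in the log above. 444 closes the connection
#    without sending a response, whether the request came via Cloudflare or
#    straight to the IP.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/fallback.crt;  # any self-signed cert will do
    ssl_certificate_key /etc/nginx/fallback.key;
    return 444;
}

# 4. The real site. Requests that did not arrive through a Cloudflare edge
#    get the 403 described in the thread; everything else is served.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/example.com.crt;
    ssl_certificate_key /etc/nginx/example.com.key;

    # Optional, per the reply above: Authenticated Origin Pulls. With this
    # enabled, a client that cannot present the origin-pull client
    # certificate is rejected at the TLS handshake, before any check below.
    # ssl_client_certificate /etc/nginx/cloudflare-origin-pull-ca.pem;
    # ssl_verify_client on;

    if ($from_cloudflare = 0) {
        return 403;
    }

    location / {
        root  /var/www/example.com;
        index index.html;
    }
}
```

The two checks are independent on purpose. Once a third party points a proxied Cloudflare record at your IP, Cloudflare's edges will forward requests for that hostname to you, and those arrive from Cloudflare addresses, so the source-IP check alone (item 1 and the `if` in item 4) lets them through; the default_server in item 3 is what drops them. Conversely, the direct-to-IP probes in the log never touch Cloudflare and are caught by the source check even when they carry your real hostname. Run `nginx -t` after editing, and note that 444 still writes a line to the access log, so the requests remain visible for monitoring.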
