EC2s getting harassed by vulnerability scans from useragent Jorgee
3 points by brionicle 3195 days ago
I run a bunch of microservices on AWS Elastic Beanstalk. I set up alarms for anytime I start returning a large number of status codes and recently, I've been getting emails every 3-10 minutes all hours of the day.

Looking into it, it's bulk WordPress/PHP-related 404s from the useragent Mozilla 5.0 Jorgee, about 50-150 at a time. I don't use PHP so it's not a problem, but the alarms are hard to get around. Don't want to cancel them and not know when something actually goes off the rails, but I can't afford to have my email blown up by bullshit.

First thought was just returning 200's but that's bullshit.

Suggestions and similar stories appreciated.

3 comments

I've experienced this and the 404-related emails on Elastic Beanstalk are indeed annoying, and it would be good if there was an easy way to turn them off just for 404s specifically. However, based on my experience this will pass; it won't be like this forever, so don't worry. And then it will come back, but then go away again. I haven't had a single email related to this for several months now. After it realizes there's no vulnerability (in my case I don't have php admin) then it seems to stop trying, but I don't know how long before there will be new requests trying again.
We ran into this at my shop. What we did is tuck away everything that isn't accessed externally in a VPC. Now they can't be reached by these scanners.
I'd set up fail2ban on those machines to automatically block the requests.
I'm pretty sure you can configure fail2ban to automatically ban based on user-agent or URL path. I would suggest banning any of the WordPress or phpadmin URL links.
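The triage the thread is circling around, as an added example that is not part of any post above: split 404s into scanner noise (the Jorgee user agent or PHP/WordPress-style paths) and genuine ones, so the alarm counts only the latter and the noisy source IPs can be fed to a blocker such as fail2ban. The combined log format, the path patterns, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined log format (assumed):
# ip - user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed noise signatures: the user agent named in the thread, plus
# PHP/WordPress-style paths that a service without PHP never serves.
NOISE_UA = re.compile(r"jorgee", re.I)
NOISE_PATH = re.compile(r"(\.php(\?|$)|/wp-|phpmyadmin)", re.I)


def triage(lines, ban_threshold=3):
    """Return (genuine_404_count, ips_to_ban) for a batch of log lines."""
    genuine = 0
    noise_by_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["status"] != "404":
            continue  # unparseable line or not a 404: not our concern here
        if NOISE_UA.search(m["ua"]) or NOISE_PATH.search(m["path"]):
            noise_by_ip[m["ip"]] += 1  # scanner probe: keep out of the alarm
        else:
            genuine += 1  # a 404 on a path the service might really own
    bans = sorted(ip for ip, n in noise_by_ip.items() if n >= ban_threshold)
    return genuine, bans


# Constructed sample lines (documentation IP ranges, made-up paths and times).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2017:10:00:01 +0000] "HEAD /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [01/Jan/2017:10:00:02 +0000] "HEAD /phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [01/Jan/2017:10:00:03 +0000] "HEAD /admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
    '198.51.100.20 - - [01/Jan/2017:10:01:00 +0000] "GET /api/v1/orders/999 HTTP/1.1" 404 23 "-" "curl/7.50.0"',
    '198.51.100.20 - - [01/Jan/2017:10:01:05 +0000] "GET /api/v1/orders/1 HTTP/1.1" 200 512 "-" "curl/7.50.0"',
    '192.0.2.44 - - [01/Jan/2017:10:02:00 +0000] "GET /index.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    genuine, bans = triage(SAMPLE)
    print(f"genuine 404s: {genuine}; ban candidates: {bans}")
```

Behind a load balancer the first log field is usually the balancer's address, so the client IP has to come from the forwarded-for header before any ban decision is made on it.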