How to Make Abusive Accesses Denied with IP Addresses and URL Paths

Last Updated: 2022/04/10 08:57:57

# Are Abused IP Addresses Deniable?

One of the most surprising things I have seen since 2006, when I started working as a web engineer, is the significant increase in malicious accesses to web servers. Of course there used to be a lot of unwanted accesses before, but nowadays some of these attacks come from IP addresses belonging to cloud services such as AWS or Google Cloud, where attackers can easily change the IP addresses they use, and an abused address may later be reassigned to another customer's server. As a result, you should be careful when denying these attacks by IP address. In my case, I usually look up the host name of an IP address and judge whether it should be denied, but in practice it is difficult to prevent malicious accesses just by denying IP addresses.

# Deny URLs Not Expected

Because it is difficult to block malicious accesses just by rejecting IP addresses, deny rules on URL paths are also necessary, and in practice they are effective.

# URLs used in WordPress

Web attackers often target well-known vulnerabilities. For example, they often request paths including wp-includes, which is used in WordPress. WordPress is a well-known open source application and is often considered to be used by many novice programmers who are not very serious about security and tend not to upgrade their applications to the latest versions. If your application does not need these paths to be accessible, I recommend forbidding access to them.

I usually make all the paths related to WordPress inaccessible on servers that host no WordPress sites. Specifically, paths matching the following patterns are forbidden. If you are using WordPress, you basically need to keep these paths accessible. Even in that case, however, you should forbid access to wp-config.php and, if it is not used, xmlrpc.php.

  • /wp-content/
  • /wp-includes/
  • /wp-admin/
  • wp-*
  • xmlrpc.php
  • wlwmanifest.xml

# Unused File Extensions

As far as I can tell from the access logs on my servers, php, cgi, asp and aspx are among the most targeted file extensions. If accesses to these extensions are not necessary, you should configure your server to reject them.

# Dot files

Dot files, such as .git or .htaccess, are also likely to be sought. I usually forbid .git, .htaccess, .htpasswd, .env, .svn and .aws.

# Other Paths Often Targeted

I usually modify my server configurations while checking the access logs on my servers, and, for example, the following paths are also forbidden.

  • fapi
  • bapi
  • aws
  • api/v (like api/v1/...)
  • phpmyadmin
  • mysql
  • shell
  • admin
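To show how the four deny lists above (WordPress paths, unused extensions, dot files and the other targeted paths) can be applied together, here is an added Python example that is not part of the original post. It classifies request paths against those patterns, scans access-log lines in the common Apache/nginx combined format, and reports which client addresses keep hitting denied paths, so you can review them before deciding on an IP-level block. The sample log lines are constructed for the example; matching keywords such as admin or shell as whole path segments (so /admin/ is caught but /administrator/ is not) is my own choice, and the hosts_wordpress and denied_extensions parameters are my own names.

```python
import re
from collections import Counter

# Deny patterns taken from the post. Keyword matching by path segment is my
# own choice (so "/admin/" is caught but "/administrator/" is not).
WORDPRESS_DIRS = ("/wp-content/", "/wp-includes/", "/wp-admin/")
WORDPRESS_FILES = ("xmlrpc.php", "wlwmanifest.xml")
WORDPRESS_SENSITIVE = ("wp-config.php", "xmlrpc.php")  # denied even on a WordPress host
DENIED_EXTENSIONS = ("php", "cgi", "asp", "aspx")
DENIED_DOTFILES = (".git", ".htaccess", ".htpasswd", ".env", ".svn", ".aws")
DENIED_KEYWORDS = ("fapi", "bapi", "aws", "phpmyadmin", "mysql", "shell", "admin")
API_VERSION_RE = re.compile(r"(^|/)api/v\d")  # "api/v" followed by a version number


def classify_path(path, hosts_wordpress=False, denied_extensions=DENIED_EXTENSIONS):
    """Return the name of the rule that denies this request path, or None if allowed.

    hosts_wordpress=True keeps the WordPress directories open and only denies
    wp-config.php and xmlrpc.php (the post assumes xmlrpc.php is unused);
    pass a denied_extensions tuple without "php" on such a host.
    """
    p = path.split("?", 1)[0].lower()  # ignore the query string
    segments = p.split("/")
    basename = segments[-1]
    if any(seg in DENIED_DOTFILES for seg in segments):
        return "dotfile"
    if hosts_wordpress:
        if basename in WORDPRESS_SENSITIVE:
            return "wordpress-sensitive"
    elif (any(d in p for d in WORDPRESS_DIRS)
          or basename.startswith("wp-")          # the "wp-*" pattern
          or basename in WORDPRESS_FILES):
        return "wordpress"
    ext = basename.rsplit(".", 1)[-1] if "." in basename else ""
    if ext in denied_extensions:
        return "extension"
    if API_VERSION_RE.search(p) or any(seg in DENIED_KEYWORDS for seg in segments):
        return "keyword"
    return None


# Combined log format: client, ident, user, [time], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(lines, hosts_wordpress=False, denied_extensions=DENIED_EXTENSIONS):
    """Map each client IP to a Counter of the deny rules its requests triggered."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rule = classify_path(m["path"], hosts_wordpress, denied_extensions)
        if rule:
            hits.setdefault(m["ip"], Counter())[rule] += 1
    return hits


def candidate_ips(hits, threshold=3):
    """IPs with at least `threshold` denied requests, for manual review (not auto-ban)."""
    return sorted(ip for ip, rules in hits.items() if sum(rules.values()) >= threshold)


# Constructed sample log lines (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2022:08:57:57 +0900] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
203.0.113.7 - - [10/Apr/2022:08:57:58 +0900] "GET /xmlrpc.php HTTP/1.1" 404 196
198.51.100.23 - - [10/Apr/2022:08:58:01 +0900] "GET /.env HTTP/1.1" 404 196
198.51.100.23 - - [10/Apr/2022:08:58:02 +0900] "GET /phpmyadmin/index.php HTTP/1.1" 404 196
198.51.100.23 - - [10/Apr/2022:08:58:03 +0900] "POST /api/v1/users HTTP/1.1" 404 196
192.0.2.44 - - [10/Apr/2022:08:58:10 +0900] "GET /index.html HTTP/1.1" 200 1024
192.0.2.44 - - [10/Apr/2022:08:58:11 +0900] "GET /assets/app.css HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for ip, rules in sorted(hits.items()):
        print(ip, dict(rules))
    print("review candidates:", candidate_ips(hits))
```

The script only reports; the decision to deny an address stays manual, which matches the post's warning that cloud IP addresses change hands. On a server that does host WordPress, call scan_log with hosts_wordpress=True and an extension tuple that omits php, so that wp-login.php and the like stay reachable while wp-config.php and xmlrpc.php are still flagged.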

# Security Resistant Application

I think the most effective countermeasure for server security is, in the end, security-resistant design of your own applications. Whatever applications you use, they should be upgraded to the latest version, and in any case, even when you don't use any third-party applications or frameworks, you need basic knowledge of server security and common attacks. I feel most attacks are based on common and traditional techniques, such as SQL injection, OS command injection, password attacks and so on, so if you know which attacks are common and which countermeasures are appropriate, you are more likely to avoid most of them.

Copyright © Web Ninja All Rights Reserved.