Jorgee goes on a rampage

In a time-frame of just 10 seconds I got 1200 requests from the Jorgee vulnerability scanner, originating from 15 unique IP addresses. As usual it was just a blind attack probing a /24 subnet.

I deploy a rather aggressive ModSecurity with Fail2ban defense that banned every offending IP address within a few seconds. Still, I must admit that 1200 requests slipping through the cracks was a bit more than expected. I guess my RPi3 can’t really go toe to toe against Digital Ocean and other cloud based hosting providers.

Even if you don’t deploy a web application firewall it’s still easy to block these types of attacks with the Apache mod_rewrite module. Every single request followed the same pattern: - - [01/Apr/..] "HEAD http://109.109..:80/phpMyAdmin/ HTTP/1.1" 403 - "-" "Mozilla/5.0 Jorgee"

User agent:

“Mozilla/5.0 Jorgee” => The attacker is polite and informs us it’s actually Jorgee, well known vulnerability scanner. We can simply block this attack by identifying “Jorgee” from its user agent string:

# Block bad user agents
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} ^.*(jorgee|morfeus|other).* [NC]
RewriteRule ^(.*)$ - [L,R=403]

Host header:

http://IPADDRESS:PORT => A blind scan of IP addresses, at best performed against a block of static IP addresses. We’ll be less vulnerable against these sorts of attacks by not accepting numeric or unknown host headers:

# Block unwanted host headers
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_HOST} !^blog\.paranoidpenguin\.net$ [NC]
RewriteCond %{HTTP_HOST} !^www\.blog\.paranoidpenguin\.net$ [NC]
RewriteRule ^(.*)$ - [L,R=403]
jorgee vulnerability scanner

A Jorgee vulnerability scan in progress.

The list of attacking IP addresses: