Bots scanning your site and handling unauthorized admin requests

This thread has two topics. One is about the constant bot scanning that occurs on domains, and the other is what do you display for unauthorized users trying to access your admin page.

Bot scanning

I have separated my 404 errors from the other errors, so I can be more alert to the actual errors that I need to care about. With this I am noticing that differing IPs keep scanning my site for vulnerabilities, like old WordPress sites, login pages etc.

Is that something I should take notice of? Sure, I don’t actually have any of those sites, but do you guys block those IPs or anything else? Surely just banning IPs is useless as they keep changing. Is this just something one has to live with?

Unauthenticated users trying to access your admin pages

I have a website with a user interface and an admin interface, like many other sites. On this site, you have to be a logged in user to do anything on the site. Thus, you are faced with a login form from the get-go if you are not logged in.

I’m curious how you guys handle unauthorized requests to your admin interface. If they try to access a non-existent route in your admin prefix (admin/non-existing-controller/index), surely you give them a 404 error. What if it’s an actual route on your site, do you give them an “Access denied” kind of error page if they are logged in and a redirect if they are not, or do you just give them the same 404 error, as a way to conceal your actual admin routes? Or even conceal that you in fact have an admin interface at all. This links in with the other topic in this thread, about bots trying to find vulnerabilities on your site. If they see that /admin is an actual route, they have found “something”.

I am doing the latter. All unauthorized requests receive a 404 error. This gives me a dilemma when an admin receives an email with a link to a route in the admin interface, but is not logged in. The admin is then faced with a 404 error, making it appear as though the email is giving out a non-working link. If I redirect them to the login form, they will then log in and be redirected back to the link from the email. But then my admin routes are “visible” from the outside.

A workaround could be to append something in the query params in the link when sending an email, letting me know this is an actual admin trying to access the site, and have them redirected to the login form. I just want to hear from you guys what you do on your own projects.

I see your point but IMHO security through hidden URLs isn’t the best strategy… If system functionality is locked down if not authenticated/authorized, it shouldn’t matter whether someone guesses your URLs.
Having said that, /admin is a WordPress standard, which is why bots scan for it. Change the URL to something less expected.
An additional approach is to always forward URLs while unauthenticated to the login screen. If a user then logs in correctly, they can be forwarded to their original URL. If that URL isn’t valid, then serve a 404 or something.
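The flow this reply describes (anonymous request to the admin prefix goes to the login form, the original path is carried along, and only after a successful login is the route resolved, with 404 for anything unknown or unauthorized) as an added Python example that is not code from the thread; the route table, `is_admin` flag and `?redirect=` parameter name are assumptions. The redirect target is validated so that the login form cannot be used as an open redirector.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

ADMIN_PREFIX = "/admin"
LOGIN_PATH = "/login"
# Constructed route table standing in for the framework's admin routes (hypothetical).
ADMIN_ROUTES = {"/admin/users/index", "/admin/posts/edit"}


def handle_admin_request(path: str, user: Optional[dict]) -> tuple:
    """Dispatch a request under the admin prefix; returns (status, headers).

    Anonymous callers get the same 302 to the login form whether or not the
    route exists, so nothing about the admin route map leaks before login.
    Logged-in users who are not admins get a 404 identical to a missing route.
    """
    if user is None:
        return 302, {"Location": LOGIN_PATH + "?" + urlencode({"redirect": path})}
    if not user.get("is_admin") or path not in ADMIN_ROUTES:
        return 404, {}
    return 200, {}


def safe_redirect_target(raw: Optional[str]) -> str:
    """Accept only a relative path on this site as the post-login destination.

    Rejects absolute URLs, scheme-relative '//host' forms and backslashes,
    all of which would turn the login form into an open redirect.
    """
    if not raw or not raw.startswith("/") or raw.startswith("//") or "\\" in raw:
        return "/"
    parsed = urlparse(raw)
    if parsed.scheme or parsed.netloc:
        return "/"
    return raw


def after_login(login_query: str, user: dict) -> tuple:
    """Resume the original request once the user is authenticated.

    The resumed admin path goes back through the same policy, so an emailed
    link to a real route now works while an unknown route still yields 404.
    """
    params = parse_qs(login_query)
    target = safe_redirect_target(params.get("redirect", [None])[0])
    if target.startswith(ADMIN_PREFIX):
        return handle_admin_request(target, user)
    return 302, {"Location": target}
```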

With a public facing server, not much you can do to completely stop the nonsense. However, there are some basic things I do to keep my (and my client’s) sites safe. Think layers. Make sure the coding is solid and does not allow any injection or any other holes. Require strong passwords. Finally, I use an IPS. You didn’t mention your OS platform but I’m using Fail2Ban on Linux. You can tune it to be very aggressive with the attack profiles.

Whatever is on prefix /admin first I force them to login (throw 401), and then if logged in show 404.

You can search how to use a WAF (web application firewall), some try to detect this.

Or limit logins, like 7 consecutive tries per hour, limited by PHP or with fail2ban (works with log files).

Also, for public forms I tend to use Google captcha.