How to Spot and Prevent Fingerprinting Attacks on Your Website
As your website grows and attracts more traffic, it also becomes a potential target for malicious activities. One such activity is fingerprinting, where an attacker scans your site to identify potential vulnerabilities. They might not launch a full attack immediately, but they're collecting information that could lead to one later.
For example, my Apache web server error logs contain entries like these:
[Sun Oct 13 02:43:01.043069 2024] [php:error] [pid 1223521:tid 1223521] [client xxx.xxx.xxx.xxx:62815] script '/var/www/html/frontend_dev.php' not found or unable to stat
[Sun Oct 13 02:43:51.511184 2024] [php:error] [pid 1223505:tid 1223505] [client xxx.xxx.xxx.xxx:51922] script '/var/www/html/info.php' not found or unable to stat
[Sun Oct 13 02:44:08.470687 2024] [php:error] [pid 1222003:tid 1222003] [client xxx.xxx.xxx.xxx:54523] script '/var/www/html/phpinfo.php' not found or unable to stat
These logs show that someone is trying to access specific scripts on your site that don't exist, such as frontend_dev.php, info.php, and phpinfo.php. These are common filenames that attackers probe for because they often contain sensitive information in poorly configured environments.
Those three are only simple examples. I have also had someone hitting my server and trying to exploit the WordPress platform (based on the URL targets), even though I don't use WordPress.
What Is Fingerprinting?
Fingerprinting is a method attackers use to gather information about your website, such as the underlying software, versions, and configurations. By scanning for specific files, they hope to find development or information pages that could expose details about your server.
In your case, they're likely checking if your server exposes files that could give them clues about its setup, PHP version, or even debugging information. For instance, the phpinfo.php file can display detailed information about your PHP environment if it exists and is accessible.
Why Are These Requests Dangerous?
Requests for files like frontend_dev.php and phpinfo.php signal that someone is checking for misconfigurations or forgotten development files. If these files are found, they could reveal sensitive data that helps the attacker launch a more targeted attack.
While the missing files in your logs mean you're currently safe from this specific attempt, the frequency of these requests suggests that your website is being probed. This is a clear sign that you need to ensure your security is up to date.
Steps to Protect Your Website
- Regularly Review Your Logs
As seen in your logs, frequent probing for non-existent files could indicate someone is trying to exploit potential vulnerabilities. Keep an eye on these patterns in your server logs. If you notice repeated attempts from the same IP address or suspicious file requests, it may be worth blocking these IPs or tightening your security rules.
- Disable Sensitive Files in Production
Files like phpinfo.php should never be accessible on production servers. If such files are needed during development, ensure they are removed or protected before going live. It's also a good practice to configure your web server to deny access to development or debug files.
- Hide PHP Version Information
PHP can be configured to hide version information in the headers it sends back to users. An attacker who knows your exact PHP version can tailor their attacks to exploit known vulnerabilities in that version. To hide this, set expose_php = Off in your php.ini file. This makes it harder for attackers to fingerprint your setup.
- Secure Your Web Application Firewall (WAF)
A WAF can help block common fingerprinting attempts by analyzing incoming traffic patterns and stopping malicious requests before they reach your server. It acts as a shield, filtering out suspicious activity based on pre-configured rules. Configuring your WAF correctly can significantly reduce the chances of a successful fingerprinting attempt.
- Keep Software Updated
Keeping your web server, PHP, and all other related software updated is critical. Security patches are released frequently to fix vulnerabilities, and running outdated software makes you an easier target. Regular updates are one of the most important defenses against fingerprinting and other forms of attack.
- Remove Unused Files and Scripts
During development, it's common to leave behind old files that aren't used anymore. These files can become entry points for attackers if left on the server. Make a habit of cleaning up after every deployment by removing old scripts, configurations, and logs that are no longer needed.
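The log review from the first step above, as an added example that is not part of the original article: a Python script that parses error-log lines in the format shown earlier and flags clients that request several different missing scripts within a short time window. The sample log lines, the IP addresses, the threshold of three scripts and the five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Matches the Apache/PHP "script not found" error line format shown in the article.
# The greedy client group backtracks to the last colon, so IPv6 clients parse too.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[php:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[^\]]+):\d+\] "
    r"script '(?P<path>[^']+)' not found or unable to stat"
)

def parse(lines):
    """Yield (timestamp, client_ip, script_name) for each missing-script entry."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, m["ip"], PurePosixPath(m["path"]).name

def find_probers(lines, min_distinct=3, window=timedelta(minutes=5)):
    """Return {ip: sorted script names} for clients that requested at least
    min_distinct different missing scripts inside one sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, name in parse(lines):
        by_ip[ip].append((ts, name))
    flagged = defaultdict(set)
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop hits that fell out of the window
            names = {n for _, n in hits[start:end + 1]}
            if len(names) >= min_distinct:
                flagged[ip] |= names
    return {ip: sorted(names) for ip, names in flagged.items()}

# Constructed sample input (documentation IP ranges, made-up pids and ports).
SAMPLE_LOG = """\
[Sun Oct 13 02:43:01.043069 2024] [php:error] [pid 1001:tid 1001] [client 203.0.113.7:62815] script '/var/www/html/frontend_dev.php' not found or unable to stat
[Sun Oct 13 02:43:51.511184 2024] [php:error] [pid 1002:tid 1002] [client 203.0.113.7:51922] script '/var/www/html/info.php' not found or unable to stat
[Sun Oct 13 02:44:08.470687 2024] [php:error] [pid 1003:tid 1003] [client 203.0.113.7:54523] script '/var/www/html/phpinfo.php' not found or unable to stat
[Sun Oct 13 09:10:00.000001 2024] [php:error] [pid 1004:tid 1004] [client 198.51.100.20:40000] script '/var/www/html/old_page.php' not found or unable to stat
[Sun Oct 13 02:50:00.000001 2024] [php:error] [pid 1005:tid 1005] [client 2001:db8::9:40100] script '/var/www/html/info.php' not found or unable to stat
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_probers(SAMPLE_LOG).items():
        print(f"{ip} probed {len(names)} missing scripts: {', '.join(names)}")
```

A client with a single 404-style miss, such as a visitor following a stale link, stays below the threshold and is not flagged.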
Additional Measures You Might Be Missing
- Restrict Access to Admin Pages: If you have admin or control panel pages (e.g., /admin), consider restricting access based on IP or requiring two-factor authentication (2FA). These pages are often the first target of attackers.
- Rate-Limit Requests: Implement rate limiting to prevent attackers from making too many requests in a short period. This makes it harder for them to scan your site without being detected.
- Monitor for Unusual Activity: Implement monitoring tools that alert you when there is an unusual spike in traffic or error logs. Being aware of attacks early allows you to take preventive action.
- Use HTTPS Everywhere: Ensure all pages on your site are served over HTTPS. This protects the data exchanged between your server and users, making it harder for attackers to intercept traffic or launch certain attacks like man-in-the-middle (MITM).
Finally
Fingerprinting is often the first step in a larger attack. While the logs you’ve shared show that no damage has been done yet, it’s important to treat these probes seriously. Strengthening your defenses now—through secure configurations, software updates, and access controls—will make it harder for attackers to gather useful information and, ultimately, exploit any vulnerabilities.
Staying vigilant is key. Regularly audit your server and codebase, check for outdated or unnecessary files, and monitor for unusual activity. These small but essential steps can keep your website safer in the long run.