My website came under attack today. Two IP addresses in Austria were making a determined attempt to do what looked like an SQL injection (or a JavaScript injection, which would have to be based on some known vulnerability...) using both my contact form, and the credit-card order form. I receive an email for each of these, so I was receiving thousands of emails.
I ssh'ed into the account, and altered my .htaccess files to block them, but it didn't work. I'm not sure why; maybe I got the wrong .htaccess file or maybe it didn't work due to an already established connection. Or maybe some other reason.
So, I tried to set an iptables rule. Oops, no root access and a shared hosting environment.
So I called my hosting provider (Bluehost). They were singularly unhelpful; they would upsell me to a VPS package which would give me root, but they wouldn't do anything else. They seemed to have a problem with the fact that mine is a site that I wrote from end to end in PHP, not a WordPress or Weebly site. Frankly, if it had been one of those, it likely would have been cracked by this attack, but I am security-focused, and my site didn't break.
So, after Bluehost demonstrated a manifest lack of interest in addressing attacks on sites they host, I decided the quickest way to proceed was to directly alter the scripts that were being attacked.
So, I added this line to each script:
if (preg_match('/^185\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_SERVER['REMOTE_ADDR'])) exit; // drop any request from 185.0.0.0/8 before the form is processed
Quick, dirty, and blocks a big chunk of Europe. But effective in stopping the attack.
I suppose the best thing for me to do is to rate-limit access to these forms. Maybe 1 per minute maximum. That will take a bit of work, but I suppose it must be done...unless someone here has a better idea?
In the meanwhile, I considered it worth mentioning that Bluehost is singularly useless in helping their customers mitigate attacks. That is information worth knowing and passing around.
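As an added example (not the poster's code), here is what the two mitigations discussed above look like in a PHP form handler on shared hosting: a CIDR block list that matches only the offending range instead of all of 185.0.0.0/8, and a one-submission-per-minute limit per IP, stored in one small file per address and serialised with flock(). The block list entry, the state directory and the assumption that REMOTE_ADDR is the client address (no reverse proxy in front of the site) are placeholders and assumptions, not values from the post.

```php
<?php
// Added example: per-IP rate limit and CIDR block list for a form handler.
// Assumes a writable directory outside the web root ($stateDir is a placeholder)
// and that $_SERVER['REMOTE_ADDR'] is the real client address (no reverse proxy).
declare(strict_types=1);

const RATE_LIMIT_SECONDS = 60;           // at most one submission per minute per IP
const BLOCKED_CIDRS = ['192.0.2.0/24'];  // placeholder range (RFC 5737 documentation prefix)

// True if $ip (IPv4 only) falls inside $cidr, e.g. "203.0.113.0/24".
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) return false;   // IPv6 or garbage: no match
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipL & $mask) === ($netL & $mask);
}

function isBlocked(string $ip): bool {
    foreach (BLOCKED_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) return true;
    }
    return false;
}

// Returns true if this IP may submit now, false if it submitted too recently.
// One file per IP holds the last accepted timestamp; flock() serialises
// concurrent requests from the same address so the check cannot be raced.
function allowSubmission(string $ip, string $stateDir, int $now): bool {
    $file = $stateDir . '/rl_' . hash('sha256', $ip);   // hashed: no raw IPs on disk
    $fh = fopen($file, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) return false;   // fail closed
    $last = (int) trim((string) stream_get_contents($fh));
    $allowed = ($now - $last) >= RATE_LIMIT_SECONDS;
    if ($allowed) {
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, (string) $now);
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Usage at the top of the contact / order form handler (placeholder path):
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
if (isBlocked($ip) || !allowSubmission($ip, '/home/example/private/ratelimit', time())) {
    http_response_code(429);   // refuse quietly; no notification email is generated
    exit;
}
```

The state files accumulate one per distinct address, so a cron job that deletes entries older than a day keeps the directory small.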