How to use .htaccess to redirect Chinese hacking attempts?
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
My server (CentOS 5.4) is being bombarded 24x7 with IP addresses from China trying to exploit phpMyAdmin. For every one I block on the firewall, half a dozen come to the funeral! It's a pity these morons don't have something better to occupy their time. I'm getting page after page of this (see below) every day and it's been going on for weeks. I don't even have phpMyAdmin on the server. I don't use it and I deleted it.
I've read that you can use .htaccess and / or mod_rewrite to redirect / block them based on any query for phpMyAdmin (they try all letters in upper and lower case, leading to page after page). Unfortunately, I have no idea of how to do this. I already have an .htaccess file. Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to cause them maximum problems. I don't want to block the entire country, seems a bit like overkill, not all Chinese are morons. We aren't even in the USA, so why they are doing this is beyond me.
A TINY sample!
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.2
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.3
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.4
[Sun Aug 08 13:29:09 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.5
[Sun Aug 08 13:29:09 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.6
[Sun Aug 08 13:29:09 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.7
[Sun Aug 08 13:29:10 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.8
[Sun Aug 08 13:29:10 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.9
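An added example of the .htaccess / mod_rewrite approach asked about above (this is not code from the thread or from any poster). It assumes Apache 2.2 with mod_rewrite loaded and `AllowOverride FileInfo` in effect for the DocumentRoot (`/var/www/corp` in the log lines, which is an assumption from the paths shown). Because `/var/www/corp/phpMyAdmin-2.7.2` and friends do not exist, Apache falls back to the nearest existing directory's .htaccess, so the rules below fire for every one of those probes:

```apache
# Added example, not part of the original thread.
# Assumes: Apache 2.2, mod_rewrite enabled, AllowOverride FileInfo for this directory.
RewriteEngine On

# Match "phpmyadmin" anywhere in the request path, case-insensitively ([NC]),
# so phpMyAdmin-2.7.2, /PHPMYADMIN/, /PhpMyAdmin/scripts/setup.php etc. all match.
# Extend the alternation (e.g. |myadmin) if the log shows other names being tried.
RewriteCond %{REQUEST_URI} (phpmyadmin) [NC]

# [F] answers 403 Forbidden straight away, before the filesystem lookup that
# currently produces the "File does not exist" error-log line; [L] stops
# rule processing. No redirect: a redirect costs a second request and sends
# the probe somewhere else, a flat 403 is the cheapest possible answer.
RewriteRule .* - [F,L]

# Replace the default 403 HTML page with a one-word body so each blocked probe
# costs a few bytes of bandwidth. Apache 2.2 accepts a quoted string here.
ErrorDocument 403 "Forbidden"
```

After adding this, the entries stop appearing in the error log and show up in the access log as 403s instead, which is the place to count them per client IP if you still want to feed the firewall.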
+1 for rewriting (or using mod_security?).
-1 for using DenyHosts (in the default setup). See why.
Quote:
Originally Posted by baldur2630
Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to to cause them maximum problems.
Sure you may be pissed off but that's not the way to handle things.
I'm already using DenyHosts for SSH, but I only use SSH on rare occasions so most of the time the port isn't open. I use a Smoothwall Express firewall as well as iptables.
I've put Bathory's offering into my .htaccess file. I'll check over the next day or two and let you know if it works, but it looks good.
Pissed off isn't a word I would use, I passed that already a few weeks ago. If I had MY way, it would be the death penalty for spammers and these spotty-faced morons with nothing better to do than try to deface other people's work.
IMO, the best tool for the job would be modsecurity (or any other IPS-like application).
And, no matter how you look at it, you're going to be wasting bandwidth; blocking is about the only thing you can do. Such traffic nowadays doesn't really constitute a huge waste issue, not when talking about web servers and the traffic they typically handle.