LinuxQuestions.org


unix1adm 09-18-2010 06:53 PM

seeing a lot of hits by bots or people against my www server can i block them
 
So I have set up a test site and it seems that the bots or someone is trying to hit various pages that are not on the server.

Is there a way to block the ip etc?

I am running fail2ban and denyhosts but am not sure how to get them to read the access_log file, or even if that is the correct application to use.

Thanx

marco18 09-18-2010 09:12 PM

Maybe a way to do that would be to tell the kernel through iptables to drop packets from a specified address. Check this website for configuration:

http://nixcraft.com/getting-started-...p-address.html

Anyway, if this is the product of some botnet, it won't change much to block some addresses.

PS: No experience with fail2ban :(

Good Luck!

salasi 09-19-2010 04:31 AM

Quote:

Originally Posted by unix1adm (Post 4102094)
Is there a way to block the ip etc?

To get direct advice, you are going to have to supply more information. Are you getting hit from a single IP, a small group of IPs, or a wide spread of IPs with little relationship between them?

Quote:

Originally Posted by unix1adm (Post 4102094)
I am running fail2ban and deny hosts but not sure how to get them to read the access_log file. Or even if that is the correct application to use.

Either fail2ban or denyhosts ought to be useful in this circumstance. Both? I don't know if they can be made to work together. Possibly, possibly not. It would seem to be more useful to start by working with one and ensure that it is correctly configured and working as you expect. If there is a problem that you then can't cope with, then have a look at the other, see whether it works better for you.

Quote:

...it seems that the bots or someone is trying to hitting various pages that are not on the server.
Ensure that this is not just happening because of dangling links (i.e., links that point to a page that does not exist).

What I was expecting to see, from the thread title, was that you were getting a lot of hits as people were trying to dictionary attack/brute force ssh. You are getting problems only for http. Is this correct? Any chance of posting any samples of what you are seeing (with your own IP obfuscated)?

unix1adm 09-19-2010 09:43 AM

I get many ssh hits too but fail2ban gets those.

This is from logwatch. This is just a test site for me while I develop it, so I want to be sure it is secure. It looks OK, but I want to have as much in place as possible before I put this on a club www site I am developing.


--------------------- httpd Begin ------------------------

Requests with error response codes
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
404 Not Found
/admin/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
/favicon.ico: 2 Time(s)
/mysql-admin/scripts/setup.php: 1 Time(s)
/mysql/scripts/setup.php: 1 Time(s)
/mysqladmin/scripts/setup.php: 2 Time(s)
/p/m/a/scripts/setup.php: 1 Time(s)
/php-my-admin/scripts/setup.php: 1 Time(s)
/php-myadmin/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.2.3/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.2.6/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.5/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.6-rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.6-rc2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.6/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.7-pl1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.5.7/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0-alpha/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0-alpha2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0-beta1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0-beta2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0-pl1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0-rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0-rc3/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.0/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.1-pl2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.1-pl3/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.1-rc2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.2-beta1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.2-pl1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.2-rc1/scripts/setup.php: 2 Time(s)
/phpMyAdmin-2.6.2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.3-rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.3/scripts/setup.php: 2 Time(s)
/phpMyAdmin-2.6.4-pl1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.4-pl2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.4-pl3/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.4-pl4/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.6.4-rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.7.0-pl1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.7.0-pl2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.7.0-rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.7.0/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.0-rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.0-rc2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.0.1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.0.2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.0.3/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.0.4/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.1-rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.1/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2.8.2/scripts/setup.php: 1 Time(s)
/phpMyAdmin-2/scripts/setup.php: 1 Time(s)
/phpMyAdmin/scripts/setup.php: 1 Time(s)
/phpadmin/scripts/setup.php: 1 Time(s)
/phpmy-admin/scripts/setup.php: 1 Time(s)
/phpmyadmin/scripts/setup.php: 2 Time(s)
/phpmyadmin1/scripts/setup.php: 1 Time(s)
/phpmyadmin2/scripts/setup.php: 1 Time(s)
/pma/scripts/setup.php: 1 Time(s)
/pma2005/scripts/setup.php: 1 Time(s)
/sqlmanager/scripts/setup.php: 1 Time(s)
/sqlweb/scripts/setup.php: 1 Time(s)
/typo3/phpmyadmin/scripts/setup.php: 1 Time(s)
/upgrade.php: 1 Time(s)
/w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)
/web/scripts/setup.php: 1 Time(s)
/webadmin/scripts/setup.php: 1 Time(s)
/webdb/scripts/setup.php: 1 Time(s)
/websql/scripts/setup.php: 2 Time(s)
/xampp/phpmyadmin/scripts/setup.php: 1 Time(s)
503 Service Unavailable
/: 1 Time(s)
/index.php: 3 Time(s)

salasi 09-19-2010 10:12 AM

That looks distinctly like a scripted attack on all of the likely admin tools (phpMyAdmin) with all plausible spellings (phpMyAdmin, php-my-admin, phpmy-admin, phpmyadmin2...) that you might have left unsecured.

Does this list of attempts to force the door handles all come from one IP (if so, blocking that one IP gives some immediate relief... until another IP is tried... but it is manageable for a small number of IPs or IP ranges if you look at logs frequently enough to catch developing threats)? If this is from a scattering of IPs, blocking IPs one by one is a bit more problematic.

That is where things like denyhosts and fail2ban become more useful; you don't have to know the IP in advance, nor do you have to personally trawl through log files on a short time period in order to get some protection. The danger is that you can do what, in retrospect, was obviously 'a bit too paranoid' stuff that locks more than just the bad guys out.
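As an added illustration (not code from the thread or from fail2ban itself), a small Python script that does what the posters describe: it reads Apache access_log lines, which, unlike the logwatch summary, carry the client IP, counts the probe 404s per address and reports the addresses that crossed a threshold. The log lines below are constructed; the probe paths match the ones in the logwatch report above.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths only a scripted scanner asks for (taken from the logwatch report in the thread).
PROBE_RE = re.compile(r'/scripts/setup\.php$|^/w00tw00t\.')

# Constructed sample access_log lines (not from the poster's server); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2010:03:14:01 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 294 "-" "ZmEu"
203.0.113.7 - - [19/Sep/2010:03:14:02 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 294 "-" "ZmEu"
203.0.113.7 - - [19/Sep/2010:03:14:03 -0500] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 294 "-" "ZmEu"
198.51.100.9 - - [19/Sep/2010:03:20:10 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.44 - - [19/Sep/2010:09:41:17 -0500] "GET /index.php HTTP/1.1" 200 1872 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Sep/2010:09:41:18 -0500] "GET /favicon.ico HTTP/1.1" 404 294 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access_log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_hits_per_ip(log_text):
    """Count, per client IP, the 4xx responses to known probe paths (a missing favicon is not one)."""
    hits = Counter()
    paths = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"].startswith("4") and PROBE_RE.search(rec["path"]):
            hits[rec["ip"]] += 1
            paths[rec["ip"]].add(rec["path"])
    return hits, paths

def offenders(log_text, threshold=3):
    """IPs at or above the threshold: the same per-address decision fail2ban makes before banning."""
    hits, _ = probe_hits_per_ip(log_text)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    counts, seen = probe_hits_per_ip(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe hit(s) -> {sorted(seen[ip])}")
    print("over threshold:", offenders(SAMPLE_LOG))
```

Pointing the same logic at a real access_log answers salasi's question of whether the probes come from one address or many before any ban is configured.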

unix1adm 09-19-2010 02:11 PM

I looked at the access log but don't see any IPs in there for those requests. How or where can I look for those?

Maybe I am looking at the wrong logfile?

unSpawn 09-19-2010 02:48 PM

Quote:

Originally Posted by salasi (Post 4102531)
(..) that you might have left unsecured.

Please note it's a list of 404s.


Quote:

Originally Posted by salasi (Post 4102531)
That is where things like denyhosts and fail2ban become more useful

Since these are generic probes any HTTP host will see in its logs, and since the paths don't exist anyway, I think it would be best to use specific HTTP protection first, like mod_security, a reverse proxy, et cetera, and only then move on to more generic measures like fail2ban (or denyhosts, but only in firewall mode, not tcp_wrapper mode).

unix1adm 09-22-2010 08:21 AM

OK, I will have a look into that and post back.
