Seeing a lot of hits by bots or people against my www server, can I block them?
So I have set up a test site and it seems that bots or someone are trying to hit various pages that are not on the server.
Is there a way to block the IP etc.? I am running fail2ban and DenyHosts but am not sure how to get them to read the access_log file. Or even if that is the correct application to use. Thanx |
Maybe a way to do that would be to tell the kernel through iptables to drop packets from a specified address. Check this website for configuration:
http://nixcraft.com/getting-started-...p-address.html Anyway, if this is the product of some botnet, it won't change much to block some addresses. PS: No experience with fail2ban :( Good luck! |
What I was expecting to see, from the thread title, was that you were getting a lot of hits as people were trying to dictionary attack/brute force ssh. You are getting problems only for http. Is this correct? Any chance of posting any samples of what you are seeing (with your own IP obfuscated)? |
I get many ssh hits too but fail2ban gets those.
This is from logwatch. This is just a test site for me while I develop it, so I want to be sure it is secure. It looks ok but I want to have as much in place before I put this on a club www site I am developing.

--------------------- httpd Begin ------------------------

Requests with error response codes
   400 Bad Request
      /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
   404 Not Found
      /admin/scripts/setup.php: 1 Time(s)
      /dbadmin/scripts/setup.php: 1 Time(s)
      /favicon.ico: 2 Time(s)
      /mysql-admin/scripts/setup.php: 1 Time(s)
      /mysql/scripts/setup.php: 1 Time(s)
      /mysqladmin/scripts/setup.php: 2 Time(s)
      /p/m/a/scripts/setup.php: 1 Time(s)
      /php-my-admin/scripts/setup.php: 1 Time(s)
      /php-myadmin/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.2.3/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.2.6/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.5/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.6-rc1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.6-rc2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.6/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.7-pl1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.5.7/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0-alpha/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0-alpha2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0-beta1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0-beta2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0-pl1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0-rc1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0-rc3/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.0/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.1-pl2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.1-pl3/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.1-rc2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.2-beta1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.2-pl1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.2-rc1/scripts/setup.php: 2 Time(s)
      /phpMyAdmin-2.6.2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.3-rc1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.3/scripts/setup.php: 2 Time(s)
      /phpMyAdmin-2.6.4-pl1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.4-pl2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.4-pl3/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.4-pl4/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.6.4-rc1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.7.0-pl1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.7.0-pl2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.7.0-rc1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.7.0/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.0-rc1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.0-rc2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.0.1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.0.2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.0.3/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.0.4/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.1-rc1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.1/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2.8.2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin-2/scripts/setup.php: 1 Time(s)
      /phpMyAdmin/scripts/setup.php: 1 Time(s)
      /phpadmin/scripts/setup.php: 1 Time(s)
      /phpmy-admin/scripts/setup.php: 1 Time(s)
      /phpmyadmin/scripts/setup.php: 2 Time(s)
      /phpmyadmin1/scripts/setup.php: 1 Time(s)
      /phpmyadmin2/scripts/setup.php: 1 Time(s)
      /pma/scripts/setup.php: 1 Time(s)
      /pma2005/scripts/setup.php: 1 Time(s)
      /sqlmanager/scripts/setup.php: 1 Time(s)
      /sqlweb/scripts/setup.php: 1 Time(s)
      /typo3/phpmyadmin/scripts/setup.php: 1 Time(s)
      /upgrade.php: 1 Time(s)
      /w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)
      /web/scripts/setup.php: 1 Time(s)
      /webadmin/scripts/setup.php: 1 Time(s)
      /webdb/scripts/setup.php: 1 Time(s)
      /websql/scripts/setup.php: 2 Time(s)
      /xampp/phpmyadmin/scripts/setup.php: 1 Time(s)
   503 Service Unavailable
      /: 1 Time(s)
      /index.php: 3 Time(s) |
That looks distinctly like a scripted attack on all of the likely admin tools (phpMyAdmin) with all plausible spellings (phpMyAdmin, php-my-admin, phpmy-admin, phpmyadmin2...) that you might have left unsecured.
Does this list of attempts to force the door handles all come from one IP (if so, blocking that one IP gives some immediate relief... until another IP is tried... but it is manageable for a small number of IPs or IP ranges if you look at logs frequently enough to catch developing threats)? If this is from a scattering of IPs, blocking IPs one by one is a bit more problematic. That is where things like DenyHosts and fail2ban become more useful; you don't have to know the IP in advance, nor do you have to personally trawl through log files on a short time period in order to get some protection. The danger is that you can do what, in retrospect, was obviously 'a bit too paranoid' stuff that locks more than just the bad guys out. |
I looked at the access log but don't see any IPs in there for those requests. How or where can I look for those?
Maybe I am looking at the wrong logfile? |
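In an Apache or nginx access_log written in the common "combined" format, the client IP is the first field of every line, so the IPs behind the logwatch summary above can be recovered from the raw log rather than from the logwatch report. The following is an added example (not code from this thread or from fail2ban/logwatch) that parses such lines, flags the probe requests seen in the report (error responses to `.../scripts/setup.php` and `/w00tw00t.*` paths), counts them per IP, and lists the IPs that cross a threshold. The log format regex, the threshold, and the sample log lines are assumptions; the sample lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter, defaultdict

# "Combined" log format; the client IP is the first field. This regex is an
# assumption about the server's LogFormat, since the thread shows no raw lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that only a scanner asks for on a site that does not host them.
# Both patterns come from the logwatch output in this thread.
PROBE_PATTERNS = (
    re.compile(r'/scripts/setup\.php$'),
    re.compile(r'^/w00tw00t\.'),
)

# Constructed sample log, not real traffic (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges). One scanner, one normal visitor, one single probe,
# and one line that is not in combined format at all.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2010:18:01:02 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [12/Mar/2010:18:01:03 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 290 "-" "-"
203.0.113.7 - - [12/Mar/2010:18:01:03 -0500] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 290 "-" "-"
203.0.113.7 - - [12/Mar/2010:18:01:04 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 290 "-" "-"
198.51.100.9 - - [12/Mar/2010:18:05:10 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2010:18:05:11 -0500] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2010:18:07:00 -0500] "GET /mysql/scripts/setup.php HTTP/1.1" 404 290 "-" "-"
this line is not in combined format and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path, status):
    """True for an error response (4xx/5xx) to a path that matches a known scanner pattern."""
    if not status.startswith(('4', '5')):
        return False
    return any(p.search(path) for p in PROBE_PATTERNS)


def probe_counts(log_text):
    """Count probe requests per client IP and remember which paths each IP tried."""
    counts = Counter()
    paths = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line, so it carries no client IP
        if is_probe(rec['path'], rec['status']):
            counts[rec['ip']] += 1
            paths[rec['ip']].add(rec['path'])
    return counts, paths


def block_candidates(log_text, threshold=3):
    """IPs with at least `threshold` probes: the ones to consider for an iptables DROP or a fail2ban ban."""
    counts, _ = probe_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    counts, paths = probe_counts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f'{ip}: {n} probe(s) -> {sorted(paths[ip])}')
    print('block candidates:', block_candidates(SAMPLE_LOG))
```

Run it against a real log with `probe_counts(open('/var/log/httpd/access_log').read())`, adjusting the path to where the server writes the log. The threshold matters for the "too paranoid" risk raised earlier in the thread: a single 404 on `/favicon.ico` from a browser is not counted at all, and one stray probe from an address does not reach the cut-off, so only addresses that walk through several admin-tool paths are listed. A fail2ban filter does the same kind of match with a `failregex` containing the `<HOST>` placeholder and is pointed at the access log by a jail's `logpath`; the patterns above are the ones to express in that regex.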
OK, I will have a look into that and post back. |