what should be limit to use for IPTABLE rate limiting for a webserver

jamesbon · 02-04-2011, 01:22 AM

I see on my webserver some logs as follows

Quote:

203.252.157.98 - :25:02 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:03 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:03 "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:04 "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:05 "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:06 "GET //phppgadmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:06 "GET //PMA/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:07 "GET //admin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:08 "GET //MyAdmin/ HTTP/1.1" 404 392 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:36 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:42 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:42 "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:43 "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - - "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

and some more as follows

Quote:

118.219.234.254 - - [19/Oct/2010:22:57:41 "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:41 "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42 "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42 "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:43 "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44 "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44 "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45 "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45 "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:51 "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52 "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52 "GET /admin/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:53 "GET /db/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54 "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 402 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54 "GET /myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55 "GET /mysql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55 "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56 "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56 "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57 "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57 "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58 "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58 "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59 "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59 "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:00 "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01 "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01 "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:02 "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

I have 2 questions
1) When such an attack happens on my site then while such scanning is going on how do I detect it? (In a very less time)
2)I have decided to rate limit the IPTABLES so as to reduce such DOS attacks by some script kiddies (to scan for vulnerabilities in phpmyadmin or some other script) to some extent.So how much should it be limited so that genuine users do not get kicked out.What is the best practise for question 2?

rosv · 02-04-2011, 03:07 AM

Hi,
1. Making sure that you're not vulnerable to the most common default configuration/old software security holes is probabaly the easiest way to stay out of trouble. "Attacks" like these will always take place but won't be a big deal of you've done your configuration correctly.

Noway2 · 02-04-2011, 04:41 AM

You might like the application called fail2ban. Instead of rate limiting the connections, which could and probably will impact valid users, you can target the script kiddies directly. I too received an attempt to locate myadmin on my site, which I do have, but it is not accessible via a public interface; the important point being that their URL guessing FAILS. With fail2ban, too many attempts to access invalid URL will result in a temporary blockage of their IP address. >99.99% of the time this is sufficient to make them go away.

Here is a log output from my fail2ban from yesterday which stopped this same activity cold:

Code:

2011-02-03 15:16:23,830 fail2ban.actions: WARNING [apache] Ban 82.208.56.105
2011-02-03 15:16:24,852 fail2ban.actions: WARNING [apache] 82.208.56.105 already banned

This particular one managed to get more connection attempts than normal before fail2ban was able to stop them, 19 total, but this occurred in about a two second window. Notice that the fail2ban log tried to ban them twice, which was based upon the number of log entries, but once triggered the first time they were shut down. See the following error logs:

Code:

[Thu Feb 03 15:16:21 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/scripts
[Thu Feb 03 15:16:21 2011] [error] [client 82.208.56.105] Re-negotiation request failed
[Thu Feb 03 15:16:21 2011] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/pma
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/mysql
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/phpMyAdmin
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/scripts
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] Re-negotiation request failed
[Thu Feb 03 15:16:22 2011] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/pma
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/mysql
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www/scripts
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/phpMyAdmin
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] access to /usr/share/phpmyadmin/scripts failed, reason: SSL connection required
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/pma
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/mysql
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/phpMyAdmin
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/scripts
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] access to /usr/share/phpmyadmin/scripts failed, reason: SSL connection required
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/pma
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/mysql