kofal002@xxxxxxx wrote:
Hello!I am a relatively inexperienced Apache administrator, running a small public website. Traffic is extremely low, and in general the site runs fine.However, I have noticed huge, automated vulnerability scans from random IP addresses. Typically a single IP will request several thousand invalid addresses over the course of a few minutes, wait a few minutes, and try again, scanning for things like phpMyAdmin and other tools that I presume could commonly be left unsecured by accident. Below is a brief excerpt from my error logs, with redundant requests removed. (I've also censored my www folder location):[Tue Nov 10 13:50:59 2009] [error] [client 206.210.109.21] File does not exist: ...www/phpmyadmin [Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does not exist: ...www/php-my-admin [Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does not exist: ...www/phpMyAdmin-2.2.3 [Tue Nov 10 13:51:19 2009] [error] [client 206.210.109.21] File does not exist: ...www/phpMyAdmin-2.8.2 [Tue Nov 10 13:51:20 2009] [error] [client 206.210.109.21] File does not exist: ...www/admin [Tue Nov 10 13:51:43 2009] [error] [client 206.210.109.21] File does not exist: ...www/mysql [Tue Nov 10 13:52:02 2009] [error] [client 206.210.109.21] File does not exist: ...www/sql [Tue Nov 10 13:52:25 2009] [error] [client 206.210.109.21] File does not exist: ...www/databaseMost of these bots tend to hit the same URLS, and some also try to execute common scripts:[Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script '...www/dbadminmain.php' not found or unable to stat [Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script '...www/myadminmain.php' not found or unable to stat [Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script '...www/mysqlmain.php' not found or unable to stat [Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script '...www/mysqladminmain.php' not found or unable to stat [Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script '...www/phpadminmain.php' not found or unable to stat [Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script '...www/phpmyadminmain.php' not found or unable to stat [Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script '...www/phpmyadmin1main.php' not found or unable to stat [Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script '...www/phpmyadmin2main.php' not found or unable to stat [Sat Nov 07 08:32:12 2009] [error] [client 134.106.13.97] script '...www/pmamain.php' not found or unable to statAt best, this is instructive in which locations are commonly exploited, but this spam outweighs legitimate traffic! I end up with 4MB log files, while the access log file is maybe 40kB. It looks like these dolts hit "http://random.yahoo.com/fast/ryl"; (based on the referrer tag) and continuously scan the net. What I would like is to dynamically deny IP addresses based on certain criteria. These bots always generate a ton of 404 responses and hit common invalid URLs, something legitimate clients will never do.What would would be perfect is a module that watches for conditions like these, and if they trigger, drops requests from that IP for the next 24 hours. For example. if anybody requests "phpmyadmin" at all, I don't want the server to even respond (just drop the request, no 404) for awhile, even to legitimate requests. Preferably, it would also log the block action as well.I can only assume this problem has been tackled before, so maybe that's the wrong approach. If that is the case, what is a low CPU/bandwidth solution to this problem?Thanks for your assistance! Nathaniel Kofalt
Anyone have an idea for this? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|