Re: Dynamically block certain requests on trigger?

kofal002@xxxxxxx wrote:
Hello!
I am a relatively inexperienced Apache administrator, running a small public website. Traffic is extremely low, and in general the site runs fine.

However, I have noticed huge, automated vulnerability scans from random IP addresses. Typically a single IP will request several thousand invalid addresses over the course of a few minutes, wait a few minutes, and try again, scanning for things like phpMyAdmin and other tools that I presume could commonly be left unsecured by accident. Below is a brief excerpt from my error logs, with redundant requests removed. (I've also censored my www folder location):

[Tue Nov 10 13:50:59 2009] [error] [client 206.210.109.21] File does not exist: ...www/phpmyadmin
[Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does not exist: ...www/php-my-admin
[Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does not exist: ...www/phpMyAdmin-2.2.3
[Tue Nov 10 13:51:19 2009] [error] [client 206.210.109.21] File does not exist: ...www/phpMyAdmin-2.8.2
[Tue Nov 10 13:51:20 2009] [error] [client 206.210.109.21] File does not exist: ...www/admin
[Tue Nov 10 13:51:43 2009] [error] [client 206.210.109.21] File does not exist: ...www/mysql
[Tue Nov 10 13:52:02 2009] [error] [client 206.210.109.21] File does not exist: ...www/sql
[Tue Nov 10 13:52:25 2009] [error] [client 206.210.109.21] File does not exist: ...www/database

Most of these bots tend to hit the same URLS, and some also try to execute common scripts:

[Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script '...www/dbadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script '...www/myadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script '...www/mysqlmain.php' not found or unable to stat
[Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script '...www/mysqladminmain.php' not found or unable to stat
[Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script '...www/phpadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script '...www/phpmyadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script '...www/phpmyadmin1main.php' not found or unable to stat
[Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script '...www/phpmyadmin2main.php' not found or unable to stat
[Sat Nov 07 08:32:12 2009] [error] [client 134.106.13.97] script '...www/pmamain.php' not found or unable to stat

At best, this is instructive in which locations are commonly exploited, but this spam outweighs legitimate traffic! I end up with 4MB log files, while the access log file is maybe 40kB. It looks like these dolts hit "http://random.yahoo.com/fast/ryl" (based on the referrer tag) and continuously scan the net. What I would like is to dynamically deny IP addresses based on certain criteria. These bots always generate a ton of 404 responses and hit common invalid URLs, something legitimate clients will never do.

What would be perfect is a module that watches for conditions like these, and if they trigger, drops requests from that IP for the next 24 hours. For example, if anybody requests "phpmyadmin" at all, I don't want the server to even respond (just drop the request, no 404) for a while, even to legitimate requests. Preferably, it would also log the block action as well.

I can only assume this problem has been tackled before, so maybe that's the wrong approach. If that is the case, what is a low CPU/bandwidth solution to this problem?

Thanks for your assistance!
Nathaniel Kofalt

Anyone have an idea for this?
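
The detection half of what the post asks for, as an added example that is not part of the thread and not code from the Apache project: it parses error-log lines in the 2.2 format quoted above, counts missing-file errors per client inside a sliding window, treats any request for a name containing "phpmyadmin" as an immediate trigger, and renders the result as Apache 2.2 "Deny from" lines with a 24-hour expiry in a comment. The window size, threshold, tripwire list, "/srv/www" document root and the sample log lines are all assumptions chosen for the example, not values from the post; the two scanner IPs are the ones the post shows, and 192.0.2.10 is a constructed legitimate client that must not be blocked.

```python
"""Flag scanner IPs from Apache 2.2 error-log lines and emit a block list.

Added example for the thread above; not Apache project code. All
thresholds, paths and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2 default error-log layout, as quoted in the post.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
# The two messages httpd logs when a request maps to nothing on disk.
MISSING_RE = re.compile(
    r"File does not exist: (?P<path>\S+)|script '(?P<spath>[^']+)' not found"
)

# Hypothetical tuning knobs; pick values for your own traffic profile.
WINDOW = timedelta(minutes=5)    # sliding window for counting missing-file hits
THRESHOLD = 5                    # hits inside WINDOW that mark an IP as a scanner
BLOCK_FOR = timedelta(hours=24)  # how long the generated block should last
# Name fragments a legitimate visitor of this particular site never requests.
TRIPWIRES = ("phpmyadmin", "php-my-admin")


def parse_line(line):
    """Return (timestamp, client ip, requested path) for a missing-file error, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    mm = MISSING_RE.search(m.group("msg"))
    if not mm:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), mm.group("path") or mm.group("spath")


def find_scanners(lines):
    """Return {ip: (reason, block_until)} for clients that trip either rule."""
    recent = defaultdict(deque)  # ip -> timestamps of missing-file hits inside WINDOW
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not an error line we care about
        ts, ip, path = parsed
        if ip in blocked:
            continue                      # already decided; keep first reason/expiry
        name = path.rsplit("/", 1)[-1].lower()
        if any(t in name for t in TRIPWIRES):
            blocked[ip] = ("tripwire:" + name, ts + BLOCK_FOR)
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked[ip] = ("%d missing-file hits in %s" % (len(q), WINDOW), ts + BLOCK_FOR)
    return blocked


def deny_directives(blocked):
    """Render Apache 2.2 'Deny from' lines; the comment records reason and expiry."""
    return ["# %s until %s\nDeny from %s" % (reason, until.isoformat(), ip)
            for ip, (reason, until) in sorted(blocked.items())]


# Constructed sample log: two scanners from the post plus one legitimate client.
SAMPLE_LOG = [
    "[Tue Nov 10 13:50:12 2009] [notice] Apache/2.2 configured -- resuming normal operations",
    "[Tue Nov 10 13:50:59 2009] [error] [client 206.210.109.21] File does not exist: /srv/www/phpmyadmin",
    "[Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does not exist: /srv/www/php-my-admin",
    "[Tue Nov 10 13:51:20 2009] [error] [client 206.210.109.21] File does not exist: /srv/www/admin",
    "[Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script '/srv/www/dbadminmain.php' not found or unable to stat",
    "[Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script '/srv/www/myadminmain.php' not found or unable to stat",
    "[Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script '/srv/www/mysqlmain.php' not found or unable to stat",
    "[Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script '/srv/www/mysqladminmain.php' not found or unable to stat",
    "[Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script '/srv/www/phpadminmain.php' not found or unable to stat",
    "[Tue Nov 10 14:05:00 2009] [error] [client 192.0.2.10] File does not exist: /srv/www/favicon.ico",
    "[Tue Nov 10 14:15:00 2009] [error] [client 192.0.2.10] File does not exist: /srv/www/apple-touch-icon.png",
]

if __name__ == "__main__":
    print("\n".join(deny_directives(find_scanners(SAMPLE_LOG))))
```

Run against a live error_log it will only ever see the first minute of a scan before the IP is already on the list, which is the point: the generated lines can be written to a file pulled in with Include, followed by a graceful restart, and a cron job can drop entries whose expiry comment has passed. Blocking at the firewall (the "don't even respond" the post asks for) needs the same list fed to the packet filter instead; Apache itself can only answer with 403, not stay silent.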

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

