kofal...@umn.edu wrote:
Hello!
I am a relatively inexperienced Apache administrator, running a small
public website. Traffic is extremely low, and in general the site runs
fine.
However, I have noticed huge, automated vulnerability scans from
random IP addresses. Typically a single IP will request several
thousand invalid addresses over the course of a few minutes, wait a
few minutes, and try again, scanning for things like phpMyAdmin and
other tools that I presume could commonly be left unsecured by
accident. Below is a brief excerpt from my error logs, with redundant
requests removed. (I've also censored my www folder location):
[Tue Nov 10 13:50:59 2009] [error] [client 206.210.109.21] File does
not exist: ...www/phpmyadmin
[Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does
not exist: ...www/php-my-admin
[Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does
not exist: ...www/phpMyAdmin-2.2.3
[Tue Nov 10 13:51:19 2009] [error] [client 206.210.109.21] File does
not exist: ...www/phpMyAdmin-2.8.2
[Tue Nov 10 13:51:20 2009] [error] [client 206.210.109.21] File does
not exist: ...www/admin
[Tue Nov 10 13:51:43 2009] [error] [client 206.210.109.21] File does
not exist: ...www/mysql
[Tue Nov 10 13:52:02 2009] [error] [client 206.210.109.21] File does
not exist: ...www/sql
[Tue Nov 10 13:52:25 2009] [error] [client 206.210.109.21] File does
not exist: ...www/database
Most of these bots tend to hit the same URLS, and some also try to
execute common scripts:
[Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script
'...www/dbadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script
'...www/myadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script
'...www/mysqlmain.php' not found or unable to stat
[Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script
'...www/mysqladminmain.php' not found or unable to stat
[Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script
'...www/phpadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script
'...www/phpmyadminmain.php' not found or unable to stat
[Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script
'...www/phpmyadmin1main.php' not found or unable to stat
[Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script
'...www/phpmyadmin2main.php' not found or unable to stat
[Sat Nov 07 08:32:12 2009] [error] [client 134.106.13.97] script
'...www/pmamain.php' not found or unable to stat
At best, this is instructive in which locations are commonly
exploited, but this spam outweighs legitimate traffic! I end up with
4MB log files, while the access log file is maybe 40kB. It looks like
these dolts hit "http://random.yahoo.com/fast/ryl"; (based on the
referrer tag) and continuously scan the net. What I would like is to
dynamically deny IP addresses based on certain criteria. These bots
always generate a ton of 404 responses and hit common invalid URLs,
something legitimate clients will never do.
What would would be perfect is a module that watches for conditions
like these, and if they trigger, drops requests from that IP for the
next 24 hours. For example. if anybody requests "phpmyadmin" at all, I
don't want the server to even respond (just drop the request, no 404)
for awhile, even to legitimate requests. Preferably, it would also log
the block action as well.
I can only assume this problem has been tackled before, so maybe
that's the wrong approach. If that is the case, what is a low
CPU/bandwidth solution to this problem?
Thanks for your assistance!
Nathaniel Kofalt
Anyone have an idea for this?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
