httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathaniel Kofalt <kofal...@umn.edu>
Subject [users@httpd] Re: Dynamically block certain requests on trigger?
Date Wed, 18 Nov 2009 23:59:13 GMT
kofal002@umn.edu wrote:
> Hello!
> I am a relatively inexperienced Apache administrator, running a small 
> public website. Traffic is extremely low, and in general the site runs 
> fine.
>
> However, I have noticed huge, automated vulnerability scans from 
> random IP addresses. Typically a single IP will request several 
> thousand invalid addresses over the course of a few minutes, wait a 
> few minutes, and try again, scanning for things like phpMyAdmin and 
> other tools that I presume could commonly be left unsecured by 
> accident. Below is a brief excerpt from my error logs, with redundant 
> requests removed. (I've also censored my www folder location):
>
> [Tue Nov 10 13:50:59 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/phpmyadmin
> [Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/php-my-admin
> [Tue Nov 10 13:51:05 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/phpMyAdmin-2.2.3
> [Tue Nov 10 13:51:19 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/phpMyAdmin-2.8.2
> [Tue Nov 10 13:51:20 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/admin
> [Tue Nov 10 13:51:43 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/mysql
> [Tue Nov 10 13:52:02 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/sql
> [Tue Nov 10 13:52:25 2009] [error] [client 206.210.109.21] File does 
> not exist: ...www/database
>
> Most of these bots tend to hit the same URLS, and some also try to 
> execute common scripts:
>
> [Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script 
> '...www/dbadminmain.php' not found or unable to stat
> [Sat Nov 07 08:32:08 2009] [error] [client 134.106.13.97] script 
> '...www/myadminmain.php' not found or unable to stat
> [Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script 
> '...www/mysqlmain.php' not found or unable to stat
> [Sat Nov 07 08:32:09 2009] [error] [client 134.106.13.97] script 
> '...www/mysqladminmain.php' not found or unable to stat
> [Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script 
> '...www/phpadminmain.php' not found or unable to stat
> [Sat Nov 07 08:32:10 2009] [error] [client 134.106.13.97] script 
> '...www/phpmyadminmain.php' not found or unable to stat
> [Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script 
> '...www/phpmyadmin1main.php' not found or unable to stat
> [Sat Nov 07 08:32:11 2009] [error] [client 134.106.13.97] script 
> '...www/phpmyadmin2main.php' not found or unable to stat
> [Sat Nov 07 08:32:12 2009] [error] [client 134.106.13.97] script 
> '...www/pmamain.php' not found or unable to stat
>
> At best, this is instructive in which locations are commonly 
> exploited, but this spam outweighs legitimate traffic! I end up with 
> 4MB log files, while the access log file is maybe 40kB. It looks like 
> these dolts hit "http://random.yahoo.com/fast/ryl" (based on the 
> referrer tag) and continuously scan the net. What I would like is to 
> dynamically deny IP addresses based on certain criteria. These bots 
> always generate a ton of 404 responses and hit common invalid URLs, 
> something legitimate clients will never do.
>
> What would would be perfect is a module that watches for conditions 
> like these, and if they trigger, drops requests from that IP for the 
> next 24 hours. For example. if anybody requests "phpmyadmin" at all, I 
> don't want the server to even respond (just drop the request, no 404) 
> for awhile, even to legitimate requests. Preferably, it would also log 
> the block action as well.
>
> I can only assume this problem has been tackled before, so maybe 
> that's the wrong approach. If that is the case, what is a low 
> CPU/bandwidth solution to this problem?
>
> Thanks for your assistance!
> Nathaniel Kofalt

Anyone have an idea for this?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message