HowtoForge Forums > Linux Forums > Server Operation

#1  11th November 2012, 19:19  blinky
identifying threats and dealing with them appropriately

I'm very new to Ubuntu, so installing my own home-based web, file and mail server has been a truly incredibly fascinating experience. I've been amazed at the sheer number of hits my web server gets and I haven't told a soul it's up and running. (Other than my domain name registrar.)

Anyways, while having my tea after lunch today I happened to have a window open that was monitoring Apache's access.log, as I've been trying to eliminate a variety of bots lately.

Anyways, as I'm sitting there sipping my tea the screen is suddenly a flurry of activity and the following spews across the screen until I temporarily shut down the Apache server:
Code:
149.3.152.246 - - [11/Nov/2012:12:34:26 -0500] "GET /index.php HTTP/1.1" 404 392 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/pma/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/phpmyadmin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /db/index.php HTTP/1.1" 404 394 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /dbadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /myadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:29 -0500] "GET /mysql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:29 -0500] "GET /mysqladmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 404 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /phpadmin/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 399 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin1/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin2/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /pma/index.php HTTP/1.1" 404 395 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 403 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 403 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /web/index.php HTTP/1.1" 404 395 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /php-my-admin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /websql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 399 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpMyAdmin-2/index.php HTTP/1.1" 404 402 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /php-my-admin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.4/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:38 -0500] "GET /phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 410 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:38 -0500] "GET /phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:40 -0500] "GET  HTTP/1.1" 400 226 "-" "-"
Er... um... hello? WTF?

As near as I can figure out, something at 149.3.152.246 is banging away at my server trying to access phpMyAdmin but my server is configured such that it's at least sending back 404 error... if I'm reading this right.

I can plop that IP address in a "Deny from" statement in an .htaccess file, or I can block it on the router, but I would have thought something like fail2ban would have caught this.

Hmmmm... the fact that someone would try to access this piddly system is more amusing than the fact that I feel compelled to actually do anything about it.

What's the best way to deal with this sort of stuff?
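What the log excerpt in the post shows is a scanner enumerating the usual phpMyAdmin directory names and giving up with a malformed request once nothing answers. fail2ban only bans what an enabled filter matches, so a run of 404s is invisible to it unless a jail is written for exactly that pattern. The following detector, an added example that is neither fail2ban's code nor the poster's, shows what such a rule looks like: parse Apache combined-format lines, classify admin-panel probes (including the pathless 400 at the end), and flag an IP once its probes within a sliding window reach a threshold. The log lines in SAMPLE_LOG are constructed in the shape of the post's excerpt using documentation addresses (203.0.113.10, 198.51.100.7); the list of probed directory names, the threshold of 10 and the 60-second window are assumptions.

```python
"""Burst detector for admin-panel scans in an Apache access.log.

Added example for this thread; not fail2ban's code and not the poster's.
SAMPLE_LOG is constructed to mirror the excerpt in post #1; the probed
directory names, threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Directory names scanners try when hunting for database admin panels
# (assumed list: the names seen in the post plus a few common variants).
ADMIN_PROBE_RE = re.compile(
    r"/(?:phpmyadmin|php-my-admin|phpadmin|pma|myadmin|mysqladmin|mysql|dbadmin|db|websql)[^/]*/",
    re.IGNORECASE,
)

# Constructed sample: one scanner (203.0.113.10) and one ordinary visitor (198.51.100.7).
SAMPLE_LOG = """\
198.51.100.7 - - [11/Nov/2012:12:34:20 -0500] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:26 -0500] "GET /index.php HTTP/1.1" 404 392 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/pma/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/phpmyadmin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:28 -0500] "GET /db/index.php HTTP/1.1" 404 394 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:28 -0500] "GET /dbadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:28 -0500] "GET /myadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:29 -0500] "GET /mysql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:29 -0500] "GET /mysqladmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:30 -0500] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 404 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:30 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:31 -0500] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Nov/2012:12:34:31 -0500] "GET /missing.html HTTP/1.1" 404 300 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Nov/2012:12:34:32 -0500] "GET  HTTP/1.1" 400 226 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    # A malformed request line (the trailing 400 in the post) carries no path.
    rec["path"] = parts[1] if len(parts) >= 2 and parts[1].startswith("/") else ""
    return rec


def is_probe(rec):
    """True when a request looks like admin-panel discovery: an error status
    (400/401/404) on a path under one of the probed directory names, or a
    malformed request line with no path at all."""
    if rec["status"] not in (400, 401, 404):
        return False
    return rec["path"] == "" or ADMIN_PROBE_RE.search(rec["path"]) is not None


def scan_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window detector in the spirit of fail2ban's maxretry/findtime:
    report each IP whose probe count inside `window` reaches `threshold`,
    together with the time of the request that crossed the line."""
    recent = defaultdict(deque)  # ip -> timestamps of probes still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        stamps = recent[rec["ip"]]
        stamps.append(rec["time"])
        # Expire probes that fell out of the window; the one just appended never does.
        while rec["time"] - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["time"]
    return flagged


if __name__ == "__main__":
    for ip, when in scan_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: reached the probe threshold at {when:%H:%M:%S}, candidate for a block")
```

On the sample, only 203.0.113.10 is reported (its tenth probe lands at 12:34:31); the visitor's single 404 on a non-admin path never counts. The point of the window is the same as fail2ban's findtime: a handful of stray 404s spread over a day is normal traffic, a dozen admin-directory names in five seconds is a scanner, and a ban is only worth issuing for the latter.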
#2  12th November 2012, 01:19  pititis

Hello,

Yes, it's really annoying. Best way to deal with scan drones and crap with Apache?... I must say ModSecurity + CRS (core rule set). ModSecurity is a web application layer firewall. ModSecurity has tons of rules: you will find the base rules, optional and experimental ones (there are many third-party rules too).

I'm using some rules from the base set. Now in Ubuntu 12.04 you can install the module for Apache and the core rule set with:

Code:
apt-get install modsecurity-crs
Dealing with the configuration file can be hard, but you will find a recommended configuration file.

Cheers!

Last edited by pititis; 12th November 2012 at 01:32.