Strange lines in apache log file

Discussion in 'Installation/Configuration' started by Poliman, Jul 11, 2018.

  1. Poliman

    Poliman Member

    I have found some strange, suspicious lines in the apache2 error.log file:
    Code:
    [Wed Jul 11 07:08:53.377580 2018] [access_compat:error] [pid 23644] [client 95.213.177.126:23508] AH01797: client denied by server configuration: /var/www/html/azenv.php, referer: https://proxyradar.com/
    [Wed Jul 11 07:25:02.275370 2018] [access_compat:error] [pid 27360] [client 127.0.0.1:42868] AH01797: client denied by server configuration: /var/www/html/
    [Wed Jul 11 07:26:00.318693 2018] [access_compat:error] [pid 27362] [client 31.44.68.231:56767] AH01797: client denied by server configuration: /var/www/html/
    Argument ""-"" isn't numeric in numeric gt (>) at /usr/local/ispconfig/server/scripts/vlogger line 514, <STDIN> line 9930.
    [Wed Jul 11 07:30:03.308448 2018] [access_compat:error] [pid 28507] [client 127.0.0.1:45378] AH01797: client denied by server configuration: /var/www/html/
    Argument ""-"" isn't numeric in numeric gt (>) at /usr/local/ispconfig/server/scripts/vlogger line 514, <STDIN> line 10159.
    [Wed Jul 11 07:35:02.123708 2018] [access_compat:error] [pid 28354] [client 127.0.0.1:45906] AH01797: client denied by server configuration: /var/www/html/
    Argument ""-"" isn't numeric in numeric gt (>) at /usr/local/ispconfig/server/scripts/vlogger line 514, <STDIN> line 10526.
    [Wed Jul 11 09:45:02.832304 2018] [access_compat:error] [pid 30289] [client 127.0.0.1:33006] AH01797: client denied by server configuration: /var/www/html/
    Argument ""-"" isn't numeric in numeric gt (>) at /usr/local/ispconfig/server/scripts/vlogger line 514, <STDIN> line 43127.
    [Wed Jul 11 09:50:03.107373 2018] [access_compat:error] [pid 31610] [client 127.0.0.1:36622] AH01797: client denied by server configuration: /var/www/html/
    [Wed Jul 11 09:50:30.258789 2018] [access_compat:error] [pid 31488] [client 180.76.169.57:29813] AH01797: client denied by server configuration: /var/www/html/
    [Wed Jul 11 09:50:31.304638 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/index.php
    [Wed Jul 11 09:50:35.103734 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpMyAdmin
    [Wed Jul 11 09:50:35.437706 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/pmd
    [Wed Jul 11 09:50:35.759213 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/pma
    [Wed Jul 11 09:50:36.074528 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/PMA
    [Wed Jul 11 09:50:36.424256 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/PMA2
    [Wed Jul 11 09:50:36.820883 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/pmamy
    [Wed Jul 11 09:50:37.170095 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/pmamy2
    [Wed Jul 11 09:50:37.534929 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/mysql
    [Wed Jul 11 09:50:37.858185 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:38.240694 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/db
    [Wed Jul 11 09:50:38.643727 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/dbadmin
    [Wed Jul 11 09:50:38.994801 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/web
    [Wed Jul 11 09:50:39.362330 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:39.688122 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:40.003408 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:40.323003 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:40.708029 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:41.035145 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:41.442375 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/admin
    [Wed Jul 11 09:50:41.752679 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/mysqladmin
    [Wed Jul 11 09:50:42.139205 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/mysql-admin
    [Wed Jul 11 09:50:42.465923 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpadmin
    [Wed Jul 11 09:50:42.805848 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpmyadmin0
    [Wed Jul 11 09:50:43.158305 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpmyadmin1
    [Wed Jul 11 09:50:43.548194 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpmyadmin2
    [Wed Jul 11 09:50:43.882230 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/myadmin
    [Wed Jul 11 09:50:44.222945 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/myadmin2
    [Wed Jul 11 09:50:44.581796 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/xampp
    [Wed Jul 11 09:50:44.966357 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpMyadmin_bak
    [Wed Jul 11 09:50:45.354844 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/www
    [Wed Jul 11 09:50:45.747375 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/tools
    [Wed Jul 11 09:50:46.115595 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpmyadmin-old
    [Wed Jul 11 09:50:46.470622 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpMyAdminold
    [Wed Jul 11 09:50:46.801989 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpMyAdmin.old
    [Wed Jul 11 09:50:47.185980 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/pma-old
    [Wed Jul 11 09:50:47.556600 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/claroline
    [Wed Jul 11 09:50:47.918772 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/typo3
    [Wed Jul 11 09:50:48.297521 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpma
    [Wed Jul 11 09:50:49.051256 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpMyAdmin
    [Wed Jul 11 09:50:50.596853 2018] [access_compat:error] [pid 31546] [client 180.76.169.57:33187] AH01797: client denied by server configuration: /var/www/html/wuwu11.php
    [Wed Jul 11 09:50:51.517766 2018] [access_compat:error] [pid 32548] [client 180.76.169.57:33513] AH01797: client denied by server configuration: /var/www/html/xw.php
    [Wed Jul 11 09:50:52.523022 2018] [access_compat:error] [pid 31489] [client 180.76.169.57:33698] AH01797: client denied by server configuration: /var/www/html/xx.php
    [Wed Jul 11 09:50:53.538599 2018] [access_compat:error] [pid 32555] [client 180.76.169.57:33878] AH01797: client denied by server configuration: /var/www/html/s.php
    [Wed Jul 11 09:50:54.547909 2018] [access_compat:error] [pid 31546] [client 180.76.169.57:34063] AH01797: client denied by server configuration: /var/www/html/w.php
    [Wed Jul 11 09:50:55.536589 2018] [access_compat:error] [pid 31536] [client 180.76.169.57:34261] AH01797: client denied by server configuration: /var/www/html/sheep.php
    [Wed Jul 11 09:51:51.916411 2018] [access_compat:error] [pid 32628] [client 212.66.120.235:60238] AH01797: client denied by server configuration: /var/www/html/
    
    
    But inside /var/www/html are:
    Code:
    [email protected]:/var/www/html# ls -la
    total 20
    drwxr-xr-x 2 root root  4096 Jun 13 10:00 .
    drwxr-xr-x 9 root root  4096 Jul 11 14:41 ..
    -rw-r--r-- 1 root root 11321 Apr 13  2017 index.html
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    These are just bots which try to find phpmyadmin installations on your server or other administrative tools and access has been denied as intended.
     
  3. Jesse Norell

    Jesse Norell Well-Known Member

    You can make use of those logs and setup a fail2ban jail to block IPs from those scans.
     
  4. Poliman

    Poliman Member

    Thank you for answers. I have to check how to use fail2ban to permanently block these addresses. ;)

    PS
    How do I determine which port/protocol is used by these bots? Is it required in order to ban them successfully?
    Btw, if I have the default jail.conf file and a few filters in jail.local but without bantime etc., does it mean that all the settings (which are not in jail.local) are taken from jail.conf?
    I found the line
    Code:
    fail2ban-client set JAIL_NAME banip IP_ADDRESS
    which should be useful in this case, but what should I write instead of JAIL_NAME? Is it possible to block a specific IP for a specific time period?
     
    Last edited: Jul 12, 2018
  5. Jesse Norell

    Jesse Norell Well-Known Member

    fail2ban doesn't permanently block, but that's probably fine/better with proper tuning. There are some addr blocks on the internet that warrant permanent blocks, but most addrs are just compromised hosts themselves that might get cleaned up some day and would no longer need to be blocked, for which an automatically removed temp block is better (which is what fail2ban does).

    How to do that (works for debian 9 with the real phpmyadmin running at /phpmyadmin, but blocks other variations) is to create /etc/fail2ban/filter.d/phpmyadmin.local with:
    Code:
    # Fail2ban config file for phpmyadmin filter
    #
    # Author: Jesse Norell
    #
    
    [Definition]
    
    # in practice the scans all appear to end in /scripts/setup.php,
    # you can restrict to that if you wish
    
    pmare1 = (php-?(my-?)?(sql-?)?(admin|db|manager?))
    pmare2 = ((php-?)?my-?(sql-?)?(admin|db|manager?))
    pmare3 = ((php-?)(my-?)?sql-?(admin|db|manager?))
    pmare4 = (web-?(admin-?)?(sql-?)?(db)?|pma)
    pmare5 = (web|xampp)/(%(pmare1)s|%(pmare2)s|%(pmare3)s)
    pmare6 = (phpmyadmin[^/]|.+/plugins/portable-phpmyadmin)
    pmaregex = (?i)/?((%(pmare1)s|%(pmare2)s|%(pmare3)s|%(pmare4)s|%(pmare5)s)/scripts/setup.php|%(pmare6)s)
    
    failregex = ^[^ ]* <HOST> .*"(GET|POST) /(?:%(pmaregex)s)[^"]*" [34]
    
    # ignore legitimate phpmyadmin requests if you use it,
    # eg. on a DTC server that is (lowercase) /phpmyadmin
    # and ignore any /admin redirects
    
    # disallowed paths (appended to /phpmyadmin/)
    pmabadreq = scripts/setup.php
    
    ignoreregex = ^.* "(GET|POST) /phpmyadmin/(?!%(pmabadreq)s)
                ^.* "GET /phpmyadmin HTTP/.\.." 3
                ^.* "GET /admin/? HTTP/.\.." 3
    
    Then add a jail to /etc/fail2ban/jail.local:
    Code:
    [phpmyadmin]
    
    enabled  = true
    port = http,https
    logpath  = %(apache_access_log)s
               /var/www/clients/client*/web*/log/access.log
    maxretry = 3
    findtime = 600
    bantime  = 3600
    
    It's a web server, so ports 80 and 443.

    I'm not sure I understand that question, but you don't need to know the port numbers in order to use fail2ban to match/block them. The above config has "port = http,https" set, which may or may not be used in your fail2ban setup, it depends on what banaction you are using (eg. I have `banaction = %(banaction_allports)s` set on that server, so all ports are banned, and that port = line is ignored).

    Yes, jail.conf is read first, then jail.local, so anything in the former overrides the latter. If your jail doesn't have a specific setting like bantime, it will use the setting from the `[DEFAULT]` section. You can have a `[DEFAULT]` in both jail.conf and jail.local, where eg. you just override a few settings in the latter.

    As an example, here's the section from jail.local on this server (xx.xx.xx.0/24 is a local ip block I want to ensure we don't block):
    Code:
    [DEFAULT] 
    
    ignoreip = 127.0.0.1 xx.xx.xx.0/24
    destemail = [email protected]
    sender = [email protected]
    banaction = %(banaction_allports)s
    
     
    till likes this.
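    Added example, not from the thread or from fail2ban itself: a small Python re-implementation of the maxretry/findtime counting that the jail above applies, run over the AH01797 "client denied" lines quoted in the first post. It takes maxretry = 3, findtime = 600 and ignoreip = 127.0.0.1 from the posted configs; the address 198.51.100.23 and its three lines are constructed to show a host whose denials are too spread out to trip the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Shape of the AH01797 "client denied" lines quoted in the thread (IPv4 clients only).
DENIED_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] "
    r"\[access_compat:error\] \[pid \d+\] \[client (?P<ip>[^:\]]+):\d+\] "
    r"AH01797: client denied by server configuration: (?P<path>[^,\s]+)"
)

# Constructed sample: lines excerpted from the thread, plus three denials from the
# made-up address 198.51.100.23 spaced 15 minutes apart (wider than findtime).
SAMPLE_LOG = """\
[Wed Jul 11 07:08:53.377580 2018] [access_compat:error] [pid 23644] [client 95.213.177.126:23508] AH01797: client denied by server configuration: /var/www/html/azenv.php, referer: https://proxyradar.com/
[Wed Jul 11 07:25:02.275370 2018] [access_compat:error] [pid 27360] [client 127.0.0.1:42868] AH01797: client denied by server configuration: /var/www/html/
Argument ""-"" isn't numeric in numeric gt (>) at /usr/local/ispconfig/server/scripts/vlogger line 514, <STDIN> line 9930.
[Wed Jul 11 08:00:00.000000 2018] [access_compat:error] [pid 29001] [client 198.51.100.23:40001] AH01797: client denied by server configuration: /var/www/html/pma
[Wed Jul 11 08:15:00.000000 2018] [access_compat:error] [pid 29002] [client 198.51.100.23:40002] AH01797: client denied by server configuration: /var/www/html/myadmin
[Wed Jul 11 08:30:00.000000 2018] [access_compat:error] [pid 29003] [client 198.51.100.23:40003] AH01797: client denied by server configuration: /var/www/html/phpmyadmin
[Wed Jul 11 09:50:30.258789 2018] [access_compat:error] [pid 31488] [client 180.76.169.57:29813] AH01797: client denied by server configuration: /var/www/html/
[Wed Jul 11 09:50:35.103734 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/phpMyAdmin
[Wed Jul 11 09:50:35.437706 2018] [access_compat:error] [pid 31622] [client 180.76.169.57:29989] AH01797: client denied by server configuration: /var/www/html/pmd
"""

def parse_denied(line):
    """Return (timestamp, client_ip, denied_path), or None for lines that are not denials."""
    m = DENIED_RE.match(line)
    if not m:
        return None  # e.g. the vlogger warnings interleaved in error.log
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["path"]

def find_offenders(lines, maxretry=3, findtime=600, ignoreip=("127.0.0.1",)):
    """Map each client IP to the time its denials within findtime seconds reached maxretry."""
    # Same semantics as the jail's maxretry/findtime and [DEFAULT] ignoreip; lines must be chronological.
    ignored = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> denial timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ts, ip, _path = parsed
        if ip in banned or any(ip_address(ip) in net for net in ignored):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget denials older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned
```

    With the sample above only 180.76.169.57 crosses the threshold; widening findtime to 3600 also catches the slow scanner, which is the tuning trade-off the post describes.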
  6. Poliman

    Poliman Member

    Thank you for detailed answer. I have to digest it. :)
     
