5

I have a Linux web server running Rails and each time I check the Nginx logs I find attempts to access PHPMyAdmin, database and admin directories such as this:

190.196.161.110 - - [16/Oct/2011:23:37:31 +0100] "GET //PHPMyAdmin/ HTTP/1.1" 404 728 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

The attacks are coming from a variety of different IP addresses and they just increment version numbers and check each directory, e.g. GET //PHPMyAdmin 1.0/, GET //PHPMyAdmin 1.1/ etc.

Will this affect the performance of my web server much? Also, is there a way to automatically ban IP addresses that do such things, e.g. like fail2ban for ssh log-in attempts?

rsl

2 Answers

10

If you're using Apache for such applications, you may want to look into ModSecurity, mod_evasive and/or mod_qos. The latter two are more geared towards brute force and DoS attacks. ModSecurity though has a ton of stuff under its banner.

Krzysztof Kotowicz
Ryan Draga
3

Fail2ban has an example script for doing this from Apache log files. Basically look for the PHPMyAdmin string in your logs with a 404.

Jeff Ferland
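
The matching logic described in the answer above (PHPMyAdmin string plus a 404, then ban repeat offenders), as an added example that is not part of the original answers and is not Fail2ban's own code. The `maxretry` and `findtime` parameter names echo Fail2ban's jail options; the function name, thresholds and sample log lines are constructed for illustration, and the input is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Nginx/Apache "combined" format: ip - user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)
PROBE_RE = re.compile(r'phpmyadmin', re.IGNORECASE)


def find_scanners(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with >= maxretry PHPMyAdmin 404s inside one findtime window."""
    recent = defaultdict(deque)  # ip -> timestamps of matching requests
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['status'] != '404' or not PROBE_RE.search(m['request']):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        hits = recent[m['ip']]
        hits.append(ts)
        while ts - hits[0] > findtime:  # forget hits older than the window
            hits.popleft()
        if len(hits) >= maxretry and m['ip'] not in flagged:
            flagged.append(m['ip'])
    return flagged


# Constructed sample lines (documentation IP ranges), oldest first.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Oct/2011:23:00:00 +0100] "GET //PHPMyAdmin/ HTTP/1.1" 404 728 "-" "scanner"
198.51.100.7 - - [16/Oct/2011:23:20:00 +0100] "GET //PHPMyAdmin/ HTTP/1.1" 404 728 "-" "scanner"
192.0.2.10 - - [16/Oct/2011:23:37:31 +0100] "GET //PHPMyAdmin/ HTTP/1.1" 404 728 "-" "scanner"
192.0.2.10 - - [16/Oct/2011:23:37:32 +0100] "GET //phpMyAdmin-2.5.1/ HTTP/1.1" 404 728 "-" "scanner"
203.0.113.5 - - [16/Oct/2011:23:37:33 +0100] "GET /favicon.ico HTTP/1.1" 404 728 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Oct/2011:23:37:34 +0100] "GET //pma/phpmyadmin/ HTTP/1.1" 404 728 "-" "scanner"
198.51.100.7 - - [16/Oct/2011:23:40:00 +0100] "GET //PHPMyAdmin/ HTTP/1.1" 404 728 "-" "scanner"
""".splitlines()

if __name__ == '__main__':
    print(find_scanners(SAMPLE_LOG))
```

The slow prober at 198.51.100.7 stays under the threshold because its hits never fall inside one ten-minute window, which is the trade-off to weigh when choosing `findtime` and `maxretry`.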