
I’ve recently set up a tiny Debian VPS for hosting a couple of personal sites.

In the Apache access logs, I’ve noticed quite a few requests for URLs like /phpMyAdmin-2.6.4/scripts/setup.php coming from one particular IP address. The IP address in question is listed on Project Honeypot. They haven’t noticed any dodgy activity from it recently, but I got these requests this morning.

I don’t run any of the services the IP address seems to be looking for, but I wondered whether I should block all requests from this IP address using the firewall on my server. I’m thinking it would at least clear up my access logs, and if it’s one IP address, in the worst case scenario, I wouldn’t have blocked many users from the site if it was used for legitimate purposes in future.

Paul D. Waite

2 Answers


I prefer to do that to persistent offenders. You can also install portsentry to listen on ports unused and permanently/temporarily block offenders automatically.

Try it on a desktop first, it's pretty easy and you can script around it.

That won't stop the PHP probes but you should be checking logs (with something like logwatch) for these attacks anyway and can ban persistent offenders then.

--edit--
Fail2ban can work with PHP 'probes': Fail2Ban PHP probes

--edit2--
PHPMyAdmin probes for Fail2ban

--edit3--
Sorry for all the edits but this one is something I might roll out! Very simple but effective at stopping 404s: Fail2ban 404s

Jonathan Ross
  • Sure. Does portsentry work similarly to [fail2ban](http://www.fail2ban.org/) (mentioned in [question 176014](http://serverfault.com/questions/176014/block-an-ip-address-which-tries-to-download-entire-website)), or does it work at a different level? – Paul D. Waite Apr 13 '11 at 13:24
  • It works at the TCP or UDP port level and primarily I use it for checking people probing ports on the Server that they shouldn't. Otherwise it's very difficult to log these reconnaissance probes. Fail2ban listens to software (and bans from password failures being flagged up) rather than at the networking level. If PHP is hardened a little then it can be made pretty secure, just do the daily housekeeping with log checks: `http://tinyurl.com/y6tmw7e` – Jonathan Ross Apr 13 '11 at 13:29
  • ah sure, gotcha. – Paul D. Waite Apr 13 '11 at 14:07
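As an added example (not code from the question or from either answer), the kind of check a fail2ban "PHP probes" or "404s" filter performs, written as a stand-alone Python log scan: it parses Apache combined-format lines, keeps only 404s whose path looks like a phpMyAdmin/setup.php probe such as the one in the question, and reports IPs that hit `maxretry` such requests within `findtime`. The sample log lines, the probe pattern, and the maxretry/findtime defaults are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (RFC 5737 test addresses,
# not the IP from the question).
SAMPLE_LOG = """\
198.51.100.23 - - [13/Apr/2011:09:02:11 +0000] "GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
198.51.100.23 - - [13/Apr/2011:09:02:12 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
198.51.100.23 - - [13/Apr/2011:09:02:13 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Apr/2011:09:05:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2011:09:05:41 +0000] "GET /old-page HTTP/1.1" 404 292 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed probe pattern: paths only a phpMyAdmin/setup.php scanner would ask for
# on a host that does not run phpMyAdmin at all.
PROBE_RE = re.compile(r'(?i)(phpmyadmin|/pma/|/scripts/setup\.php)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict with ip, ts, path, status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def persistent_probers(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Map IP -> total probe-404 count, for IPs that made maxretry probe 404s
    inside any findtime window (fail2ban-style thresholds; values are assumed)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only 404s to probe-looking paths count: a real 404 on /old-page is ignored.
        if rec and rec["status"] == 404 and PROBE_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        # Sliding window: any maxretry consecutive hits spanning <= findtime trips the threshold.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                offenders[ip] = len(times)
                break
    return offenders
```

The returned IPs are what a jail would hand to its firewall action; the second host, with one ordinary 404, never appears.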

There was a good discussion of the merits of fail2ban etc at my question on blocking the IP addresses failed logins come from.

There are some suggestions of tools to block these attacks, including fail2ban, but the main thing I got was that these tools don't achieve much more than clearing up your logs - you still need to secure your server against attack, because a successful attack could come from anywhere, and wouldn't necessarily trigger fail2ban.

dunxd