0

We get tons of these in our Apache error log every day.

[Wed Oct 17 03:27:37 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/phpmyadmin
[Wed Oct 17 03:27:37 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/phpMyAdmin
[Wed Oct 17 03:27:37 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/pmd
[Wed Oct 17 03:27:37 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/pma
[Wed Oct 17 03:27:37 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/PMA
[Wed Oct 17 03:27:38 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/PMA2
[Wed Oct 17 03:27:38 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/pmamy
[Wed Oct 17 03:27:38 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/pmamy2
[Wed Oct 17 03:27:38 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/mysql
[Wed Oct 17 03:27:38 2018] [error] [client 103.41.124.159] File does not exist: /var/www/html/admin

Is there a way to:

  1. Block these from getting logged?
  2. Block the IP addresses that do this? Build a list of them to block?

This particular IP had 54 different "pokes". They come from different IP addresses so I'm not sure what to do.

bgtvfr
  • 1,224
  • 10
  • 19
MB34
  • 167
  • 2
  • 9

1 Answer

4
  1. Block these from getting logged?

This does not seem like a good idea: getting rid of logs will never improve security :)

  2. Block the IP addresses that do this? Build a list of them to block?

That's exactly the job fail2ban was designed for. By default, it blocks this IP temporarily.

Maybe the solution you are looking for is fail2ban.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured.

Source: https://www.fail2ban.org/wiki/index.php/Main_Page

bgtvfr
  • 1,224
  • 10
  • 19
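
The thresholding idea the answer describes, sketched as an added example (not part of the answer and not fail2ban's own code): count "File does not exist" entries per client inside a sliding time window and report the clients that reach a limit. The parameter names maxretry and findtime mirror fail2ban's jail options; the function name, the defaults and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches error-log lines in the format shown in the question.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>.+)$"
)

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time at which it first reached maxretry misses within findtime}."""
    recent = defaultdict(deque)  # ip -> timestamps of misses still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log entry
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > findtime:  # drop misses older than the window
            hits.popleft()
        if len(hits) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

# Constructed sample input (documentation-range addresses, not real clients):
# 203.0.113.7 probes in a burst, 192.0.2.44 misses one file every 15 minutes.
SAMPLE = """\
[Wed Oct 17 03:00:00 2018] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
[Wed Oct 17 03:15:00 2018] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
[Wed Oct 17 03:27:37 2018] [error] [client 203.0.113.7] File does not exist: /var/www/html/phpmyadmin
[Wed Oct 17 03:27:37 2018] [error] [client 203.0.113.7] File does not exist: /var/www/html/pma
[Wed Oct 17 03:27:38 2018] [error] [client 203.0.113.7] File does not exist: /var/www/html/PMA2
[Wed Oct 17 03:27:38 2018] [error] [client 203.0.113.7] File does not exist: /var/www/html/mysql
[Wed Oct 17 03:27:38 2018] [error] [client 203.0.113.7] File does not exist: /var/www/html/admin
[Wed Oct 17 03:30:00 2018] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
[Wed Oct 17 03:45:00 2018] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
[Wed Oct 17 04:00:00 2018] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
[Wed Oct 17 04:00:01 2018] [notice] caught SIGTERM, shutting down
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE.splitlines()).items():
        print(f"{ip} reached the limit at {when}")
```

The slow client has as many misses as the scanner but never enough inside one window, which is why the window length matters as much as the count when tuning a ban rule.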