[CentOS] Interpreting logwatch

Wed Sep 8 13:23:49 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Timothy Murphy wrote:
> Every few days I see in the logwatch on my Centos-5.5 web-server
> what seems like a rather feeble break-in attempt.
> E.g. today I see
> ---------------------------
>     403 Forbidden
>        /phpMyAdmin/scripts/setup.php: 2 Time(s)
>        /phpmyadmin/scripts/setup.php: 2 Time(s)
>     404 Not Found
>        /PMA2005/scripts/setup.php: 1 Time(s)
>        /TRAD_files/datestamp.js: 1 Time(s)
> ...
> ---------------------------
> followed by dozens of similar lines.
>
> As far as I can see, the IP of the person making the attempt
> (if there was an attempt) is not given.
>
> I'm not at all sure what if anything I should do about this.
>
> In fact, I'm not clear how one should deal with logwatch entries
> in general.
> Is there any document giving advice on this?

We run fail2ban. It blocks a given IP for so long after so many (3? 5?)
failed attempts to break in. It also does a whois on the IP, which is a
little more info.

          mark, wondering if the Chinese Railway is trying again today
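The logwatch summary above groups hits by path and drops the client address, but the raw Apache access log still has it, and that per-IP count is exactly what fail2ban keys its ban on (its `maxretry` setting; `findtime` and `bantime` control the window and the ban length). The following is an added example, not code from the original post or from fail2ban: it parses Apache combined-format lines, counts 403/404 responses per client IP, and lists the IPs that reach a fail2ban-style threshold. The log lines are constructed for this example (documentation-range IPs; the request paths are the ones the logwatch excerpt lists) and the combined log format is an assumption about the server's configuration.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-log sample (not from the original post).
# The paths match the logwatch excerpt; the IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Sep/2010:13:01:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 287 "-" "-"
198.51.100.7 - - [08/Sep/2010:13:01:02 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 287 "-" "-"
198.51.100.7 - - [08/Sep/2010:13:01:03 +0000] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 291 "-" "-"
203.0.113.9 - - [08/Sep/2010:13:05:44 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Sep/2010:13:05:45 +0000] "GET /TRAD_files/datestamp.js HTTP/1.1" 404 291 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2010:13:01:04 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 287 "-" "-"
"""

# Apache "combined" format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, path, status) for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def failed_requests_by_ip(log_text, statuses=(403, 404)):
    """Map each client IP to a Counter of the paths on which it got a 403/404.

    This is the per-source view that the logwatch summary collapses away.
    """
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in combined format
        ip, path, status = parsed
        if status in statuses:
            per_ip[ip][path] += 1
    return per_ip


def ips_over_threshold(per_ip, maxretry=3):
    """IPs whose total 403/404 count reaches maxretry.

    Mirrors the "block after so many failed attempts" rule described in the
    reply; fail2ban's own option for this is named maxretry.
    """
    return sorted(ip for ip, paths in per_ip.items()
                  if sum(paths.values()) >= maxretry)


def report(log_text, maxretry=3):
    """Print per-IP probe counts and the IPs that cross the threshold."""
    per_ip = failed_requests_by_ip(log_text)
    for ip, paths in sorted(per_ip.items()):
        print(f"{ip}: {sum(paths.values())} failed request(s)")
        for path, n in paths.most_common():
            print(f"    {path}: {n} Time(s)")
    flagged = ips_over_threshold(per_ip, maxretry)
    print(f"over threshold ({maxretry}): {', '.join(flagged) or 'none'}")
    return flagged


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Running it against a real log would be `report(open("/var/log/httpd/access_log").read())` on a stock CentOS Apache; the point is that a burst of 403/404s on paths like `setup.php` from one address is a scanner signature, while the single 404 from the second IP is the ordinary missing-file noise a threshold is meant to ignore.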