On 06/03/2013 14:17, Robert Moskowitz wrote:
So I have this nice, simple web server up running. Its purpose is to allow me external testing with HIP, and to provide some files for external distribution. Of course, there it is sitting on port 80 and the attacks are coming in per logwatch report. Examples from the report include:
Requests with error response codes
   404 Not Found
      //phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
      //phpMyAdmin-2.5.4/scripts/setup.php: 1 Time(s)
      //phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
      //phpMyAdmin-2.5.5-rc1/scripts/setup.php: 1 Time(s)
      //phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
      /muieblackcat: 1 Time(s)
      /myadmin/scripts/setup.php: 2 Time(s)
      /mysql-admin/scripts/setup.php: 1 Time(s)
      /mysql/scripts/setup.php: 1 Time(s)
      /mysqladmin/scripts/setup.php: 2 Time(s)
      /mysqlmanager/scripts/setup.php: 1 Time(s)
Now these are only a few, though I am probably not being hit as hard as others out there.
My question is:
Is there a way to shut this nonsense down? Or because I am sending the 404, I am doing all that is reasonable to do?
You could use fail2ban to reduce the load on the server; here is my config:
cat /etc/fail2ban/filter.d/apache-errorcode.conf
# Fail2Ban configuration file
#
# Author: Lorenzo Quatrini
#
# $Revision: 1 $
#

[Definition]

errorcode = 400|403|404

# Option: failregex
# Notes.: Regexp to catch bad request
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*" (?:%(errorcode)s)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
I am wondering that if this list starts getting long, that is a lot of logging and I probably don't need to log 404s?
The "downside" of using fail2ban is that you will start receiving email about banned hosts; but that is configurable, as is the number of failed attempts before being banned. Also you can have "trusted" hosts that never get banned... but the manual explains this better than I can.
Regards,
Lorenzo
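The filter from the reply above, run against sample access-log lines to show which hosts would reach the ban threshold; this is an added example, not part of the original post and not fail2ban's own code. The IPv4-only `HOST_RE` stand-in for `<HOST>`, the `maxretry`/`findtime` values and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# errorcode and failregex are taken from the filter in the post. HOST_RE is a
# simplified IPv4-only stand-in (assumption) for fail2ban's <HOST> tag.
ERRORCODE = "400|403|404"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r'^%s -.*"(GET|POST).*HTTP.*" (?:%s)' % (HOST_RE, ERRORCODE))
STAMP = re.compile(r"\[([^\]]+)\]")

# Constructed Apache access-log lines (documentation address ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2013:14:00:01 +0100] "GET //phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 404 289
203.0.113.7 - - [06/Mar/2013:14:00:02 +0100] "GET /muieblackcat HTTP/1.1" 404 270
192.0.2.55 - - [06/Mar/2013:14:00:02 +0100] "GET /old-link.html HTTP/1.1" 404 275
203.0.113.7 - - [06/Mar/2013:14:00:03 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 283
198.51.100.20 - - [06/Mar/2013:14:05:00 +0100] "GET /files/hip.tar.gz HTTP/1.1" 200 51234
198.51.100.20 - - [06/Mar/2013:14:05:01 +0100] "GET /favicon.ico HTTP/1.1" 404 271
192.0.2.55 - - [06/Mar/2013:14:20:00 +0100] "GET /old-link.html HTTP/1.1" 404 275
192.0.2.55 - - [06/Mar/2013:14:40:00 +0100] "GET /old-link.html HTTP/1.1" 404 275
"""

def banned_hosts(lines, maxretry=3, findtime=600):
    """Hosts with at least maxretry matching lines within findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # host -> timestamps of recent matches
    banned = []
    for line in lines:
        match = FAILREGEX.search(line)
        if not match:
            continue            # e.g. the 200 response above
        host = match.group("host")
        when = datetime.strptime(STAMP.search(line).group(1),
                                 "%d/%b/%Y:%H:%M:%S %z")
        recent = hits[host]
        recent.append(when)
        while when - recent[0] > window:
            recent.popleft()    # forget matches older than findtime
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG.splitlines()))                 # scanner only
    print(banned_hosts(SAMPLE_LOG.splitlines(), findtime=3600))  # wider window
```

With the wider window, the client that keeps requesting one stale link is banned alongside the scanner, which is why the retry count, the time window and the list of never-banned hosts (`ignoreip` in the jail) need tuning for a site's real traffic.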