[CentOS] Interpreting logwatch
m.roth at 5-cent.us
Wed Sep 8 13:23:49 UTC 2010
Timothy Murphy wrote:
> Every few days I see in the logwatch on my Centos-5.5 web-server
> what seems like a rather feeble break-in attempt.
> E.g. today I see
> ---------------------------
> 403 Forbidden
> /phpMyAdmin/scripts/setup.php: 2 Time(s)
> /phpmyadmin/scripts/setup.php: 2 Time(s)
> 404 Not Found
> /PMA2005/scripts/setup.php: 1 Time(s)
> /TRAD_files/datestamp.js: 1 Time(s)
> ...
> ---------------------------
> followed by dozens of similar lines.
>
> As far as I can see, the IP of the person making the attempt
> (if there was an attempt) is not given.
>
> I'm not at all sure what if anything I should do about this.
>
> In fact, I'm not clear how one should deal with logwatch entries
> in general.
> Is there any document giving advice on this?
We run fail2ban. It blocks a given IP for so long after so many (3? 5?)
failed attempts to break in. It also does a whois on the IP, which is a
little more info.
mark, wondering if the Chinese Railway is trying again today
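Since the logwatch summary only shows status code and path, the source addresses have to be pulled from the Apache access_log itself. The following is an added example, not code from anyone in this thread: it parses lines in Apache combined log format, groups 403/404 hits by path the way logwatch does, but keeps the client IP behind each count. The log lines are constructed samples and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2010:06:12:01 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 202 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Sep/2010:06:12:02 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 202 "-" "Mozilla/4.0"
198.51.100.9 - - [08/Sep/2010:06:40:13 +0000] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Sep/2010:07:01:44 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 202 "-" "Mozilla/4.0"
192.0.2.5 - - [08/Sep/2010:07:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "METHOD path PROTO", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_lines(text):
    """Yield (ip, path, status) for every line that matches the combined format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def summarize(text, statuses=(403, 404)):
    """Return {status: {path: Counter(ip -> hits)}}, i.e. the logwatch view plus IPs."""
    by_status = defaultdict(lambda: defaultdict(Counter))
    for ip, path, status in parse_lines(text):
        if status in statuses:
            by_status[status][path][ip] += 1
    return by_status


def top_sources(text, statuses=(403, 404)):
    """Total 403/404 hits per client IP, most active first (candidates for fail2ban)."""
    totals = Counter()
    for ip, path, status in parse_lines(text):
        if status in statuses:
            totals[ip] += 1
    return totals.most_common()


if __name__ == "__main__":
    for status, paths in sorted(summarize(SAMPLE_LOG).items()):
        print(status)
        for path, ips in paths.items():
            print(f"  {path}: {sum(ips.values())} Time(s) from {', '.join(ips)}")
    print("by IP:", top_sources(SAMPLE_LOG))
```

Run it against /var/log/httpd/access_log instead of SAMPLE_LOG to see which addresses are behind the setup.php probes in your own summary.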