[CentOS] Am I being too paranoid?

Sun May 8 17:57:23 UTC 2011
Eero Volotinen <eero.volotinen at iki.fi>

2011/5/8 Jason <slackmoehrle.lists at gmail.com>:
> Hi All,
>
> I want to know thoughts on if I am being too paranoid/security-conscious.
>
> CentOS 5.6, Apache, MySQL, running a firewall in front of everything and obviously the built-in firewall on the box. I have ssh on a different port and am starting to use keys instead of password authentication. I host an intensive website and I am getting about 150 unique visitors per day.
>
> What I am seeing is LogWatch reporting a lot of 404's like:
>
> 404 Not Found
> //PHPMA/: 1 Time(s)
> //admin/myadmin/: 1 Time(s)
> //admin/phpmyadmin/: 1 Time(s)
> //adming/: 1 Time(s)
> //ascils/phpmyadmin/: 1 Time(s)
> //blog/wp-content/plugins/phpmyadmin/: 1 Time(s)
> //database/: 2 Time(s)
> //db/: 1 Time(s)
> //dba/: 1 Time(s)
> //dbadmin/: 2 Time(s)
> //html/phpMyAdmin/: 1 Time(s)
> //html/phpmyadmin/: 1 Time(s)
> //lamp/phpmyadmin/: 1 Time(s)
> //myadmin/: 1 Time(s)
> //mydatabase/: 1 Time(s)
> //mydb/: 1 Time(s)
> //myphp/: 1 Time(s)
> //mysql-admin/: 1 Time(s)
> //mysql/: 1 Time(s)
> //mysqladmin/: 2 Time(s)
> //mysqlmanager/: 1 Time(s)
> //phpMyAdmin-2.8.0.2/: 1 Time(s)
> //phpMyAdmin-2.8.1-rc1/: 1 Time(s)
> //phpMyAdmin-2.8.1/: 1 Time(s)
> //phpMyAdmin-2.8.2/: 1 Time(s)
> //phpMyAdmin/: 1 Time(s)
> //phpadm/: 2 Time(s)
> //phpma/: 1 Time(s)
> //phpmanager/: 1 Time(s)
> //phpmy/: 2 Time(s)
> //phpmyadmin/: 1 Time(s)
> //pma/: 1 Time(s)
> //pmaadmin/: 1 Time(s)
> //pmadmin/: 1 Time(s)
> //sql/: 1 Time(s)
> //sqladmin/: 2 Time(s)
> //sqldatabase/: 2 Time(s)
> //sqlmanager/: 1 Time(s)
> //sqlweb/: 1 Time(s)
> //typo3/phpmyadmin/: 1 Time(s)
> //webadmin/: 1 Time(s)
> //webdb/: 1 Time(s)
> //websql/: 1 Time(s)
> //wp-content/plugins/phpMyAdmin/: 1 Time(s)
> //wp-content/plugins/wp-phpmyadmin/: 1 Time(s)
> //xampp/phpmyadmin/: 1 Time(s)
>
> So I turned on Apache ReWrite and I created a file and I put in rules like: (just a small subset)
>
> RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmy(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpma [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmyadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpgadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phppgadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmyadmin(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/php\-my\-admin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/php\-myadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmy\-admin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmanager [NC,OR]
> RewriteCond %{REQUEST_URI} ^/player(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/plugins [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pma [NC,OR]
> RewriteCond %{REQUEST_URI} ^/p/m/a [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pmadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pmaadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/scripts [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sd(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sql [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sqladmin [NC,OR]
>
> and if one of these is hit I use a Rule of:
>
> RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]
>
> Every day I look at the LogWatch e-mail, add the ones people are trying to hit, and restart Apache.
>
> This yields a few questions.
>
> 1. Am I being too paranoid by doing this? My logic is they don't belong here, and I would get mad if someone walked up to my apartment and tried jiggling the door handle to see if it was unlocked.
>
> 2. I know I can simplify these rules. Wouldn't RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR] get most of the attempts for things like /php, /php-myadmin, /phpmyadmin-2.0.8.8, etc.?
>
> 3. Is there a better way to write these rules?
>
> 4. Why does LogWatch show this to me as a 404 when a rewrite rule is hit and they are redirected back to themselves? My rules seem to be working; if I try to hit /scripts right now, it does what I expect.
>
> Can anyone shed some light for me on my thoughts/questions?

You should take a look at mod_security: http://www.modsecurity.org/ ;
it provides better ways to block hostile attacks and probes.

--
Eero
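The probe-path list from the LogWatch report and the RewriteCond prefixes in the quoted post translate naturally into a detection check that can be run over the raw Apache access log. The following Python script is an added example, not code from this thread and not part of mod_security; the log lines in it are constructed, with addresses from the documentation ranges. It goes slightly beyond the quoted rules in two ways: it tests every path segment against the prefix list instead of anchoring each pattern at the start of the URI, so `/blog/wp-content/plugins/phpmyadmin/` is caught by the same entry as `/phpmyadmin/`, and it groups the probe hits by HTTP status, which shows which of the probed paths are reaching a redirect rule (301) and which still fall through to a plain 404. The probe threshold of three requests per source is an assumption for illustration, not a tuned value.

```python
"""Detect phpMyAdmin / SQL-admin probing in Apache combined-log lines.

Added example; not code from the CentOS thread or from mod_security.
The prefix list is a consolidation of the paths in the quoted LogWatch
report and is checked against every path segment, not only the URI start.
"""
import re
from collections import Counter

# Lower-cased prefixes of the admin-tool paths seen in the LogWatch report.
# "db" also covers dba/dbadmin, "php" covers phpMyAdmin-2.8.x/phpma/phpmy,
# "pma" covers pmaadmin/pmadmin, "sql" covers sqladmin/sqlmanager/sqlweb.
PROBE_PREFIXES = (
    "php", "pma", "sql", "mysql", "myadmin", "mydb", "myphp", "mydatabase",
    "db", "database", "webadmin", "webdb", "websql", "adming", "wp-phpmyadmin",
)

# Apache "combined" log format; referer and user-agent are left unparsed.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (assumed data): one scanner, one ordinary visitor,
# one single-shot probe.  IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2011:17:01:02 +0000] "GET //phpMyAdmin-2.8.1/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"
192.0.2.10 - - [08/May/2011:17:01:03 +0000] "GET //pma/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"
192.0.2.10 - - [08/May/2011:17:01:03 +0000] "GET //blog/wp-content/plugins/phpmyadmin/ HTTP/1.1" 404 286 "-" "Mozilla/4.0"
192.0.2.10 - - [08/May/2011:17:01:04 +0000] "GET //sqladmin/ HTTP/1.1" 301 0 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2011:17:05:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2011:17:05:11 +0000] "GET /images/logo.png HTTP/1.1" 200 8840 "http://example.invalid/" "Mozilla/5.0"
203.0.113.4 - - [08/May/2011:17:09:00 +0000] "GET //db/ HTTP/1.0" 404 286 "-" "-"
"""


def is_probe(target: str) -> bool:
    """True if any path segment of the request target starts with a probe prefix.

    The query string is discarded first.  Splitting on "/" and dropping empty
    segments tolerates the doubled leading slash scanners typically send
    (//phpmyadmin/ rather than /phpmyadmin/).
    """
    path = target.partition("?")[0].lower()
    segments = [seg for seg in path.split("/") if seg]
    return any(seg.startswith(PROBE_PREFIXES) for seg in segments)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def probe_hits(log_text: str):
    """Return [(ip, target, status)] for every probe request in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["target"]):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits


def noisy_sources(log_text: str, threshold: int = 3) -> dict:
    """Map source IP -> probe count for sources at or above the threshold."""
    counts = Counter(ip for ip, _, _ in probe_hits(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def status_breakdown(log_text: str) -> dict:
    """Map HTTP status -> number of probe requests that received it.

    Probes answered with 301 went through a redirect rule; probes answered
    with 404 matched no rule and fell through to the normal not-found handler.
    """
    return dict(Counter(status for _, _, status in probe_hits(log_text)))


if __name__ == "__main__":
    for ip, target, status in probe_hits(SAMPLE_LOG):
        print(f"{ip:<14} {status} {target}")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
    print("probes by status:", status_breakdown(SAMPLE_LOG))
```

The prefix list is deliberately as broad as the quoted rules ("db" also matches a legitimate /dbinfo/ directory, "php" matches /phpinfo.php), so compare the flagged targets against the site's real URL map before feeding the counts into a firewall or a mod_security rule. Reading `/var/log/httpd/access_log` into `probe_hits` in place of `SAMPLE_LOG` is the only change needed to run it on a live host.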