At Sun, 8 May 2011 10:46:17 -0700 CentOS mailing list <centos at centos.org> wrote:
>
> Hi All,
>
> I want to know thoughts on if I am being too paranoid/security conscious.
>
> CentOS 5.6, Apache, MySQL, running a Firewall in front of everything and obviously the built-in firewall on the box. I have ssh on a different port and am starting to use Keys instead of password authentication. I host an intensive website and I am getting about 150 unique visitors per day.
>
> What I am seeing is LogWatch reporting a lot of 404's like:
>
> 404 Not Found
> //PHPMA/: 1 Time(s)
> //admin/myadmin/: 1 Time(s)
> //admin/phpmyadmin/: 1 Time(s)
> //adming/: 1 Time(s)
> //ascils/phpmyadmin/: 1 Time(s)
> //blog/wp-content/plugins/phpmyadmin/: 1 Time(s)
> //database/: 2 Time(s)
> //db/: 1 Time(s)
> //dba/: 1 Time(s)
> //dbadmin/: 2 Time(s)
> //html/phpMyAdmin/: 1 Time(s)
> //html/phpmyadmin/: 1 Time(s)
> //lamp/phpmyadmin/: 1 Time(s)
> //myadmin/: 1 Time(s)
> //mydatabase/: 1 Time(s)
> //mydb/: 1 Time(s)
> //myphp/: 1 Time(s)
> //mysql-admin/: 1 Time(s)
> //mysql/: 1 Time(s)
> //mysqladmin/: 2 Time(s)
> //mysqlmanager/: 1 Time(s)
> //phpMyAdmin-2.8.0.2/: 1 Time(s)
> //phpMyAdmin-2.8.1-rc1/: 1 Time(s)
> //phpMyAdmin-2.8.1/: 1 Time(s)
> //phpMyAdmin-2.8.2/: 1 Time(s)
> //phpMyAdmin/: 1 Time(s)
> //phpadm/: 2 Time(s)
> //phpma/: 1 Time(s)
> //phpmanager/: 1 Time(s)
> //phpmy/: 2 Time(s)
> //phpmyadmin/: 1 Time(s)
> //pma/: 1 Time(s)
> //pmaadmin/: 1 Time(s)
> //pmadmin/: 1 Time(s)
> //sql/: 1 Time(s)
> //sqladmin/: 2 Time(s)
> //sqldatabase/: 2 Time(s)
> //sqlmanager/: 1 Time(s)
> //sqlweb/: 1 Time(s)
> //typo3/phpmyadmin/: 1 Time(s)
> //webadmin/: 1 Time(s)
> //webdb/: 1 Time(s)
> //websql/: 1 Time(s)
> //wp-content/plugins/phpMyAdmin/: 1 Time(s)
> //wp-content/plugins/wp-phpmyadmin/: 1 Time(s)
> //xampp/phpmyadmin/: 1 Time(s)
>
> So I turned on Apache ReWrite and I created a file and I put in rules like: (just a small subset)
>
> RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmy(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpma [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmyadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpgadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phppgadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmyadmin(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/php\-my\-admin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/php\-myadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmy\-admin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmanager [NC,OR]
> RewriteCond %{REQUEST_URI} ^/player(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/plugins [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pma [NC,OR]
> RewriteCond %{REQUEST_URI} ^/p/m/a [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pmadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pmaadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/scripts [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sd(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sql [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sqladmin [NC,OR]
>
> and if one of these is hit I use a Rule of:
>
> RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]
>
> Every day I look at the LogWatch E-Mail and I add one people are trying to hit and restart apache.
>
> This yields a few questions.
>
> 1. Am I being too paranoid by doing this? My logic is they don't belong here and I could get mad if someone walked up to my apartment and tried jiggling the door handle to see if it was unlocked.

Well, yes. There is a simpler way -- Apache does have an 'error page' handler, where you can customize your 404 page or how Apache responds to a 'page not found' error. Doing the redirect is not really going to solve anything anyway. Most (all?) of these accesses are from a program -- a kind of 'bad' robot, which is probably going to ignore the 301 status and come to the conclusion that these URIs are actually working and report success to its (human) master. That will open you up for more (automated) attacks and/or piss off the human hacker, who will just come up with more and nastier attacks or maybe just launch a DoS attack for spite. You are better off just letting Apache handle these as 404.

Imagine you have a storefront and people come by after hours and see the lights off and the closed sign -- people will go away and come back later. Imagine that the lights are on and there is no closed sign, and instead you have some poor clerk there answering the door telling people to go away. That is likely to cause more trouble, since people will just come back in 5-10 minutes and ask if the store is open now. Or worse, wait around until there is some indication that the store is open.

> 2. I know I can simplify these rules. Wouldn't RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR] get most of the attempts for things like /php, /php-myadmin, /phpmyadmin-2.0.8.8, etc?
>
> 3. Is there a better way to write these rules?
>
> 4. Why does LogWatch show this to me as a 404, when a rewrite rule is hit and they are re-directed back to themselves? My rules seem to be working, if I try and hit /scripts right now, it does what I expect.

Question: are you using virtual hosts? If so, then the 'visitors' are either NOT sending HTTP 1.1 headers or not using the virtual host name.

> Can anyone shed some light for me on my thoughts/questions?

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
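As an added example, not part of the thread, here is a small Python script that does what LogWatch is doing above but tailored to these probes: it parses Apache combined-format access log lines, collapses the doubled leading slash the scanner sends, groups admin-panel probes by client address and reports the status codes each client received, which also shows whether a rewrite rule turned a probe into a 301 or it fell through to a plain 404. The log lines, addresses and the probe-name list are constructed here from the paths quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Name fragments taken from the probe list in the thread (matched case-insensitively).
ADMIN_PROBE_RE = re.compile(
    r'(phpmyadmin|pma|myadmin|mysqladmin|sqladmin|dbadmin|webdb|websql|xampp|typo3)',
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The scanner requests "//phpmyadmin/"; drop any query string and collapse
    # repeated slashes so "//pma/" and "/pma/" are counted as the same probe.
    rec["path"] = re.sub(r"/+", "/", rec["path"].split("?", 1)[0])
    rec["status"] = int(rec["status"])
    return rec

def admin_probes_by_client(lines, min_distinct=3):
    """Map client ip -> (sorted distinct admin-looking paths, {status: count})
    for clients that requested at least `min_distinct` different such paths;
    a single hit on a real page that happens to contain 'phpmyadmin' is ignored."""
    paths = defaultdict(set)
    statuses = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and ADMIN_PROBE_RE.search(rec["path"]):
            paths[rec["ip"]].add(rec["path"])
            statuses[rec["ip"]][rec["status"]] += 1
    return {ip: (sorted(p), dict(statuses[ip]))
            for ip, p in paths.items() if len(p) >= min_distinct}

# Constructed sample log: one scanner (four 404s, one probe caught by a 301
# rewrite) and one ordinary visitor who hit a single missing blog page.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2011:03:12:01 -0700] "GET //phpMyAdmin/ HTTP/1.0" 404 291
203.0.113.7 - - [08/May/2011:03:12:01 -0700] "GET //pma/ HTTP/1.0" 404 291
203.0.113.7 - - [08/May/2011:03:12:02 -0700] "GET //phpmyadmin/ HTTP/1.0" 404 291
203.0.113.7 - - [08/May/2011:03:12:02 -0700] "GET //xampp/phpmyadmin/ HTTP/1.0" 404 291
203.0.113.7 - - [08/May/2011:03:12:03 -0700] "GET //sqladmin/ HTTP/1.0" 301 -
198.51.100.4 - - [08/May/2011:09:40:11 -0700] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [08/May/2011:09:40:12 -0700] "GET /blog/phpmyadmin-tips.html HTTP/1.1" 404 291
"""

if __name__ == "__main__":
    for ip, (probe_paths, by_status) in admin_probes_by_client(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(probe_paths)} distinct admin-panel probes, statuses {by_status}")
```

Pointing it at the real access_log (rather than the embedded sample) gives the per-client view LogWatch's flat 404 list lacks, and the status breakdown answers question 4 directly for each client.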