[CentOS] Am I being too paranoid?

Sun May 8 19:11:43 UTC 2011
Robert Heller <heller at deepsoft.com>

At Sun, 8 May 2011 10:46:17 -0700 CentOS mailing list <centos at centos.org> wrote:

> 
> Hi All,
> 
> I want to know thoughts on if I am being too paranoid/security conscious. 
> 
> CentOS 5.6, Apache, MySQL, running a firewall in front of everything and obviously the built-in firewall on the box. I have ssh on a different port and am starting to use keys instead of password authentication. I host an intensive website and I am getting about 150 unique visitors per day. 
> 
> What I am seeing is LogWatch reporting a lot of 404's like:
> 
> 404 Not Found
> //PHPMA/: 1 Time(s)
> //admin/myadmin/: 1 Time(s)
> //admin/phpmyadmin/: 1 Time(s)
> //adming/: 1 Time(s)
> //ascils/phpmyadmin/: 1 Time(s)
> //blog/wp-content/plugins/phpmyadmin/: 1 Time(s)
> //database/: 2 Time(s)
> //db/: 1 Time(s)
> //dba/: 1 Time(s)
> //dbadmin/: 2 Time(s)
> //html/phpMyAdmin/: 1 Time(s)
> //html/phpmyadmin/: 1 Time(s)
> //lamp/phpmyadmin/: 1 Time(s)
> //myadmin/: 1 Time(s)
> //mydatabase/: 1 Time(s)
> //mydb/: 1 Time(s)
> //myphp/: 1 Time(s)
> //mysql-admin/: 1 Time(s)
> //mysql/: 1 Time(s)
> //mysqladmin/: 2 Time(s)
> //mysqlmanager/: 1 Time(s)
> //phpMyAdmin-2.8.0.2/: 1 Time(s)
> //phpMyAdmin-2.8.1-rc1/: 1 Time(s)
> //phpMyAdmin-2.8.1/: 1 Time(s)
> //phpMyAdmin-2.8.2/: 1 Time(s)
> //phpMyAdmin/: 1 Time(s)
> //phpadm/: 2 Time(s)
> //phpma/: 1 Time(s)
> //phpmanager/: 1 Time(s)
> //phpmy/: 2 Time(s)
> //phpmyadmin/: 1 Time(s)
> //pma/: 1 Time(s)
> //pmaadmin/: 1 Time(s)
> //pmadmin/: 1 Time(s)
> //sql/: 1 Time(s)
> //sqladmin/: 2 Time(s)
> //sqldatabase/: 2 Time(s)
> //sqlmanager/: 1 Time(s)
> //sqlweb/: 1 Time(s)
> //typo3/phpmyadmin/: 1 Time(s)
> //webadmin/: 1 Time(s)
> //webdb/: 1 Time(s)
> //websql/: 1 Time(s)
> //wp-content/plugins/phpMyAdmin/: 1 Time(s)
> //wp-content/plugins/wp-phpmyadmin/: 1 Time(s)
> //xampp/phpmyadmin/: 1 Time(s)
> 
> So I turned on Apache ReWrite and I created a file and I put in rules like: (just a small subset)
> 
> RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmy(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpma [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmyadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpgadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phppgadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmyadmin(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/php\-my\-admin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/php\-myadmin [NC,OR] 
> RewriteCond %{REQUEST_URI} ^/phpmy\-admin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmanager [NC,OR]
> RewriteCond %{REQUEST_URI} ^/player(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/plugins [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pma [NC,OR]
> RewriteCond %{REQUEST_URI} ^/p/m/a [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pmadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/pmaadmin [NC,OR]
> RewriteCond %{REQUEST_URI} ^/scripts [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sd(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sql [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sqladmin [NC,OR]
> 
> and if one of these is hit I use a Rule of:
> 
> RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]
> 
> Every day I look at the LogWatch e-mail, add the ones people are trying to hit, and restart Apache.
> 
> This yields a few questions.
> 
> 1. Am I being too paranoid by doing this? My logic is they don't belong here, and I would get mad if someone walked up to my apartment and tried jiggling the door handle to see if it was unlocked. 

Well, yes.  There is a simpler way -- Apache does have an 'error page'
handler, where you can customize your 404 page or how Apache responds
to a 'page not found' error.  Doing the redirect is not really going to
solve anything anyway.  Most (all?) of these accesses are from a
program -- a kind of 'bad' robot, which is probably going to ignore the
301 status and come to the conclusion that these URIs are actually
working and report success to its (human) master.  That will open you
up for more (automated) attacks and/or piss off the human hacker, who
will just come up with more and nastier attacks or maybe just launch a
DoS attack for spite.  You are better off just letting Apache handle
these as 404.  Imagine you have a storefront and people come by after
hours and see the lights off and the closed sign -- people will go away
and come back later.  Imagine that the lights are on and there is no
closed sign, and instead you have some poor clerk there answering the
door telling people to go away.  That is likely to cause more trouble,
since people will just come back in 5-10 minutes and ask if the store
is open now.  Or worse, wait around until there is some indication that
the store is open.

> 
> 2. I know I can simplify these rules. Wouldn't RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR] get most of the attempts for things like /php, /php-myadmin, /phpmyadmin-2.0.8.8, etc.?
> 
> 3. Is there a better way to write these rules?
> 
> 4. Why does LogWatch show this to me as a 404, when a rewrite rule is hit and they are redirected back to themselves? My rules seem to be working; if I try to hit /scripts right now, it does what I expect. 

Question: are you using virtual hosts?  If so, then the 'visitors' are
either NOT sending HTTP 1.1 headers or not using the virtual host name.

> 
> Can anyone shed some light for me on my thoughts/questions?
> 

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
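The thread's advice boils down to: leave the scanner's requests as plain 404s and just watch the log for them rather than redirecting. The following is an added example, not code from the thread or from CentOS, Apache or LogWatch; it is a small Python script that reads Apache 'combined' format access-log lines, reproduces the per-path 404 count LogWatch presents, matches each missing path against a single consolidated pattern covering the phpMyAdmin-style names listed above (answering question 2 without the long RewriteCond list, and without the over-broad ^/php(.*) that would also catch a real /php-app/), and flags client addresses that requested several different missing admin paths. The sample log lines, the documentation-range addresses in them and the "three distinct probes" threshold are all constructed assumptions.

```python
"""Summarise 404 probe traffic from an Apache access log.

Added example, not code from the CentOS thread. It reads Apache 'combined'
format log lines (the sample lines below are constructed), reproduces the
per-path 404 count that LogWatch shows, matches each missing path against
one consolidated pattern covering the phpMyAdmin-style names listed in the
thread, and reports which client addresses look like automated scanners.
The scanner threshold is an assumption.
"""
import re
from collections import Counter, defaultdict

# Apache 'combined' LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# One pattern in place of the thread's long RewriteCond list. Anchored at the
# start of the path and case-insensitive (mod_rewrite's [NC]). It is kept
# narrower than the thread's ^/php(.*): that prefix would also match a real
# application living under /php-app/, this alternation does not.
PROBE_RE = re.compile(
    r'^/+(?:'
    r'php-?my-?admin[^/]*|phpma|pma(?:admin)?|pmadmin|myadmin|phpadm(?:in)?'
    r'|(?:my)?sql(?:admin|manager|web)?|(?:my|web)?db(?:admin)?'
    r'|(?:my)?database|webadmin|phpmanager'
    r')(?:/|$)',
    re.IGNORECASE,
)

# Constructed sample log (documentation address ranges, not real clients).
SAMPLE_LOG = """
198.51.100.7 - - [08/May/2011:03:14:07 +0000] "GET //phpMyAdmin/ HTTP/1.0" 404 286 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2011:03:14:08 +0000] "GET //pma/ HTTP/1.0" 404 286 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2011:03:14:08 +0000] "GET //mysqladmin/ HTTP/1.0" 404 286 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2011:03:14:09 +0000] "GET //db/ HTTP/1.0" 404 286 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2011:03:14:10 +0000] "GET //phpMyAdmin-2.8.1/ HTTP/1.0" 404 286 "-" "Mozilla/4.0"
203.0.113.5 - - [08/May/2011:09:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [08/May/2011:09:02:15 +0000] "GET /php-app/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
192.0.2.44 - - [08/May/2011:11:40:02 +0000] "GET //sqladmin/ HTTP/1.0" 404 286 "-" "-"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def summarize_404s(lines):
    """Per-path count of 404 responses, the same view LogWatch presents."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec['status'] == 404:
            counts[rec['path']] += 1
    return counts


def is_probe_path(path):
    """True if the path is one of the database-admin names scanners try."""
    return PROBE_RE.match(path) is not None


def find_scanners(lines, min_distinct_paths=3):
    """Map client address -> sorted probe paths, for clients that requested
    at least min_distinct_paths different missing admin paths."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] != 404:
            continue
        if is_probe_path(rec['path']):
            seen[rec['host']].add(rec['path'])
    return {h: sorted(p) for h, p in seen.items() if len(p) >= min_distinct_paths}


if __name__ == '__main__':
    for path, n in sorted(summarize_404s(SAMPLE_LINES).items()):
        print(f'{path}: {n} Time(s)')
    for host, paths in find_scanners(SAMPLE_LINES).items():
        print(f'scanner {host}: {len(paths)} distinct admin probes')
```

Run it as-is to see the LogWatch-style summary for the constructed lines, or replace SAMPLE_LINES with the lines of a real access_log. It only reports; in line with the reply above, the server keeps answering these requests with its normal 404 page, and the per-client view tells you whether the hits are one automated sweep or many separate visitors.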