[CentOS] Apache attacks - you can't stop them, or can you?

Wed Mar 6 13:25:05 UTC 2013
Lorenzo Quatrini <lorenzo.quatrini at gmail.com>

On 06/03/2013 14:17, Robert Moskowitz wrote:
> So I have this nice, simple web server up running.  Its purpose is to 
> allow me external testing with HIP, and to provide some files for 
> external distribution.  Of course, there it is sitting on port 80 and 
> the attacks are coming in per logwatch report.  Examples from the report 
> include:
> 
>   Requests with error response codes
>      404 Not Found
>         //phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
>         //phpMyAdmin-2.5.4/scripts/setup.php: 1 Time(s)
>         //phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
>         //phpMyAdmin-2.5.5-rc1/scripts/setup.php: 1 Time(s)
>         //phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
>         /muieblackcat: 1 Time(s)
>         /myadmin/scripts/setup.php: 2 Time(s)
>         /mysql-admin/scripts/setup.php: 1 Time(s)
>         /mysql/scripts/setup.php: 1 Time(s)
>         /mysqladmin/scripts/setup.php: 2 Time(s)
>         /mysqlmanager/scripts/setup.php: 1 Time(s)
> 
> Now these are only a few, though I am probably not being hit as hard as 
> others out there.
> 
> My question is:
> 
> Is there a way to shut this nonsense down?  Or because I am sending the 
> 404, I am doing all that is reasonable to do?
> 
You could use fail2ban to reduce the load on the server; here is my config:

 cat /etc/fail2ban/filter.d/apache-errorcode.conf

# Fail2Ban configuration file
#
# Author: Lorenzo Quatrini
#
# $Revision: 1 $
#

[Definition]

errorcode = 400|403|404

# Option:  failregex
# Notes.:  Regexp to catch bad request
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*" (?:%(errorcode)s)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


> I am wondering that if this list starts getting long, that is a lot of 
> logging and I probably don't need to log 404s?
> 
The "downside" of using fail2ban is that you will start receiving email about
banned hosts; but that is configurable, as is the number of failed attempts
before being banned.
Also you can have "trusted" hosts that never get banned... but the manual
explains this better than I can.

Regards
Lorenzo
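As an added illustration (not part of the mail thread or of fail2ban itself), the following stand-alone script emulates what fail2ban does with the apache-errorcode filter above: it expands `<HOST>` to a capture group, applies the failregex to a few constructed Apache access-log lines, counts matches per host and applies a `maxretry` threshold plus an `ignoreip` list of trusted hosts. The IPv4-only `<HOST>` pattern and the omission of fail2ban's `findtime` window are simplifying assumptions.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with a pattern that captures an IP address or hostname;
# this simplified stand-in (assumption) captures IPv4 addresses only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
ERRORCODE = "400|403|404"   # same value as in the filter's errorcode setting
# Same failregex as the apache-errorcode.conf filter, with %(errorcode)s interpolated.
FAILREGEX = re.compile(r'^' + HOST + r' -.*"(GET|POST).*HTTP.*" (?:' + ERRORCODE + r')')

# Constructed sample lines in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2013:13:01:02 +0000] "GET //phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Mar/2013:13:01:03 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Mar/2013:13:01:04 +0000] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Mar/2013:13:02:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.19"
198.51.100.7 - - [06/Mar/2013:13:02:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.19"
192.0.2.9 - - [06/Mar/2013:13:03:00 +0000] "POST /muieblackcat HTTP/1.0" 404 292 "-" "-"
192.0.2.9 - - [06/Mar/2013:13:03:01 +0000] "GET /mysql/scripts/setup.php HTTP/1.1" 404 292 "-" "-"
192.0.2.9 - - [06/Mar/2013:13:03:02 +0000] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 292 "-" "-"
"""


def matching_hosts(log_text):
    """Count failregex matches per client host, one per matching log line."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def ban_candidates(log_text, maxretry=3, ignoreip=()):
    """Hosts reaching maxretry matches that are not in the trusted ignoreip list.
    fail2ban's findtime window is deliberately left out (assumption for brevity)."""
    hits = matching_hosts(log_text)
    return sorted(h for h, n in hits.items() if n >= maxretry and h not in ignoreip)


if __name__ == "__main__":
    print(dict(matching_hosts(SAMPLE_LOG)))
    print("would ban:", ban_candidates(SAMPLE_LOG))
```

A single 404 for a missing favicon, as with 198.51.100.7 above, stays well under the threshold, which is why `maxretry` matters more than the filter itself for avoiding false bans.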