Looking through apache logs, you'll see lots of people searching for vulnerabilities:
[error] [client 109.169.62.102] File does not exist: /var/www/database
[error] [client 199.71.213.70] File does not exist: /var/www/phpmyadmin
[error] [client 199.71.213.70] File does not exist: /var/www/phpMyAdmin
[error] [client 199.71.213.70] File does not exist: /var/www/PHPmyadmin
[error] [client 199.71.213.70] File does not exist: /var/www/pma
[error] [client 200.1.192.31] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[error] [client 82.192.66.72] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[error] [client 123.30.109.21] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[error] [client 146.48.80.154] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
I am using fail2ban to watch the apache error logs and dynamically add iptables rules. I've had some success, but given that there are certain errors that: 1) I frequently see in the logs; 2) I know I should never see, I'm using the iptables pattern matching to filter the packet before it even hits Apache.
The technique is well documented here. The key line is:

# iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp \
    --dport 80 -m string --to 70 --algo bm --string \
    'GET /w00tw00t.at.ISC.SANS.' -j DROP

This will match an HTTP request for the file /w00tw00t.at.ISC.SANS., which is used in vulnerability scans. The linked page goes into even more detail on how to specify which packets to inspect (e.g. excluding TCP SYN connection-request packets, which carry no HTTP data).
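To make the two halves of the approach concrete (counting scanner hits per client in the error log the way a fail2ban filter would, and the bounded search window of the iptables string match), here is an added example. It is not code from the original post or from fail2ban/iptables; the log lines are constructed in the style of the ones shown above, and the list of "never legitimately requested" paths is my assumption for this site. The string-match simulation only models the `--to` window over the HTTP request line; in the kernel the offset is counted from the start of the packet as the string module sees it, headers included, so treat the exact width of the usable window as an assumption.

```python
import re
from collections import Counter

# Constructed sample of Apache error-log lines (same format as the post's examples).
SAMPLE_LOG = """\
[error] [client 109.169.62.102] File does not exist: /var/www/database
[error] [client 199.71.213.70] File does not exist: /var/www/phpmyadmin
[error] [client 199.71.213.70] File does not exist: /var/www/phpMyAdmin
[error] [client 199.71.213.70] File does not exist: /var/www/PHPmyadmin
[error] [client 199.71.213.70] File does not exist: /var/www/pma
[error] [client 200.1.192.31] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""

DOCROOT = "/var/www"

# One "File does not exist" error line: capture the client IP and the path.
LINE_RE = re.compile(r"\[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)")

# Assumed signature list: paths (relative to DocumentRoot) this site never serves,
# so a request for them is a scanner probe.  Case-insensitive, as the log shows
# phpmyadmin / phpMyAdmin / PHPmyadmin variants.
SCANNER_PATHS = re.compile(r"^/(phpmyadmin|pma)(/|$)|^/w00tw00t\.", re.IGNORECASE)


def parse_line(line):
    """Return (client_ip, path relative to DOCROOT) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    if path.startswith(DOCROOT):
        path = path[len(DOCROOT):]
    return m.group("ip"), path


def scan_hits(log_text):
    """Count scanner-signature requests per client IP, like a fail2ban failregex."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and SCANNER_PATHS.search(parsed[1]):
            hits[parsed[0]] += 1
    return hits


def ips_to_ban(hits, maxretry=1):
    """fail2ban-style threshold: an IP is banned once it reaches maxretry hits."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


def string_match(payload, pattern, to=70):
    """Model of `-m string --to N --string PATTERN`: the whole pattern must lie
    inside the first N bytes of the data the module inspects, else no match."""
    return pattern in payload[:to]


if __name__ == "__main__":
    hits = scan_hits(SAMPLE_LOG)
    print("scanner hits:", dict(hits))
    print("ban with maxretry=2:", ips_to_ban(hits, maxretry=2))
    rule = b"GET /w00tw00t.at.ISC.SANS."
    print(string_match(b"GET /w00tw00t.at.ISC.SANS. HTTP/1.1\r\n", rule))
    # The log above shows a different w00tw00t variant, which this rule ignores:
    print(string_match(b"GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1\r\n", rule))
```

Two things the run makes visible: the iptables string in the post is specific to the ISC.SANS variant, so the blackhats.romanian variant that appears in this log would still reach Apache and has to be caught by the fail2ban filter (or a second `-m string` rule); and a pattern that does not fit inside the `--to` window never matches, so keep the string short and anchored at the start of the request.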