From: Forrest A. <fo...@fo...> - 2009-02-05 19:05:29

I have the same problem -- my method of blocking is visually doing "tail -F access.log" and putting filters in. To use SSHGuard for this, you'd have to implement pattern searches for the specific attacks... might be okay for a few, annoying for more than that. I think something like mod_security may help in this case (though I've never used it). I tried to figure out how the lex stuff works for implementing my own patterns, but alas I'm not a programmer -- if someone can explain it, I'd love to do a few things with it.

_F

Hans F. Nordhaug wrote:
> The last months the bots looking for vulnerable web apps on my servers
> have increased in number and intensity. I guess you all have entries
> like these in your log files:
>
> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
> 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
>
> I wonder if someone has already tried to use SSHguard to
> block this annoying traffic (in addition to brute force SSH attacks)?
> Or could someone give me a hint about how to get started on
> setting this up (without breaking the existing SSH blocking)?
>
> Regards,
> Hans
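
The burst of 404s in the quoted log excerpt can be detected by its shape (many distinct missing paths from one client in a few seconds) instead of one pattern per probed path. The sketch below is an added example, not part of the original thread and not SSHGuard code; the name `find_scanners`, the threshold and window defaults, and the `192.0.2.10` lines are constructed for illustration, and it assumes chronologically ordered Apache common/combined-format input.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of an Apache common/combined log line: client, timestamp, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_scanners(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: sorted probed paths} for clients that drew `threshold` or
    more 404s on distinct paths inside one sliding `window`."""
    recent = defaultdict(deque)      # ip -> (timestamp, path) of recent 404s
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue                 # unparseable lines and non-404s are ignored
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, m["path"]))
        while ts - q[0][0] > window: # drop 404s that fell out of the window
            q.popleft()
        paths = {p for _, p in q}
        if len(paths) >= threshold:
            flagged.setdefault(m["ip"], set()).update(paths)
    return {ip: sorted(p) for ip, p in flagged.items()}

# First six lines are taken from the quoted excerpt; the 192.0.2.10 lines are
# constructed to show a normal visitor with a single stray 404.
SAMPLE = [
    '74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"',
    '192.0.2.10 - - [02/Feb/2009:10:33:13 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    '192.0.2.10 - - [02/Feb/2009:10:33:20 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE).items():
        print(ip, len(paths), "distinct 404 paths")
```

The returned addresses are candidates for a firewall block list; a threshold that is too low will also catch legitimate crawlers following broken links.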