From: Hans F. N. <Han...@hi...> - 2009-02-05 20:11:33

* Forrest Aldrich <fo...@fo...> [2009-02-05]:
> I have the same problem -- my method of blocking is visually doing "tail
> -F access.log" and putting filters in.
>
> To use SSHGuard for this, you'd have to implement pattern searches for
> the specific attacks... might be okay for a few, annoying for more than
> that. I think something like mod_security may help in this case
> (though I've never used it).

Well, I don't think you have to do it that strictly. I would say that if an
IP is getting many 404 entries (maybe with the added condition of an empty
referrer) in a very short time, it's likely to be a scanning attack.
SSHGuard by default doesn't block for very long, so if it was a legitimate
user hitting refresh like crazy, it wouldn't harm that much.

I'm using mod_security, but I would like to use SSHGuard to 1) get the
burden off Apache and 2) block the IP at the network level, since it
probably will do other unfriendly things.

> I tried to figure out how the lex stuff works for implementing my own
> patterns, but alas I'm not a programmer -- if someone can explain it,
> I'd love to do a few things with it.

I happen to be a programmer, but I hate reinventing the wheel, so I'll wait
some more time before I give it a try myself.

Hans

> Hans F. Nordhaug wrote:
> > The last months the bots looking for vulnerable web apps on my servers
> > have increased in number and intensity. I guess you all have entries
> > like these in your log files:
> >
> > 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
> > 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
> >
> > I wonder if someone has already tried to use SSHguard to
> > block this annoying traffic (in addition to brute force SSH attacks)?
> > Or could someone give me a hint about how to get started on
> > setting this up (without breaking the existing SSH blocking)?
> >
> > Regards,
> > Hans
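The rule Hans proposes above (many 404s with an empty referrer from one IP in a short window, flag the IP) is easy to prototype outside of SSHGuard's lex-based parser. The following is an added example, not code from the thread or from the SSHGuard project: it parses Apache combined-format lines with a sliding per-IP window and reports which IPs crossed a threshold. The regex, the threshold and window defaults, and the two benign lines from 192.0.2.10 and 198.51.100.7 are my assumptions; the scanner lines are the ones quoted in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: the two trailing quoted fields are the
# referrer and the user agent. An empty referrer is logged as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, threshold=10, window_seconds=10, require_empty_referrer=True):
    """Map each IP that produced >= threshold qualifying 404s within
    window_seconds to the timestamp at which it first crossed the threshold.
    Threshold and window are assumed values, not SSHGuard defaults."""
    recent = defaultdict(deque)   # ip -> timestamps of recent qualifying 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if require_empty_referrer and rec["referrer"] != "-":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Evict hits that fell out of the sliding window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


# Sample input: the 15 scanner lines quoted in the post, interleaved with two
# constructed benign requests (a 200, and a 404 that carries a referrer).
SAMPLE_LOG = [
    '74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"',
    '192.0.2.10 - - [02/Feb/2009:10:33:13 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"',
    '198.51.100.7 - - [02/Feb/2009:10:33:14 +0100] "GET /old-page.html HTTP/1.1" 404 290 "http://example.com/" "Mozilla/5.0"',
    '74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"',
    '74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"',
]

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} crossed the 404 threshold at {when.isoformat()}")
```

With the defaults, 74.63.252.86 is flagged at its tenth 404 (10:33:15); the browser that hit one stale link with a referrer is not, which is the point of the empty-referrer condition. A short block duration, as Hans notes for SSHGuard, limits the cost of a false positive from a user hammering refresh; the output of a tool like this would be handed to whatever blocker already manages the firewall rather than touching the rules itself.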