Security issue - Tired of seeing "GET /phpMyAdmin-2.6.0" in logs

[jols]

I am tired of spineless hackers trying to get at phpMyAdmin. I am seeing tons of entries like this in the apache logs each and every day:

72.148.168.226 - - [05/Apr/2006:17:01:32 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:33 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:33 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:34 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:34 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:34 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:35 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:02:14 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:02:15 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:02:15 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:02:16 -0500] "GET /PMA/main.php HTTP/1.0" 404 -


Usually goes on for 50 to 200 lines at a throw. Then another IP comes in and tries to do the same thing.

I would hope that the brute force detection thing we installed would do the trick here, but no dice. Does anyone know how I can tweak BFD or perhaps PortSentry to stop this stuff cold?

[WEB-PROS]

Well you could just make that link redirect people to some other page, then people would see you have stopped them and give up on the first try. This can all be done through cpanel and redirects for your domain. Hope it helps, i don't really know much about the bfd config file.

[jayh38]

BFD probably wouldnt help in this case as these are not login attempts but file/page requests.

Adding these addresses to a firewall would cause more hassles as they constantly and relentlessly change. Their goal may be to get your firewall or other services to hang up by maxing out your IP tent as well.

Are you running mod_security with a good basic ruleset?

Also, be sure to enable php open_basedir tweak is setup as well.

If you are getting up to 200 connections from a single ip before they rotate to the next IP, then you might want to look at flood protection or perhaps setting max connections from a single IP to a certain limit.

One of the better solutions would be finding a provider that offers this type of hardware firewall protection instead.

[serversphere]

Look in /usr/local/bfd and find the 'pattern.auth' file. These strings are what BFD uses when it greps the log files. You can add strings and expressions here to tweak BFD to act on any string/regular expression you need. In your case, something like '[Pp][Hh][Pp].*HTTP.*404..' (reg expressions not my forte!) would probably do the trick.

*edit*

Keep in mind that this will ban IPs that get multiple 404s when looking for php files - this might cause unwanted bans so use with caution!! Not tested and I guarantee nothing.