  1. #1 SitePoint Member

    Permanent Redirects In httpd.conf OK?

    So, here's a summary of what I have been seeing in my Apache logs. Several times per day I have different IPs scanning the various sites on my server looking for site-level login pages for phpMyAdmin and the like. This is slamming Apache and taking it down periodically.

    The short list of dirs they are trying to find are: /MyAdmin, /phpMyAdmin, /phpmyadmin, /admin, /db, /dbadmin, /myadmin, /mysql, /mysqladmin, /pma, /scripts, /sqlweb, /web, /webadmin, /webdb, /websql, /htdocs, /webdav, and a few others.

    I do not run any of the above dirs at the site level (and recommend you don't either!) on any of the sites. The attempts have been made on each site (30+ on this box), so I decided, instead of fiddling with each of the sites' .htaccess files, to simply write permanent redirects in httpd.conf so that the requests are immediately bounced away. Examples of what I have added to httpd.conf are:

    Code:
    Redirect permanent /admin http://google.com
    Redirect permanent /db http://google.com
    Redirect permanent /dbadmin http://google.com
    Redirect permanent /myadmin http://google.com
    Redirect permanent /mysql http://google.com
    Here's my question. Should I be redirecting in this manner or is there a better way to bounce/kill this traffic at the front-end of the request?
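The log-watching described in this post can be automated. The following is an added example (mine, not code from the poster or from Apache) that parses Apache combined-format access log lines, maps each request to the probe directory it targets using the list from this post plus the w00tw00t markers that appear later in the thread, and tallies probes per client IP. The log lines inside it are constructed for the example, using documentation-range IP addresses, and are not a real log.

```python
"""Tally scanner probes for the paths listed in this thread from Apache
combined-format access log lines.

Added example for this thread, not code from the poster or from Apache.
The probe list is the one given in post #1 (first path segment,
lowercased, plus the w00tw00t markers from post #9); the log lines
below are constructed, with documentation-range IPs, not a real log.
"""
import re
from collections import Counter

PROBE_DIRS = {
    'myadmin', 'phpmyadmin', 'admin', 'db', 'dbadmin', 'mysql',
    'mysqladmin', 'pma', 'scripts', 'sqlweb', 'web', 'webadmin',
    'webdb', 'websql', 'htdocs', 'webdav',
}

# Constructed sample in the LogFormat "combined" layout quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2013:03:14:07 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 287 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2013:03:14:08 +0000] "GET /pma/ HTTP/1.1" 404 287 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2013:03:14:09 +0000] "GET /mysql/admin/ HTTP/1.1" 404 287 "-" "Mozilla/4.0"
198.51.100.23 - - [12/May/2013:04:02:51 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.55 - - [12/May/2013:04:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/May/2013:04:10:02 +0000] "GET /blog/?page=2 HTTP/1.1" 200 8810 "http://example.org/" "Mozilla/5.0"
198.51.100.23 - - [12/May/2013:04:02:52 +0000] "GET /admin/login.php?x=1 HTTP/1.1" 404 287 "-" "-"
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return {'ip', 'path', 'status'} for one combined-format line, or
    None when the line does not parse as a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')
    if len(parts) < 2:
        return None
    return {'ip': m.group('ip'), 'path': parts[1],
            'status': int(m.group('status'))}


def probe_name(path):
    """Map a request path to the probe directory it targets, or None.

    Matching is on the first path segment, case-insensitively, so
    /phpMyAdmin/scripts/setup.php counts as a phpmyadmin probe. That is
    broader than an exact ^/dir$ RewriteCond, which does not match a
    trailing slash or a deeper path."""
    segment = path.split('?', 1)[0].strip('/').split('/', 1)[0].lower()
    if segment.startswith('w00tw00t'):
        return 'w00tw00t'
    return segment if segment in PROBE_DIRS else None


def scan_log(text):
    """Count probe requests per client IP."""
    hits = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and probe_name(entry['path']):
            hits[entry['ip']] += 1
    return dict(hits)


def offenders(text, threshold=2):
    """IPs with at least `threshold` probes, worst first."""
    return sorted(((ip, n) for ip, n in scan_log(text).items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == '__main__':
    for ip, n in offenders(SAMPLE_LOG):
        print(f'{ip}\t{n} probes')
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the threshold separates a single stray 404 from an address walking the whole list.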

  2. #2 ScallioXTX
    Letting all those people pester Google doesn't seem like the nicest idea to me.

    Take a look at this: Blocking Apache Attacks
    Looks good IMO
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  3. #3 SitePoint Member
    The Google forward is just an example. I actually have it set up to another URL. Would there be a way to simply kill the PID immediately if the attempt is made to those specific dirs?

  4. #4 ScallioXTX
    Not that I know of, no.
    Rémon - Hosting Advisor

  5. #5 SitePoint Member
    I went back and looked very closely at the info link you posted and I think the mod_rewrite on that page would probably do the trick, except that I don't know how to customize it. Here's the code:

    Code:
      
    LoadModule rewrite_module modules/mod_rewrite.so
    
      ...
    
      <IfModule mod_rewrite.c>
        RewriteEngine   on
        RewriteCond     %{HTTP_REFERER}    ^$
        RewriteCond     %{HTTP_USER_AGENT} ^$
        RewriteCond     %{REQUEST_URI}     ^/$
        RewriteRule     ^/.*     http://%{REMOTE_ADDR}/      [L,E=nolog:1]
      </IfModule>
    
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      CustomLog   logs/access_log-www.mydomain.com combined env=!nolog
    So, would I just add separate lines for the 3rd RewriteCond line? Such as:

    Code:
    RewriteCond     %{REQUEST_URI}     ^/myadmin$
    RewriteCond     %{REQUEST_URI}     ^/phpmyadmin$
    RewriteCond     %{REQUEST_URI}     ^/mysql$
    So that the finished set would look like:

    Code:
    LoadModule rewrite_module modules/mod_rewrite.so
    
      ...
    
      <IfModule mod_rewrite.c>
        RewriteEngine   on
        RewriteCond     %{HTTP_REFERER}    ^$
        RewriteCond     %{HTTP_USER_AGENT} ^$
        RewriteCond     %{REQUEST_URI}     ^/myadmin$
        RewriteCond     %{REQUEST_URI}     ^/phpmyadmin$
        RewriteCond     %{REQUEST_URI}     ^/mysql$
        RewriteRule     ^/.*     http://%{REMOTE_ADDR}/      [L,E=nolog:1]
      </IfModule>
    
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      CustomLog   logs/access_log-www.mydomain.com combined env=!nolog
    Or is there a different form/syntax I should be using to ban multiple dirs?

  6. #6 ScallioXTX
    You want to deny access no matter what, so I wouldn't even bother to check referer or useragent, so remove the first two lines.

    RewriteConds are normally ANDed, so if you have 3 conditions Apache will see this as cond1 AND cond2 AND cond3, while you'd want OR, so you need to add the [OR] flag to the RewriteConds.
    Also, it would be nice if the check were case insensitive so it would also match PHPMyAdmin, phpMyAdmin, etc, etc. You can do this by adding the [NC] flag, so you get [NC,OR].

    Code:
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/myadmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
    RewriteRule ^/.* http://%{REMOTE_ADDR}/      [L,E=nolog:1]
    Rémon - Hosting Advisor

  7. #7 SitePoint Member
    Thanks, Rémon. I'll give this a try. What will they see on their end?

  8. #8 SitePoint Member
    The following runs and bounces to the originating IP, but is blocking ALL requests to any directory on all sites. Is the following written correctly?

    Code:
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/myadmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
    RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
    </IfModule>

  9. #9 SitePoint Member
    I got rid of the last OR and it works fine. Here's the final for anyone getting blasted:

    Code:
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Every condition but the last carries [OR]; the last one closes the OR group
    RewriteCond %{REQUEST_URI} ^/qwerty$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/w00tw00t.at.blackhats.romanian.anti-sec:$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/w00tw00t.at.blackhats.romanian.anti-sec$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/w00tw00t.at.ISC.SANS.DFind:$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/MyAdmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/mysqladmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/admin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/db$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/dbadmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/pma$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/scripts$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/sqlweb$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/web$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/webadmin$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/webdb$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/websql$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/htdocs$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/webdav$ [NC]
    # An absolute URL as the substitution makes this an external redirect to the client's own address
    RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
    </IfModule>
    I may set an ENV to track these for a while, but all I want the hackers to do, at this point, is go packing.
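Why the version in post #8 blocked everything and this one does not comes down to how mod_rewrite chains RewriteCond lines. The following is an added example (mine, not code from either poster or from Apache) that models that chaining in Python and doubles as a check you can run over a config snippet before loading it: it parses the RewriteCond lines, flags a trailing [OR], and reports which request URIs would trigger the rule. It assumes Apache's documented semantics for the part of the syntax this thread uses: conditions are ANDed in order, [OR] joins a condition with the one below it, and an [OR] on the final condition has nothing to join, so the rule fires for every request. Only REQUEST_URI and the NC and OR flags are modelled; the two snippets inside it are cut down from posts #8 and #9.

```python
"""Model of how Apache mod_rewrite chains RewriteCond lines.

Added example for this thread; it is not code from the thread's posters
or from Apache. It models only what the thread uses: the REQUEST_URI
variable and the NC and OR flags. Assumed semantics (Apache's documented
behaviour): conditions are ANDed in order, [OR] joins a condition with
the next one, and an [OR] on the very last condition has nothing to
join, so the rule fires for every request. BROKEN and FIXED below are
cut down from posts #8 and #9 of this thread.
"""
import re

# Post #8: every condition, including the last, carries [OR].
BROKEN = """
RewriteCond %{REQUEST_URI} ^/myadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
"""

# Post #9: the last condition closes the OR group with [NC] only.
FIXED = """
RewriteCond %{REQUEST_URI} ^/myadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/mysql$ [NC]
RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
"""

COND_RE = re.compile(
    r'^\s*RewriteCond\s+%\{REQUEST_URI\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$')


def parse_conds(config_text):
    """Return a list of (compiled pattern, or_next) for each RewriteCond."""
    conds = []
    for line in config_text.splitlines():
        m = COND_RE.match(line)
        if not m:
            continue
        pattern, flags = m.group(1), m.group(2) or ''
        flag_set = {f.strip().upper() for f in flags.split(',') if f.strip()}
        rx = re.compile(pattern, re.IGNORECASE if 'NC' in flag_set else 0)
        conds.append((rx, 'OR' in flag_set))
    return conds


def has_trailing_or(conds):
    """Lint check: an [OR] on the final condition makes the rule unconditional."""
    return bool(conds) and conds[-1][1]


def rule_applies(conds, uri):
    """Walk the condition chain the way mod_rewrite does and report
    whether the RewriteRule that follows it would fire for `uri`."""
    i, n = 0, len(conds)
    while i < n:
        rx, or_next = conds[i]
        matched = rx.search(uri) is not None  # RewriteCond patterns are unanchored searches
        if or_next:
            if matched:
                # One member of an OR group matched: skip its remaining
                # members and the non-OR condition that closes the group.
                while i < n and conds[i][1]:
                    i += 1
                i += 1
            else:
                i += 1  # try the next member of the OR group
            continue
        if not matched:
            return False  # an AND condition failed
        i += 1
    return True  # ran off the end: every condition was satisfied


def check(config_text, uris):
    """Return the lint verdict and {uri: fires} for one config snippet."""
    conds = parse_conds(config_text)
    return {
        'trailing_or': has_trailing_or(conds),
        'fires': {u: rule_applies(conds, u) for u in uris},
    }


if __name__ == '__main__':
    probes = ['/', '/index.html', '/PhpMyAdmin', '/mysql', '/phpmyadmin/']
    for name, cfg in (('BROKEN', BROKEN), ('FIXED', FIXED)):
        print(name, check(cfg, probes))
```

Two things the check makes visible: the BROKEN snippet fires for `/index.html` and `/`, while FIXED fires only for the listed names; and because each pattern is anchored as `^/name$`, a request for `/phpmyadmin/` or `/phpmyadmin/index.php` is not caught by either. If you would rather return an error than a redirect, my own suggestion (not from the thread) is a single condition such as `RewriteCond %{REQUEST_URI} ^/(myadmin|phpmyadmin|mysql)(/|$) [NC]` followed by `RewriteRule ^ - [F]`, which answers 403 and sends nothing back toward the client's address.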

  10. #10 ScallioXTX
    Looks good. Nice job
    Rémon - Hosting Advisor

  11. #11 SitePoint Member
    Just wanted to report back. The mod_rewrite (final version above) is working quite slick. I just add directories as attempts are made and I see them in the error log. Word of caution. Please make sure that the dirs you are blocking are not used by sites on your server. Also, it is a good idea to send out a customer service email to let folks know to rename /admin dirs or any commonly named dirs running at the site level. Good luck to all...

