Thomas asked:
Blocking directory and file scan with Fail2Ban

Hi,

I am trying to block some common directory scans and file scans
For example:

[Wed Jul 29 03:46:46 2015] [client 93.174.93.146] File does not exist: /htdocs/phpMyAdmin
or
[Sat Jul 11 07:08:24 2015] [client 93.88.143.179] script 'htdocs/scripts/setup.php' not found or unable to stat

As you see, one is a directory /phpMyAdmin/ and the other is a file setup.php

I did find what I am looking for, but I am a bit confused because I found 3 different syntaxes and am not sure which one is right. So my question would be: which one of the 3 below is correct, or maybe there is a better way altogether?

Initially I found this at
http://www.fail2ban.org/wiki/index.php/HOWTO_apache_myadmin_filter

but even there, there are 2 versions and no real comment on which one is actually right or whether one is better than the other.

failregex = [[]client <HOST>[]] File does not exist: /\S*phpmyadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*PMA*
            [[]client <HOST>[]] File does not exist: /\S*pma*
            [[]client <HOST>[]] File does not exist: /\S*admin*
            [[]client <HOST>[]] File does not exist: /\S*dbadmin*
            [[]client <HOST>[]] File does not exist: /\S*sql*
            [[]client <HOST>[]] File does not exist: /\S*mysql*
            [[]client <HOST>[]] File does not exist: /\S*myadmin*
            [[]client <HOST>[]] File does not exist: /\S*MyAdmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmyadmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin2*
            [[]client <HOST>[]] File does not exist: /\S*phpMyAdmin-2*
            [[]client <HOST>[]] File does not exist: /\S*php-my-admin*
            [[]client <HOST>[]] File does not exist: /\S*sqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*mysqlmanager*
            [[]client <HOST>[]] File does not exist: /\S*PMA2005*
            [[]client <HOST>[]] File does not exist: /\S*pma2005*
            [[]client <HOST>[]] File does not exist: /\S*phpmanager*
            [[]client <HOST>[]] File does not exist: /\S*php-myadmin*
            [[]client <HOST>[]] File does not exist: /\S*phpmy-admin*
            [[]client <HOST>[]] File does not exist: /\S*webadmin*
            [[]client <HOST>[]] File does not exist: /\S*sqlweb*
            [[]client <HOST>[]] File does not exist: /\S*websql*
            [[]client <HOST>[]] File does not exist: /\S*webdb*
            [[]client <HOST>[]] File does not exist: /\S*mysqladmin*
            [[]client <HOST>[]] File does not exist: /\S*mysql-admin*
            [[]client <HOST>[]] File does not exist: /\S*testproxy*
            [[]client <HOST>[]] File does not exist: /\S*OwnCloud*
            [[]client <HOST>[]] File does not exist: /\S*owncloud*
            [[]client <HOST>[]] File does not exist: /\S*wp-login*
            [[]client <HOST>[]] File does not exist: /\S*wp-content*
            [[]client <HOST>[]] File does not exist: /\S*vtigercrm*

or

failregex = ^<HOST>.*GET.*(?i)admin.*
            ^<HOST>.*GET.*(?i)manager.*
            ^<HOST>.*GET.*(?i)setup.*
            ^<HOST>.*GET.*(?i)mysql.*
            ^<HOST>.*GET.*(?i)sqlweb.*
            ^<HOST>.*GET.*(?i)webdb.*
            ^<HOST>.*GET.*(?i)pma.*
            ^<HOST>.*GET.*(?i)vtigercrm.*
            ^<HOST>.*GET.*(?i)phpmyadmin.*
            ^<HOST>.*GET.*(?i)phpMyAdmin.*
            ^<HOST>.*GET.*(?i)myadmin.*
            ^<HOST>.*GET.*(?i)testproxy.*
            ^<HOST>.*GET.*(?i)bootstrap.*
            ^<HOST>.*GET.*(?i)OwnCloud.*
            ^<HOST>.*GET.*(?i)owncloud.*
            ^<HOST>.*GET.*(?i)admin.*
            ^<HOST>.*GET.*(?i)wp-login.*
            ^<HOST>.*GET.*(?i)wp-content.*
            ^<HOST>.*GET.*(?i)w00tw00t.*

or

failregex = <HOST>.*\"GET\ /*w00tw00t\.at\..*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*MyAdmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*PhpMyAdmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*admin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*pma.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*phpMyAdmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*phpMyAdmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*myadmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*mysql.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*phpadmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*webadmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*user/soapCaller\.bs.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*webdav.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*.*/admin/login\.php.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*p/m/a/.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*.*/scripts/setup\.php.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*.*/scripts/setup\.php\ HTTP.*\"\ .*\d{3}\ \d*
            <HOST>.*\"GET\ /*php-my-admin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*php-myadmin.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*sqlmanager.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*sqlweb.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*Horde.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*horde.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ http://.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ ftp://.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ https://.*\ HTTP.*\"\ .*\d{3}
            <HOST>.*\"GET\ /*.*/*bin/msgimport\ HTTP.*\"\ .*\d{3}

I know that some have more or less, but the main issue I have is which is the right way. Also, what confuses me is that they specify the syntax with things like phpMyAdmin.*, but people do not scan for a file only; they scan for a directory and a file. So I wonder what the right syntax is to block a file like setup.* and a directory like /phpMyAdmin/.

Thank you for the assistance.

Best wishes,
thomas
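The three failregex sets above are written for two different log files, which is the main source of the confusion. Set 1 matches Apache's error_log ("[client IP] File does not exist: ..."), while sets 2 and 3 match the access_log (combined format, client IP first). The script below is an added example, not part of the question, the fail2ban wiki page, or the accepted answer: it expands fail2ban's <HOST> tag the way fail2ban 0.9/0.10 does (the exact expansion is an assumption reproduced here so plain Python `re` can be used), runs a few lines from each set over constructed error_log and access_log lines, and then shows a tighter error_log pattern that treats the probe name as a whole path segment so that both the directory /phpMyAdmin and the file setup.php are caught. The Apache 2.4-style line (":port" after the client address and an "AHxxxxx:" message code) is likewise constructed for the example.

```python
import re

# fail2ban replaces the <HOST> tag with its own host regex before compiling a
# failregex. This is the expansion used by fail2ban 0.9/0.10 (assumption: later
# releases may differ in detail), reproduced here so the patterns can be tried
# with plain `re`, outside fail2ban.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(pattern):
    """Turn one failregex line into a compiled Python regex, as fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def banned_hosts(failregexes, lines):
    """Hosts that at least one failregex counts a failure for on the given lines.

    fail2ban applies re.search to each line (after stripping the timestamp it
    matched), so search semantics are used here too.
    """
    compiled = [compile_failregex(p) for p in failregexes]
    hits = set()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.add(m.group("host"))
                break
    return hits


# Constructed sample lines. The first two error_log lines copy the ones in the
# question (Apache 2.2 format); the other two are harmless 404s. The access_log
# lines are what the same requests, plus a legitimate page view, look like in
# Apache's combined format.
ERROR_LOG = [
    "[Wed Jul 29 03:46:46 2015] [client 93.174.93.146] File does not exist: /htdocs/phpMyAdmin",
    "[Sat Jul 11 07:08:24 2015] [client 93.88.143.179] script 'htdocs/scripts/setup.php' not found or unable to stat",
    "[Sat Jul 11 07:09:00 2015] [client 10.0.0.5] File does not exist: /htdocs/favicon.ico",
    "[Sat Jul 11 07:10:00 2015] [client 10.0.0.6] File does not exist: /htdocs/img/pmap-overlay.png",
]
# Constructed Apache 2.4-style line: client address carries a port, message has an AH code.
ERROR_LOG_24 = [
    "[Wed Jul 29 03:50:00.123456 2015] [core:error] [pid 4242] [client 1.2.3.4:51234] AH00128: File does not exist: /var/www/phpMyAdmin/scripts/setup.php",
]
ACCESS_LOG = [
    '93.174.93.146 - - [29/Jul/2015:03:46:46 +0800] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '93.88.143.179 - - [11/Jul/2015:07:08:24 +0800] "GET /scripts/setup.php HTTP/1.1" 404 210 "-" "ZmEu"',
    '10.0.0.5 - - [11/Jul/2015:07:09:00 +0800] "GET /blog/article-about-admin-tools HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# A few lines from each of the three sets in the question, verbatim.
SET1_ERROR_LOG = [
    r"[[]client <HOST>[]] File does not exist: /\S*phpMyAdmin*",
    r"[[]client <HOST>[]] File does not exist: /\S*pma*",
    r"[[]client <HOST>[]] File does not exist: /\S*admin*",
    r"[[]client <HOST>[]] File does not exist: /\S*mysql*",
]
# Set 2 as posted puts (?i) in the middle of the pattern; Python 3.11+ refuses to
# compile that, so the flag is moved to the front here. The matching is unchanged.
SET2_ACCESS_LOG = [
    r"(?i)^<HOST>.*GET.*admin.*",
    r"(?i)^<HOST>.*GET.*setup.*",
    r"(?i)^<HOST>.*GET.*phpmyadmin.*",
]
SET3_ACCESS_LOG = [
    r"<HOST>.*\"GET\ /*phpMyAdmin.*\ HTTP.*\"\ .*\d{3}",
    r"<HOST>.*\"GET\ /*admin.*\ HTTP.*\"\ .*\d{3}",
    r"<HOST>.*\"GET\ /*.*/scripts/setup\.php.*\ HTTP.*\"\ .*\d{3}",
]

# Tightened error_log patterns written for this example (not from the wiki).
# The probe name must be a whole path segment, so the directory "phpMyAdmin",
# the file "setup.php" and a nested "/phpMyAdmin/scripts/setup.php" all match,
# while "pmap-overlay.png" does not. (?::\d+)? accepts the ":port" and
# (?:AH\d+: )? the message code that Apache 2.4 adds to error_log lines.
PROBE = r"(?:php-?my-?admin|pma|myadmin|mysqladmin|setup\.php|w00tw00t)"
TIGHT_ERROR_LOG = [
    r"(?i)\[client <HOST>(?::\d+)?\] (?:AH\d+: )?File does not exist: \S*/" + PROBE + r"(?:/|$)",
    r"(?i)\[client <HOST>(?::\d+)?\] (?:AH\d+: )?script '\S*/" + PROBE + r"' not found or unable to stat",
]

if __name__ == "__main__":
    for name, patterns, log in [
        ("set 1 on error_log", SET1_ERROR_LOG, ERROR_LOG),
        ("set 1 on Apache 2.4 error_log", SET1_ERROR_LOG, ERROR_LOG_24),
        ("set 2 on access_log", SET2_ACCESS_LOG, ACCESS_LOG),
        ("set 3 on access_log", SET3_ACCESS_LOG, ACCESS_LOG),
        ("tightened on error_log", TIGHT_ERROR_LOG, ERROR_LOG),
        ("tightened on Apache 2.4 error_log", TIGHT_ERROR_LOG, ERROR_LOG_24),
    ]:
        print(f"{name}: {sorted(banned_hosts(patterns, log))}")
```

What the run shows: set 1 only ever sees "File does not exist" lines, so the setup.php probe (logged as "script '...' not found or unable to stat") is never counted, and its trailing `*` applies to the last character only (`pma*` really means `pm`), so the innocent 404 on pmap-overlay.png is counted instead; it also stops matching entirely on Apache 2.4 error_log lines because of the ":port" after the client address. Set 2 matches "admin" anywhere in the request line, so a legitimate page view with "admin" in the URL counts as a failure, and with `(?i)` placed mid-pattern it does not compile on Python 3.11 or newer. Set 3 anchors the probe right after "GET /" and is the tightest of the three, but it only works if the jail's logpath is the access_log. Whichever you choose, point the jail at the log file the pattern was written for and check it with fail2ban's own tool, `fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/yourfilter.conf`, before enabling the ban; the number of hits a client gets before the ban is the jail's maxretry setting.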
ASKER CERTIFIED SOLUTION by hielo
This solution is only available to members.

Thomas (asker) replied:
Thank you Hielo for your guidance.
I was not sure which one is correct. I guess it is working now; I still have these in my log, but I guess this is because they can hit them 5 times before they are blocked. So I think all is set.

Thank you very much