Dima Iva

asked on

How to block malicious PHP file requests in Apache on Windows?

Greetings!

We have an Apache server running in XAMPP on Windows.  Our Apache error.log is full of things like this:

[Mon Feb 03 18:01:58.011720 2020] [php7:error] [pid 5832:tid 1844] [client 193.112.9.107:10583] script 'C:/xampp/htdocs/journal/uuu.php' not found or unable to stat
[Mon Feb 03 18:01:58.605480 2020] [php7:error] [pid 5832:tid 1844] [client 193.112.9.107:10710] script 'C:/xampp/htdocs/journal/yyy.php' not found or unable to stat

And the php_error_log reflects it like:

[03-Feb-2020 18:01:35] ojs2: 404 Not Found
[03-Feb-2020 18:01:37] ojs2: 404 Not Found

It doesn't seem to be a huge problem, but it clogs log files and probably increases server load.

Is there a way on a Windows machine to either block bad IPs like fail2ban does on Linux, or to simply block PHP requests (since our site has no PHP files anyway)?
ASKER CERTIFIED SOLUTION
David Favor
This solution is only available to members.
This sort of thing is typical on most web servers. At my old job, the number one most requested file was the WordPress login page. It got bombarded every day by hackers, most likely running script bots to comb for login pages and then flood them with logins to try and guess the password. It's super annoying. It doesn't hurt to block those repeat offenders, but it's going to keep coming from different directions. I doubt that it would have much impact on server performance or bandwidth, though. Are you experiencing performance issues?
I keep a 404 log on the web sites I support.  It is not unusual to get the same request from multiple IP addresses.  Next week they will come from different IP addresses.
Dima Iva

ASKER

Thank you, I will give a try to wail2ban (a fail2ban Windows port) as suggested by David, but will keep William and Dave's comments in mind.
Fail2Ban - Unsung hero of the net.

Most Linux Distros install Fail2Ban now by default, with several basic recipes enabled, like SSH brute force login attack blocking.

Other common recipes are blocking WordPress logins (wp-admin + xmlrpc) along with blocking user enumeration attacks.

Once you start using Fail2Ban, you'll likely find many applications for its use.
You're welcome!
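
The kind of check a log-watching blocker performs on the error.log format quoted in the question, shown as an added example (not code from any poster in this thread, and not taken from fail2ban or wail2ban): it parses the php7 "not found" entries and reports clients that exceed a miss threshold inside a sliding time window. The names `parse_line`, `find_offenders`, `max_retry` and `find_time_s` are hypothetical, and the sample log is constructed with documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# php7 "script not found" entries, in the error.log format quoted in the question.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[php7:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] "
    r"script '(?P<path>[^']+\.php)' not found or unable to stat")

def parse_line(line):
    """Return (timestamp, client_ip, script_path), or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    return ts, m.group("ip"), m.group("path")

def find_offenders(lines, max_retry=5, find_time_s=600):
    """Map each client with >= max_retry misses inside find_time_s to its peak count."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the sliding window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _path = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > find_time_s:
            window.popleft()
        if len(window) >= max_retry:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders

# Constructed sample log; client addresses are documentation ranges, not real hosts.
_T = ("[Mon Feb 03 {t} 2020] [php7:error] [pid 5832:tid 1844] [client {ip}:{port}] "
      "script 'C:/xampp/htdocs/journal/{f}.php' not found or unable to stat")
SAMPLE_LOG = [
    _T.format(t="12:00:00.000000", ip="192.0.2.44", port=4001, f="a"),
    _T.format(t="15:00:00.000000", ip="192.0.2.44", port=4002, f="b"),
    _T.format(t="18:01:58.011720", ip="198.51.100.7", port=10583, f="uuu"),
    _T.format(t="18:01:58.605480", ip="198.51.100.7", port=10710, f="yyy"),
    _T.format(t="18:01:59.120000", ip="198.51.100.7", port=10822, f="zzz"),
    "[Mon Feb 03 18:02:10.000000 2020] [core:notice] [pid 5832:tid 600] constructed unrelated entry",
    _T.format(t="18:30:00.000000", ip="192.0.2.44", port=4003, f="c"),
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG, max_retry=3))
```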