Banning phpMyAdmin and w00tw00t bots with Fail2ban

Very regularly, my Logwatch reports contain dozens of 404 errors generated by bots trying to find a phpMyAdmin installation, or simply any hole in the web server.

Here is an example of a daily report:

Requests with error response codes
    400 Bad Request
       /: 3 Time(s)
       /w00tw00t.at.ISC.SANS.DFind:): 3 Time(s)
    404 Not Found
       /phpMyAdmin: 5 Time(s)
       //phpMyAdmin/index.php: 3 Time(s)
       //phpmyadmin/index.php: 3 Time(s)
       /MyAdmin/scripts/setup.php: 3 Time(s)
       /PMA/main.php: 3 Time(s)
       /admin/main.php: 3 Time(s)
       /db/main.php: 3 Time(s)
       /myadmin/main.php: 3 Time(s)
       /myadmin/scripts/setup.php: 3 Time(s)
       /mysql-admin/main.php: 3 Time(s)
       /mysql/main.php: 3 Time(s)
       /mysqladmin/main.php: 3 Time(s)
       /phpMyAdmin/main.php: 3 Time(s)
       /phpMyAdmin/scripts/setup.php: 3 Time(s)
       /phpmyadmin/main.php: 3 Time(s)
       /phpmyadmin/scripts/setup.php: 3 Time(s)
       /pma/scripts/setup.php: 3 Time(s)
       /sqlweb/main.php: 3 Time(s)
       /w00tw00t.at.blackhats.romanian.anti-sec:): 3 Time(s)
       /web/main.php: 3 Time(s)
       /webadmin/main.php: 3 Time(s)
       /webdb/main.php: 3 Time(s)
       /websql/main.php: 3 Time(s)
       //admin/phpmyadmin/index.php: 2 Time(s)
       //admin/pma/index.php: 2 Time(s)
       //db/index.php: 2 Time(s)
       //myadmin/index.php: 2 Time(s)
       //mysql/index.php: 2 Time(s)
       //mysqladmin/index.php: 2 Time(s)
       //php-my-admin/index.php: 2 Time(s)
       //phpMyAdmin-2.5.5-rc1/index.php: 2 Time(s)
       //phpMyAdmin-2/index.php: 2 Time(s)
       //phpadmin/index.php: 2 Time(s)
       //web/index.php: 2 Time(s)
       /PMA2005/main.php: 2 Time(s)
       /PMA2006/main.php: 2 Time(s)
       /administrator/main.php: 2 Time(s)
       /dawdwadwaad: 2 Time(s)
       /dbadmin/main.php: 2 Time(s)
       /demo/images/ui-bg_glass_75_d0e5f5_1x400.png: 2 Time(s)
       /jmx-console/HtmlAdaptor: 2 Time(s)
       /muieblackcat: 2 Time(s)
       /mysqlmanager/main.php: 2 Time(s)
       /p/m/a/main.php: 2 Time(s)
       /php-my-admin/main.php: 2 Time(s)
       /php-myadmin/main.php: 2 Time(s)
       /phpmanager/main.php: 2 Time(s)
       /phpmy-admin/main.php: 2 Time(s)
       /phpmyadmin2/main.php: 2 Time(s)
       /pma2005/main.php: 2 Time(s)
       /pma2006/main.php: 2 Time(s)
       /sqlmanager/main.php: 2 Time(s)
       /web-console/ServerInfo.jsp: 2 Time(s)
       //PHPMYADMIN/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //admin/index.php: 1 Time(s)
       //dbadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //dbadmin/index.php: 1 Time(s)
       //myadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //mysql/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //p/m/a/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //php-my-admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //phpMyAdmin-2.2.6/index.php: 1 Time(s)
       //phpMyAdmin-2.5.1/index.php: 1 Time(s)
       //phpMyAdmin-2.5.5-pl1/index.php: 1 Time(s)
       //phpMyAdmin-2.5.5-rc2/index.php: 1 Time(s)
       //phpMyAdmin-2.5.5/index.php: 1 Time(s)
       //phpMyAdmin-2.5.6-rc1/index.php: 1 Time(s)
       //phpMyAdmin-2.5.6-rc2/index.php: 1 Time(s)
       //phpMyAdmin-2.5.6/index.php: 1 Time(s)
       //phpMyAdmin-2.5.7-pl1/index.php: 1 Time(s)
       //phpMyAdmin-2.5.7/index.php: 1 Time(s)
       //phpMyAdmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //phpmyadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //phpmyadmin1/index.php: 1 Time(s)
       //phpmyadmin2/index.php: 1 Time(s)
       //pma/config/config.inc.php?p=phpinfo();: 1 Time(s)
       //typo3/phpmyadmin/index.php: 1 Time(s)
       //web/phpMyAdmin/index.php: 1 Time(s)
       //websql/index.php: 1 Time(s)
       //xampp/phpmyadmin/index.php: 1 Time(s)
       /PMA/read_dump.phpmain.php: 1 Time(s)
       /browser/browser/browser.jsp: 1 Time(s)
       /cmd/cmd.jsp: 1 Time(s)
       /cmd1/cmd.jsp: 1 Time(s)
       /components/main.php: 1 Time(s)
       /dbadmin/read_dump.phpmain.php: 1 Time(s)
       /iesvc/iesvc.jsp: 1 Time(s)
       /man/3.jsp: 1 Time(s)
       /manager/html: 1 Time(s)
       /manager/status: 1 Time(s)
       /modules/vwar/main.php: 1 Time(s)
       /myadmin/read_dump.phpmain.php: 1 Time(s)
       /mysql/admin/main.php: 1 Time(s)
       /mysql/db/main.php: 1 Time(s)
       /mysql/dbadmin/main.php: 1 Time(s)
       /mysql/myadmin/main.php: 1 Time(s)
       /mysql/mysql-admin/main.php: 1 Time(s)
       /mysql/mysql/main.php: 1 Time(s)
       /mysql/mysqladmin/main.php: 1 Time(s)
       /mysql/mysqlmanager/main.php: 1 Time(s)
       /mysql/p/m/a/main.php: 1 Time(s)
       /mysql/pMA/main.php: 1 Time(s)
       /mysql/pMA2005/main.php: 1 Time(s)
       /mysql/pMA2006/main.php: 1 Time(s)
       /mysql/php-my-admin/main.php: 1 Time(s)
       /mysql/php-myadmin/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.2.3/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.2.6/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.4/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.5-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.5-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.5-rc2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.5/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.6-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.6-rc2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.6/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.7-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.5.7/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-alpha/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-alpha2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-beta1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-beta2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-pl2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-pl3/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-rc2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0-rc3/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.0/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.1-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.1-pl2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.1-pl3/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.1-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.1-rc2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.2-beta1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.2-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.3/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.4-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.4-pl2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.4-pl3/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.4-pl4/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.4-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.6.4/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.7.0-beta1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.7.0-pl1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.7.0-pl2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.7.0-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.7.0/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0-beta1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0-rc2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0.1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0.2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0.3/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0.4/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.0/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.1-rc1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.1/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2.8.2/main.php: 1 Time(s)
       /mysql/phpMyAdmin-2/main.php: 1 Time(s)
       /mysql/phpMyAdmin/main.php: 1 Time(s)
       /mysql/phpMyAdmin2/main.php: 1 Time(s)
       /mysql/phpmanager/main.php: 1 Time(s)
       /mysql/phpmy-admin/main.php: 1 Time(s)
       /mysql/phpmyadmin/main.php: 1 Time(s)
       /mysql/phpmyadmin2/main.php: 1 Time(s)
       /mysql/pma2005/main.php: 1 Time(s)
       /mysql/pma2006/main.php: 1 Time(s)
       /mysql/read_dump.phpmain.php: 1 Time(s)
       /mysql/sqlmanager/main.php: 1 Time(s)
       /mysql/sqlweb/main.php: 1 Time(s)
       /mysql/web/main.php: 1 Time(s)
       /mysql/webadmin/main.php: 1 Time(s)
       /mysql/webdb/main.php: 1 Time(s)
       /mysql/websql/main.php: 1 Time(s)
       /mysqladmin/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.2.3/main.php: 1 Time(s)
       /phpMyAdmin-2.2.3/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.2.6/main.php: 1 Time(s)
       /phpMyAdmin-2.2.7-pl1/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.5.1/main.php: 1 Time(s)
       /phpMyAdmin-2.5.4/main.php: 1 Time(s)
       /phpMyAdmin-2.5.5-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.5.5-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.5.5-rc2/main.php: 1 Time(s)
       /phpMyAdmin-2.5.5/main.php: 1 Time(s)
       /phpMyAdmin-2.5.6-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.5.6-rc2/main.php: 1 Time(s)
       /phpMyAdmin-2.5.6/main.php: 1 Time(s)
       /phpMyAdmin-2.5.6/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.5.7-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.5.7-pl1/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.5.7/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-alpha/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-alpha2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-beta1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-beta2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-pl2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-pl3/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-pl3/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.6.0-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-rc2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0-rc3/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0/main.php: 1 Time(s)
       /phpMyAdmin-2.6.0/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.6.1-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.1-pl2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.1-pl3/main.php: 1 Time(s)
       /phpMyAdmin-2.6.1-pl3/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.6.1-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.1-rc2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.2-beta1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.2-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.3-pl1/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.3/main.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl2/main.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl3/main.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl4/main.php: 1 Time(s)
       /phpMyAdmin-2.6.4-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.6.4/main.php: 1 Time(s)
       /phpMyAdmin-2.6.4/read_dump.phpmain.php: 1 Time(s)
       /phpMyAdmin-2.7.0-beta1/main.php: 1 Time(s)
       /phpMyAdmin-2.7.0-pl1/main.php: 1 Time(s)
       /phpMyAdmin-2.7.0-pl2/main.php: 1 Time(s)
       /phpMyAdmin-2.7.0-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.7.0/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0-beta1/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0-rc2/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0.1/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0.2/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0.3/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0.4/main.php: 1 Time(s)
       /phpMyAdmin-2.8.0/main.php: 1 Time(s)
       /phpMyAdmin-2.8.1-rc1/main.php: 1 Time(s)
       /phpMyAdmin-2.8.1/main.php: 1 Time(s)
       /phpMyAdmin-2.8.2/main.php: 1 Time(s)
       /phpMyAdmin-2/main.php: 1 Time(s)
       /phpMyAdmin2/main.php: 1 Time(s)
       /phpadmin/read_dump.phpmain.php: 1 Time(s)
       /phpmyadmin/read_dump.phpmain.php: 1 Time(s)
       /phpmyadmin1/read_dump.phpmain.php: 1 Time(s)
       /phpmyadmin2/read_dump.phpmain.php: 1 Time(s)
       /safe2/index.jsp: 1 Time(s)
       /sql/admin/main.php: 1 Time(s)
       /sql/db/main.php: 1 Time(s)
       /sql/dbadmin/main.php: 1 Time(s)
       /sql/main.php: 1 Time(s)
       /sql/myadmin/main.php: 1 Time(s)
       /sql/p/m/a/main.php: 1 Time(s)
       /sql/pMA/main.php: 1 Time(s)
       /sql/pMA2005/main.php: 1 Time(s)
       /sql/pMA2006/main.php: 1 Time(s)
       /sql/php-my-admin/main.php: 1 Time(s)
       /sql/php-myadmin/main.php: 1 Time(s)
       /typo3/phpmyadmin/read_dump.phpmain.php: 1 Time(s)
       /web/phpMyAdmin/read_dump.phpmain.php: 1 Time(s)
       /xampp/main.php: 1 Time(s)
       /xampp/phpMyAdmin/libraries/main.php: 1 Time(s)
       /xampp/phpMyAdmin/main.php: 1 Time(s)
       /xampp/phpmyadmin/read_dump.phpmain.php: 1 Time(s)
       /xampplite/main.php: 1 Time(s)
       /zecmd/zecmd.jsp: 1 Time(s)

As you can see, a good number of phpMyAdmin versions are probed. To lighten my Logwatch reports and block these bots a little more, I set up two new filters in my Fail2ban.

If you don't know Fail2ban, I invite you to discover it right away. It is a great little tool that bans an attacker (by creating an iptables rule) when they match a given rule (for example when someone tries to log in to your SSH server several times).

phpMyAdmin filter

Create the new filter /etc/fail2ban/filter.d/apache-phpmyadmin.conf:

# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|sql|phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin

# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Enable the jail in /etc/fail2ban/jail.conf:

[apache-phpmyadmin]
enabled  = true
port     = http,https
filter   = apache-phpmyadmin
logpath  = /var/log/apache*/*error.log
maxretry = 1

If you have a version of phpMyAdmin installed on your server, change the “maxretry” value to avoid banning yourself after a typo in the URL.

w00tw00t filter

As for phpMyAdmin, we create our filter /etc/fail2ban/filter.d/apache-w00tw00t.conf:

#[Mon May 07 10:28:42 2012] [error] [client 64.27.0.183] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
#[Sun May 06 09:04:53 2012] [error] [client 62.141.38.111] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
#
# Author: Maxime Chaillou
#
[Definition]
# Option:  failregex
# Notes.:  regex to match w00tw00t scan messages into the logfile.
#
# Values:  TEXT
failregex = ^.*\[client <HOST>\] File does not exist: /var/www/w00tw00t\.at.*$
            ^.*\[client <HOST>\] .* /w00tw00t\.at.*$
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =

Now enable our new anti-w00tw00t filter in /etc/fail2ban/jail.conf:

[apache-w00tw00t]
enabled  = true
port     = http,https
filter   = apache-w00tw00t
logpath  = /var/log/apache*/*error.log
maxretry = 1

A quick restart of fail2ban and off we go: these bots no longer (or at least less often) bother us.

/etc/init.d/fail2ban restart

Testing the filters

If you want to test your new filters before putting them into service, you can use a command shipped with fail2ban, fail2ban-regex:

fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf
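To see what fail2ban-regex actually does with the two filters above, here is an added example (my own code, not part of the original post or of fail2ban) that expands the <HOST> tag the way fail2ban 0.8 does, runs both failregex sets over a constructed Apache error-log sample (documentation IP ranges, not real clients) and counts hits per client. The sample deliberately includes a legitimate user who mistyped a URL on a host that really serves phpMyAdmin, which is exactly the self-ban case the maxretry remark in the phpMyAdmin section warns about. The HOST_RE expansion is an assumption about the fail2ban generation the post targets; newer releases use a richer pattern.

```python
"""Offline re-creation of what fail2ban-regex does with the two filters
from this post: expand <HOST>, run each failregex over Apache error-log
lines, and count hits per client so the effect of maxretry can be seen."""
import re
import warnings
from collections import Counter

# The post's [[]client ...[]] idiom makes Python 3.7+ warn about a possible
# nested set; the regex is still valid, so silence that warning only.
warnings.filterwarnings("ignore", category=FutureWarning)

# fail2ban 0.8 replaces the <HOST> tag with this named group before compiling
# a failregex (assumption about the version the post targets; newer releases
# use a richer pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The phpMyAdmin filter after ConfigParser has interpolated %(docroot)s and
# %(badadmin)s, exactly as the post's apache-phpmyadmin.conf defines them.
DOCROOT = "/var/www"
BADADMIN = ("PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|"
            "mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|"
            "sql|phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin")

FILTERS = {
    "apache-phpmyadmin": [
        r"[[]client <HOST>[]] File does not exist: " + DOCROOT + "/(?:" + BADADMIN + ")",
    ],
    "apache-w00tw00t": [
        r"^.*\[client <HOST>\] File does not exist: /var/www/w00tw00t\.at.*$",
        r"^.*\[client <HOST>\] .* /w00tw00t\.at.*$",
    ],
}

# Constructed sample of an Apache error log: one scanner probing three
# phpMyAdmin-style names, two w00tw00t probes, and one legitimate user who
# mistyped a URL on a host that really runs phpMyAdmin under /var/www/phpmyadmin.
SAMPLE_LOG = """\
[Mon May 07 10:28:42 2012] [error] [client 192.0.2.10] File does not exist: /var/www/phpMyAdmin
[Mon May 07 10:28:43 2012] [error] [client 192.0.2.10] File does not exist: /var/www/mysql-admin
[Mon May 07 10:28:44 2012] [error] [client 192.0.2.10] File does not exist: /var/www/sqlweb
[Mon May 07 10:29:01 2012] [error] [client 198.51.100.7] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun May 06 09:04:53 2012] [error] [client 198.51.100.8] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon May 07 11:00:00 2012] [error] [client 203.0.113.5] File does not exist: /var/www/phpmyadmin/index.phpp
[Mon May 07 11:00:05 2012] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
""".splitlines()


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def scan(lines, filters=FILTERS):
    """Return {jail: Counter(host -> matched lines)}; fail2ban uses re.search."""
    compiled = {name: compile_filter(pats) for name, pats in filters.items()}
    hits = {name: Counter() for name in filters}
    for line in lines:
        for name, regexes in compiled.items():
            for rx in regexes:
                m = rx.search(line)
                if m:
                    hits[name][m.group("host")] += 1
                    break  # one failregex match per line and jail is enough
    return hits


def would_ban(hits, maxretry):
    """Hosts whose hit count reaches maxretry (findtime is ignored here)."""
    return {name: sorted(h for h, n in c.items() if n >= maxretry)
            for name, c in hits.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for jail, counter in hits.items():
        print(jail, dict(counter))
    # maxretry = 1 (the post's setting) also bans the legitimate typo from
    # 203.0.113.5; maxretry = 3 keeps only the scanner.
    print("maxretry=1:", would_ban(hits, 1))
    print("maxretry=3:", would_ban(hits, 3))
```

Two things worth noticing in the output: the phpMyAdmin failregex has no anchor after the alternation, so /var/www/mysql-admin and /var/www/sqlweb are caught through the shorter "mysql" and "sql" names, and with maxretry = 1 the user who typed index.phpp on a real phpMyAdmin install is banned alongside the scanner, which is why the post tells you to raise maxretry when phpMyAdmin is actually installed.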


Source: Banning phpMyAdmin bots using fail2ban

Published by Maxime CHAILLOU