Banning phpMyAdmin and w00tw00t bots with Fail2ban
Very regularly, my Logwatch reports contain dozens of 404 errors generated by bots looking for a phpMyAdmin installation, or simply for a vulnerability on the web server.
Here is an example of a daily report:
Requests with error response codes
   400 Bad Request
      /: 3 Time(s)
      /w00tw00t.at.ISC.SANS.DFind:): 3 Time(s)
   404 Not Found
      /phpMyAdmin: 5 Time(s)
      //phpMyAdmin/index.php: 3 Time(s)
      //phpmyadmin/index.php: 3 Time(s)
      /MyAdmin/scripts/setup.php: 3 Time(s)
      /PMA/main.php: 3 Time(s)
      /admin/main.php: 3 Time(s)
      /db/main.php: 3 Time(s)
      /myadmin/main.php: 3 Time(s)
      /myadmin/scripts/setup.php: 3 Time(s)
      /mysql-admin/main.php: 3 Time(s)
      /mysql/main.php: 3 Time(s)
      /mysqladmin/main.php: 3 Time(s)
      /phpMyAdmin/main.php: 3 Time(s)
      /phpMyAdmin/scripts/setup.php: 3 Time(s)
      /phpmyadmin/main.php: 3 Time(s)
      /phpmyadmin/scripts/setup.php: 3 Time(s)
      /pma/scripts/setup.php: 3 Time(s)
      /sqlweb/main.php: 3 Time(s)
      /w00tw00t.at.blackhats.romanian.anti-sec:): 3 Time(s)
      /web/main.php: 3 Time(s)
      /webadmin/main.php: 3 Time(s)
      /webdb/main.php: 3 Time(s)
      /websql/main.php: 3 Time(s)
      //admin/phpmyadmin/index.php: 2 Time(s)
      //admin/pma/index.php: 2 Time(s)
      //db/index.php: 2 Time(s)
      //myadmin/index.php: 2 Time(s)
      //mysql/index.php: 2 Time(s)
      //mysqladmin/index.php: 2 Time(s)
      //php-my-admin/index.php: 2 Time(s)
      //phpMyAdmin-2.5.5-rc1/index.php: 2 Time(s)
      //phpMyAdmin-2/index.php: 2 Time(s)
      //phpadmin/index.php: 2 Time(s)
      //web/index.php: 2 Time(s)
      /PMA2005/main.php: 2 Time(s)
      /PMA2006/main.php: 2 Time(s)
      /administrator/main.php: 2 Time(s)
      /dawdwadwaad: 2 Time(s)
      /dbadmin/main.php: 2 Time(s)
      /demo/images/ui-bg_glass_75_d0e5f5_1x400.png: 2 Time(s)
      /jmx-console/HtmlAdaptor: 2 Time(s)
      /muieblackcat: 2 Time(s)
      /mysqlmanager/main.php: 2 Time(s)
      /p/m/a/main.php: 2 Time(s)
      /php-my-admin/main.php: 2 Time(s)
      /php-myadmin/main.php: 2 Time(s)
      /phpmanager/main.php: 2 Time(s)
      /phpmy-admin/main.php: 2 Time(s)
      /phpmyadmin2/main.php: 2 Time(s)
      /pma2005/main.php: 2 Time(s)
      /pma2006/main.php: 2 Time(s)
      /sqlmanager/main.php: 2 Time(s)
      /web-console/ServerInfo.jsp: 2 Time(s)
      //PHPMYADMIN/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //admin/index.php: 1 Time(s)
      //dbadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //dbadmin/index.php: 1 Time(s)
      //myadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //mysql/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //p/m/a/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //php-my-admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //phpMyAdmin-2.2.6/index.php: 1 Time(s)
      //phpMyAdmin-2.5.1/index.php: 1 Time(s)
      //phpMyAdmin-2.5.5-pl1/index.php: 1 Time(s)
      //phpMyAdmin-2.5.5-rc2/index.php: 1 Time(s)
      //phpMyAdmin-2.5.5/index.php: 1 Time(s)
      //phpMyAdmin-2.5.6-rc1/index.php: 1 Time(s)
      //phpMyAdmin-2.5.6-rc2/index.php: 1 Time(s)
      //phpMyAdmin-2.5.6/index.php: 1 Time(s)
      //phpMyAdmin-2.5.7-pl1/index.php: 1 Time(s)
      //phpMyAdmin-2.5.7/index.php: 1 Time(s)
      //phpMyAdmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //phpmyadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //phpmyadmin1/index.php: 1 Time(s)
      //phpmyadmin2/index.php: 1 Time(s)
      //pma/config/config.inc.php?p=phpinfo();: 1 Time(s)
      //typo3/phpmyadmin/index.php: 1 Time(s)
      //web/phpMyAdmin/index.php: 1 Time(s)
      //websql/index.php: 1 Time(s)
      //xampp/phpmyadmin/index.php: 1 Time(s)
      /PMA/read_dump.phpmain.php: 1 Time(s)
      /browser/browser/browser.jsp: 1 Time(s)
      /cmd/cmd.jsp: 1 Time(s)
      /cmd1/cmd.jsp: 1 Time(s)
      /components/main.php: 1 Time(s)
      /dbadmin/read_dump.phpmain.php: 1 Time(s)
      /iesvc/iesvc.jsp: 1 Time(s)
      /man/3.jsp: 1 Time(s)
      /manager/html: 1 Time(s)
      /manager/status: 1 Time(s)
      /modules/vwar/main.php: 1 Time(s)
      /myadmin/read_dump.phpmain.php: 1 Time(s)
      /mysql/admin/main.php: 1 Time(s)
      /mysql/db/main.php: 1 Time(s)
      /mysql/dbadmin/main.php: 1 Time(s)
      /mysql/myadmin/main.php: 1 Time(s)
      /mysql/mysql-admin/main.php: 1 Time(s)
      /mysql/mysql/main.php: 1 Time(s)
      /mysql/mysqladmin/main.php: 1 Time(s)
      /mysql/mysqlmanager/main.php: 1 Time(s)
      /mysql/p/m/a/main.php: 1 Time(s)
      /mysql/pMA/main.php: 1 Time(s)
      /mysql/pMA2005/main.php: 1 Time(s)
      /mysql/pMA2006/main.php: 1 Time(s)
      /mysql/php-my-admin/main.php: 1 Time(s)
      /mysql/php-myadmin/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.2.3/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.2.6/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.4/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.5-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.5-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.5-rc2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.5/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.6-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.6-rc2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.6/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.7-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.5.7/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-alpha/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-alpha2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-beta1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-beta2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-pl2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-pl3/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-rc2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0-rc3/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.0/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.1-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.1-pl2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.1-pl3/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.1-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.1-rc2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.2-beta1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.2-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.3/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.4-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.4-pl2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.4-pl3/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.4-pl4/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.4-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.6.4/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.7.0-beta1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.7.0-pl1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.7.0-pl2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.7.0-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.7.0/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0-beta1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0-rc2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0.1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0.2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0.3/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0.4/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.0/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.1-rc1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.1/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2.8.2/main.php: 1 Time(s)
      /mysql/phpMyAdmin-2/main.php: 1 Time(s)
      /mysql/phpMyAdmin/main.php: 1 Time(s)
      /mysql/phpMyAdmin2/main.php: 1 Time(s)
      /mysql/phpmanager/main.php: 1 Time(s)
      /mysql/phpmy-admin/main.php: 1 Time(s)
      /mysql/phpmyadmin/main.php: 1 Time(s)
      /mysql/phpmyadmin2/main.php: 1 Time(s)
      /mysql/pma2005/main.php: 1 Time(s)
      /mysql/pma2006/main.php: 1 Time(s)
      /mysql/read_dump.phpmain.php: 1 Time(s)
      /mysql/sqlmanager/main.php: 1 Time(s)
      /mysql/sqlweb/main.php: 1 Time(s)
      /mysql/web/main.php: 1 Time(s)
      /mysql/webadmin/main.php: 1 Time(s)
      /mysql/webdb/main.php: 1 Time(s)
      /mysql/websql/main.php: 1 Time(s)
      /mysqladmin/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3/main.php: 1 Time(s)
      /phpMyAdmin-2.2.3/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.6/main.php: 1 Time(s)
      /phpMyAdmin-2.2.7-pl1/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.5.1/main.php: 1 Time(s)
      /phpMyAdmin-2.5.4/main.php: 1 Time(s)
      /phpMyAdmin-2.5.5-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.5.5-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.5.5-rc2/main.php: 1 Time(s)
      /phpMyAdmin-2.5.5/main.php: 1 Time(s)
      /phpMyAdmin-2.5.6-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.5.6-rc2/main.php: 1 Time(s)
      /phpMyAdmin-2.5.6/main.php: 1 Time(s)
      /phpMyAdmin-2.5.6/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.5.7-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.5.7-pl1/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.5.7/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-alpha/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-alpha2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-beta1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-beta2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-pl2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-pl3/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-pl3/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.6.0-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-rc2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0-rc3/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0/main.php: 1 Time(s)
      /phpMyAdmin-2.6.0/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.6.1-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.1-pl2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.1-pl3/main.php: 1 Time(s)
      /phpMyAdmin-2.6.1-pl3/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.6.1-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.1-rc2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.2-beta1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.2-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.3-pl1/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.3/main.php: 1 Time(s)
      /phpMyAdmin-2.6.4-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.4-pl2/main.php: 1 Time(s)
      /phpMyAdmin-2.6.4-pl3/main.php: 1 Time(s)
      /phpMyAdmin-2.6.4-pl4/main.php: 1 Time(s)
      /phpMyAdmin-2.6.4-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.6.4/main.php: 1 Time(s)
      /phpMyAdmin-2.6.4/read_dump.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.7.0-beta1/main.php: 1 Time(s)
      /phpMyAdmin-2.7.0-pl1/main.php: 1 Time(s)
      /phpMyAdmin-2.7.0-pl2/main.php: 1 Time(s)
      /phpMyAdmin-2.7.0-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.7.0/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0-beta1/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0-rc2/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0.1/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0.2/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0.3/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0.4/main.php: 1 Time(s)
      /phpMyAdmin-2.8.0/main.php: 1 Time(s)
      /phpMyAdmin-2.8.1-rc1/main.php: 1 Time(s)
      /phpMyAdmin-2.8.1/main.php: 1 Time(s)
      /phpMyAdmin-2.8.2/main.php: 1 Time(s)
      /phpMyAdmin-2/main.php: 1 Time(s)
      /phpMyAdmin2/main.php: 1 Time(s)
      /phpadmin/read_dump.phpmain.php: 1 Time(s)
      /phpmyadmin/read_dump.phpmain.php: 1 Time(s)
      /phpmyadmin1/read_dump.phpmain.php: 1 Time(s)
      /phpmyadmin2/read_dump.phpmain.php: 1 Time(s)
      /safe2/index.jsp: 1 Time(s)
      /sql/admin/main.php: 1 Time(s)
      /sql/db/main.php: 1 Time(s)
      /sql/dbadmin/main.php: 1 Time(s)
      /sql/main.php: 1 Time(s)
      /sql/myadmin/main.php: 1 Time(s)
      /sql/p/m/a/main.php: 1 Time(s)
      /sql/pMA/main.php: 1 Time(s)
      /sql/pMA2005/main.php: 1 Time(s)
      /sql/pMA2006/main.php: 1 Time(s)
      /sql/php-my-admin/main.php: 1 Time(s)
      /sql/php-myadmin/main.php: 1 Time(s)
      /typo3/phpmyadmin/read_dump.phpmain.php: 1 Time(s)
      /web/phpMyAdmin/read_dump.phpmain.php: 1 Time(s)
      /xampp/main.php: 1 Time(s)
      /xampp/phpMyAdmin/libraries/main.php: 1 Time(s)
      /xampp/phpMyAdmin/main.php: 1 Time(s)
      /xampp/phpmyadmin/read_dump.phpmain.php: 1 Time(s)
      /xampplite/main.php: 1 Time(s)
      /zecmd/zecmd.jsp: 1 Time(s)
As you can see, a good number of phpMyAdmin versions are probed. To lighten my Logwatch reports and block these bots a bit more, I set up two new filters in my Fail2ban.
If you don't know Fail2ban yet, I invite you to discover it right away. It is a great little tool that bans an attacker (by creating an iptables rule) as soon as they trigger a given rule (for example when someone tries to log in to your SSH server several times).
phpMyAdmin filter
Create the new filter /etc/fail2ban/filter.d/apache-phpmyadmin.conf:
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|sql|phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin

# Option: failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values: TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Enable the jail in /etc/fail2ban/jail.conf (the filter file above only defines the regex; the jail section below is what turns it on):

[apache-phpmyadmin]
enabled  = true
port     = http,https
filter   = apache-phpmyadmin
logpath  = /var/log/apache*/*error.log
maxretry = 1
If you do have a phpMyAdmin installation on your server, raise the "maxretry" value so that a single mistyped URL does not get you banned from your own server.
w00tw00t filter
As for phpMyAdmin, we create our filter /etc/fail2ban/filter.d/apache-w00tw00t.conf:
#[Mon May 07 10:28:42 2012] [error] [client 64.27.0.183] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
#[Sun May 06 09:04:53 2012] [error] [client 62.141.38.111] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
#
# Author: Maxime Chaillou
#

[Definition]

# Option: failregex
# Notes.: regex to match w00tw00t scan messages into the logfile.
#         Two patterns: the first catches the "File does not exist" form,
#         the second the "request without hostname" form shown above.
# Values: TEXT
failregex = ^.*\[client <HOST>\] File does not exist: /var/www/w00tw00t\.at.*$
            ^.*\[client <HOST>\] .* /w00tw00t\.at.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Now we enable our new anti-w00tw00t jail in /etc/fail2ban/jail.conf, next to the phpMyAdmin one:
[apache-w00tw00t]
enabled  = true
port     = http,https
filter   = apache-w00tw00t
logpath  = /var/log/apache*/*error.log
maxretry = 1
A quick restart of fail2ban and off we go; we are no longer (well, less) bothered by these bots.
/etc/init.d/fail2ban restart
Testing the filters
If you want to test your new filters before putting them into service, you can use fail2ban-regex, a command shipped with fail2ban that replays a log file against a filter and reports which lines (and which hosts) matched:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf
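When fail2ban is not installed on the machine you are editing filters on, the same check can be replayed by hand. The script below is an added example, not code from the original post and not part of fail2ban: it takes both filters above, expands <HOST> the way fail2ban 0.8-era releases do (copied here as an assumption rather than imported), runs them over a few constructed Apache error-log lines and then applies the jail's maxretry threshold the way the phpMyAdmin section warns about. The literal brackets in the phpMyAdmin regex are spelled \[ and \] here, which is equivalent to the [[] and []] notation in the filter file; findtime and bantime are ignored.

```python
import re
from collections import Counter

# Constructed sample Apache error-log lines for this example (RFC 5737
# documentation addresses, not clients taken from the post's server).
SAMPLE_LOG = """\
[Mon May 07 10:28:42 2012] [error] [client 198.51.100.10] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun May 06 09:04:53 2012] [error] [client 198.51.100.11] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun May 06 09:05:01 2012] [error] [client 198.51.100.12] File does not exist: /var/www/phpMyAdmin
[Sun May 06 09:05:02 2012] [error] [client 198.51.100.12] File does not exist: /var/www/pma/scripts/setup.php
[Sun May 06 09:05:03 2012] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
[Sun May 06 09:05:04 2012] [error] [client 203.0.113.6] File does not exist: /var/www/mysql/phpMyAdmin-2.6.0/main.php
"""

# What fail2ban 0.8-era releases substitute for the <HOST> tag (assumption:
# reproduced here so the example needs no fail2ban import).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two filters from the post, as fail2ban sees them once ConfigParser has
# interpolated %(docroot)s and %(badadmin)s.  Literal brackets are written
# \[ and \] here, equivalent to [[] and []] in the filter file.
DOCROOT = "/var/www"
BADADMIN = ("PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|"
            "mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|"
            "sql|phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin")

FILTERS = {
    "apache-phpmyadmin": [
        r"\[client <HOST>\] File does not exist: %(docroot)s/(?:%(badadmin)s)"
        % {"docroot": DOCROOT, "badadmin": BADADMIN},
    ],
    "apache-w00tw00t": [
        r"^.*\[client <HOST>\] File does not exist: /var/www/w00tw00t\.at.*$",
        r"^.*\[client <HOST>\] .* /w00tw00t\.at.*$",
    ],
}


def compile_filter(patterns):
    """Expand <HOST> in every failregex and compile it, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, compiled):
    """Return the client host if any failregex matches the line, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(log_text, patterns):
    """Count matching lines per host: the summary fail2ban-regex prints."""
    compiled = compile_filter(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        host = match_line(line, compiled)
        if host is not None:
            hits[host] += 1
    return dict(hits)


def hosts_to_ban(hits, maxretry):
    """Hosts the jail would ban: failure count reached maxretry (findtime ignored)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, patterns in FILTERS.items():
        hits = scan(SAMPLE_LOG, patterns)
        print(name, hits,
              "| ban with maxretry=1:", hosts_to_ban(hits, 1),
              "| with maxretry=2:", hosts_to_ban(hits, 2))
```

Two things this run makes visible that the filter text alone does not. First, the phpMyAdmin regex is case-sensitive, so the lowercase /pma/scripts/setup.php probe from the Logwatch report above is not caught (neither "pma" nor any other alternative in badadmin matches it), while /var/www/phpMyAdmin and /var/www/mysql/... are. Second, with maxretry = 1 every host appears in the ban list after a single hit, which is exactly why the post tells you to raise it when you run a real phpMyAdmin: one mistyped URL from your own address would be enough.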