Permanent Redirects In httpd.conf OK?

So, here’s a summary of what I have been seeing in my Apache logs. Several times per day I have different IPs scanning the various sites on my server looking for site-level login pages for phpMyAdmin and the like. This is slamming Apache and taking it down periodically.

The short list of dirs they are trying to find are: /MyAdmin, /phpMyAdmin, /phpmyadmin, /admin, /db, /dbadmin, /myadmin, /mysql, /mysqladmin, /pma, /scripts, /sqlweb, /web, /webadmin, /webdb, /websql, /htdocs, /webdav, and a few others.

I do not run any of the above dirs at the site level (and recommend you don’t either!) on any of the sites. The attempts have been made on each site (30+ on this box), so I decided, instead of fiddling with each of the sites’ .htaccess files, to simply write permanent redirects in httpd.conf so that the requests are immediately bounced away. Examples of what I have added to httpd.conf are:

Redirect permanent /admin http://google.com
Redirect permanent /db http://google.com
Redirect permanent /dbadmin http://google.com
Redirect permanent /myadmin http://google.com
Redirect permanent /mysql http://google.com

Here’s my question. Should I be redirecting in this manner or is there a better way to bounce/kill this traffic at the front-end of the request?

Letting all those people pester Google doesn’t seem like the nicest idea to me.

Take a look at this: Blocking Apache Attacks
Looks good IMO :)

The Google forward is just an example. I actually have it set up to another URL. Would there be a way to simply kill the PID immediately if the attempt is made to those specific dirs?

Not that I know of, no.

I went back and looked very closely at the info link you posted and I think the mod_rewrite on that page would prolly do the trick…except that I don’t know how to customize it. Here’s the code:

LoadModule rewrite_module modules/mod_rewrite.so

  ...

  <IfModule mod_rewrite.c>
    RewriteEngine   on
    RewriteCond     %{HTTP_REFERER}    ^$
    RewriteCond     %{HTTP_USER_AGENT} ^$
    RewriteCond     %{REQUEST_URI}     ^/$
    RewriteRule     ^/.*     http://%{REMOTE_ADDR}/      [L,E=nolog:1]
  </IfModule>

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  CustomLog   logs/access_log-www.mydomain.com combined env=!nolog

So, would I just add separate lines for the 3rd RewriteCond line? Such as:


RewriteCond     %{REQUEST_URI}     ^/myadmin$
RewriteCond     %{REQUEST_URI}     ^/phpmyadmin$
RewriteCond     %{REQUEST_URI}     ^/mysql$

So that the finished set would look like:


LoadModule rewrite_module modules/mod_rewrite.so

  ...

  <IfModule mod_rewrite.c>
    RewriteEngine   on
    RewriteCond     %{HTTP_REFERER}    ^$
    RewriteCond     %{HTTP_USER_AGENT} ^$
    RewriteCond     %{REQUEST_URI}     ^/myadmin$
    RewriteCond     %{REQUEST_URI}     ^/phpmyadmin$
    RewriteCond     %{REQUEST_URI}     ^/mysql$
    RewriteRule     ^/.*     http://%{REMOTE_ADDR}/      [L,E=nolog:1]
  </IfModule>

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  CustomLog   logs/access_log-www.mydomain.com combined env=!nolog

Or is there a different form/syntax I should be using to ban multiple dirs?

You want to deny access no matter what, so I wouldn’t even bother to check referer or useragent, so remove the first two lines.

RewriteConds are normally ANDed, so if you have 3 conditions Apache will see this as cond1 AND cond2 AND cond3, while you’d want OR, so you need to add the [OR] flag to the RewriteConds.
Also, it would be nice if the check were case insensitive so it would also match PHPMyAdmin, phpMyAdmin, etc, etc. You can do this by adding the [NC] flag, so you get [NC,OR].


RewriteEngine on
RewriteCond %{REQUEST_URI} ^/myadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
RewriteRule ^/.* http://%{REMOTE_ADDR}/      [L,E=nolog:1]

Thanks, remon. I’ll give this a try. What will they see on their end?

The following runs and bounces to the originating IP, but is blocking ALL requests to any directory on all sites. Is the following written correctly?


<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/myadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
</IfModule>


I got rid of the last OR and it works fine. Here’s the final for anyone getting blasted:


<IfModule mod_rewrite.c>
# Each path below is ORed with the next and matched case-insensitively ([NC]);
# the last RewriteCond carries no [OR] so the chain terminates before the rule.
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/qwerty$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/w00tw00t.at.blackhats.romanian.anti-sec:$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/w00tw00t.at.blackhats.romanian.anti-sec$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/w00tw00t.at.ISC.SANS.DFind:$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/MyAdmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/mysqladmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/admin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/db$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/dbadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/pma$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/scripts$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/sqlweb$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/web$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/webadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/webdb$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/websql$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/htdocs$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/webdav$ [NC]
RewriteRule ^/.* http://%{REMOTE_ADDR}/ [L]
</IfModule>


I may set an ENV to track these for a while, but all I want the hackers to do, at this point, is go packing.
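To show why remon’s AND/OR explanation matters and why the trailing [OR] in the earlier version blocked every request, here is an added example (not from the thread or from Apache) that models how mod_rewrite chains RewriteCond lines: conditions are ANDed unless flagged [OR], and a chain that runs off the end without a failed AND condition lets the rule fire. The two configs are constructed from the thread’s own lines; the evaluation logic is my model of the documented semantics, not Apache’s source.

```python
import re

# Matches a RewriteCond on %{REQUEST_URI}, capturing the pattern and optional [flags].
COND_RE = re.compile(r'^\s*RewriteCond\s+%\{REQUEST_URI\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$')

# Constructed from the thread: the broken version (every cond carries [OR]) ...
TRAILING_OR = """
RewriteCond %{REQUEST_URI} ^/myadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/mysql$ [NC,OR]
"""
# ... and the fixed version, where the last cond has no [OR].
FIXED = TRAILING_OR.replace("^/mysql$ [NC,OR]", "^/mysql$ [NC]")

def parse_conds(config):
    """Return a list of (compiled_regex, or_next) for each RewriteCond line."""
    conds = []
    for line in config.splitlines():
        m = COND_RE.match(line)
        if not m:
            continue  # other directives are not part of the condition chain
        pattern, flags = m.group(1), (m.group(2) or "")
        flagset = {f.strip().upper() for f in flags.split(",") if f.strip()}
        rx = re.compile(pattern, re.IGNORECASE if "NC" in flagset else 0)
        conds.append((rx, "OR" in flagset))
    return conds

def rule_fires(conds, uri):
    """True if the RewriteRule guarded by these conditions applies to uri."""
    i = 0
    while i < len(conds):
        rx, or_next = conds[i]
        hit = rx.search(uri) is not None
        if or_next:
            if hit:
                # One member of the OR group matched: skip the rest of the group,
                # including its terminating non-[OR] member.
                while i < len(conds) and conds[i][1]:
                    i += 1
                i += 1
            else:
                i += 1  # this member failed; a later member may still match
            continue
        if not hit:
            return False  # an ANDed condition failed, so the rule is skipped
        i += 1
    # Falling off the end means nothing vetoed the rule. With a trailing [OR]
    # that fails, this is reached for every URI, which is the "blocks ALL" bug.
    return True
```

Note that the anchored `^/mysql$` patterns match only the bare path, not `/mysql/` or `/mysql/index.php`, so the rule set is narrower than the scans it targets.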

Looks good. Nice job :)

Just wanted to report back. The mod_rewrite (final version above) is working quite slick. I just add directories as attempts are made and I see them in the error log. Word of caution. Please make sure that the dirs you are blocking are not used by sites on your server. Also, it is a good idea to send out a customer service email to let folks know to rename /admin dirs or any commonly named dirs running at the site level. Good luck to all…