How to block clients by IP address from accessing certain URLs on my web server?

How can I permanently block any IP address that accesses known vulnerable pages such as /phpMyadmin/?

I am running a Debian server and I often see bots or hackers scanning my server trying to find vulnerabilities.

    73.199.136.112 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpMyadmin/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
    73.199.136.112 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpMyAdmin/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
    73.199.136.112 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpmyAdmin/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
    73.199.136.112 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpmyadmin2/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
    73.199.136.112 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpmyadmin3/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
    73.199.136.112 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpmyadmin4/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"

I have followed this Stack Overflow question already: How to secure phpMyAdmin.

I am looking to start blocking bots from taking up bandwidth.

Tags: firewall webserver

asked Oct 16 '17 at 15:02 by Whitecat; edited Oct 16 '17 at 22:12 by 200_success
Comments:

This will clean up your log files, but won't help with security at all. Either always keep your phpmyadmin up-to-date, or access it only from localhost (and block all other traffic). To access the remote server, tunnel the port via ssh. – Stefan M, Oct 16 '17 at 15:21

I think it will help security because it will block the malicious IP addresses who try to access that site. – Whitecat, Oct 16 '17 at 15:28

@Whitecat the 404 HTTP code means Page not found. How do you sense that these IPs are offending IPs? Based on what output do you decide to block these IPs? – Valentin B, Oct 16 '17 at 15:29

I want to block the IP based on the fact that they are going to phpMyAdmin. I have secured my site and I know anyone going to that page is malicious. – Whitecat, Oct 16 '17 at 15:31

Why don't you create a .htpasswd? – nicoX, Oct 16 '17 at 19:26
3 Answers

Accepted answer (score 18), answered Oct 16 '17 at 15:32 by Andy Dalton:

This may be more heavyweight than you're looking for, but you might consider using fail2ban (https://www.fail2ban.org). That's a tool that can monitor your log files and automatically ban addresses that generate logs that match a set of customizable patterns.
Comments:

tbh this is the exact problem fail2ban is designed to address. It's a bit heavy but then again the desired criteria is fairly dynamic itself. All things considered fail2ban is about as light weight as you're going to get in trying to solve this class of problems using a standard tool. – Bratchley, Oct 16 '17 at 15:43

Well I suppose you could write a suid-root binary cgi, host it as /phpmyadmin, that adds the firewall rule of its caller. – Joshua, Oct 16 '17 at 16:44
Answer (score 7), answered Oct 16 '17 at 16:57 by R.. (edited Oct 16 '17 at 17:15):

Don't. At best you'll achieve nothing but making your logs less cluttered; at worst you'll end up blocking legitimate visitors who happened to get (via DHCP) an IP address that used to belong to someone whose PC was infected as a botnet node.

The real problem here is the log clutter, and it can be solved just by configuring your logging to drop requests that are known vuln-scanning for vulns your site doesn't, and won't, have because you're not using the vulnerable frameworks they're scanning for. If you're concerned about complete loss of logging (perhaps they provide evidence suggesting who was responsible for a different attack, or when an attack began, etc.) then just throttling multiple log entries for junk URLs from a given IP in a short timespan should work better.
Comments:

fail2ban bans are temporary - X hits of a bad login attempt within Y seconds, Z minute ban, with configurable X, Y and Z. Dropping logs of active intrusion attempts sounds to me like a significantly more dangerous choice. – Shadur, Oct 16 '17 at 17:02

In the 0.1% chance this happens, legitimate users of this instance of phpmyadmin should be able to just message OP to get unblocked. Also, fail2ban can shut out a scanning attack before it happens to hit the unpatched or zero-day vulnerability on your server. – Segfault, Oct 16 '17 at 17:18

@Segfault: There presumably are no legitimate users of /phpmyadmin/ because /phpmyadmin/ doesn't exist on the server (see: 404). Rather the legitimate users in question are any users of the site who would be blocked by firewalling them. – R.., Oct 16 '17 at 17:19

The "best" actually includes further tests being blocked, including ones that might have actually succeeded. Playing around with the log contents also seems like a good way to lose information when you realize you've made some sort of error in your filter. If you're worried about log clutter then you need an analytics platform like ELK to sift through it all for the stuff you're interested in. – Bratchley, Oct 17 '17 at 3:57

The other, related, issue is the increasing use of CGN. An ISP can have hundreds of customers sharing a single IP address, making IP blocking dangerous at best, even temporary ones. You can have a legitimate user and an active scan from the same address at the same time. – Bob, Oct 17 '17 at 6:38
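The following is added example code, not fail2ban itself and not code from any of the answers. It models the decision the accepted answer delegates to fail2ban and that Shadur's comment spells out (X probe hits within Y seconds earn a Z-minute ban), runs it over constructed log lines in the format shown in the question, and then measures the blast radius R.. and Bob warn about: which ordinary requests from a banned address would also have been dropped. The sample log, the thresholds and the helper names are assumptions made for illustration; a path counts as a probe only when the server answered 404, which is Valentin B's point.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache combined-log format, modelled on the lines in the
# question. Addresses are RFC 5737 documentation ranges, not real hosts. The
# last three lines are ordinary page views; two of them come from the scanner's
# address, as happens when an ISP puts many customers behind carrier-grade NAT.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpMyadmin/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpMyAdmin/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [16/Oct/2017:05:18:06 -0700] "HEAD /phpmyadmin2/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [16/Oct/2017:05:19:00 -0700] "HEAD /phpmyadmin3/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
198.51.100.9 - - [16/Oct/2017:05:20:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Oct/2017:05:25:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Oct/2017:06:30:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the decision needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Request paths that only a scanner asks for on a host with no phpMyAdmin:
# /phpmyadmin, /phpMyAdmin2/, ... (any case, optional digits, optional slash).
PROBE_PATH_RE = re.compile(r'^/phpmyadmin\d*/?$', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_probe(rec):
    """A probe is a phpMyAdmin-style path that the server answered with 404.
    Requiring the 404 matters: if you actually serve that path (a 200), a
    request for it is not by itself evidence of scanning."""
    return rec["status"] == 404 and PROBE_PATH_RE.match(rec["path"]) is not None


def decide_bans(lines, maxretry=3, findtime=timedelta(minutes=10),
                bantime=timedelta(minutes=10)):
    """fail2ban-style decision: maxretry probes from one address within
    findtime earn a ban that lasts bantime. Returns {ip: [(start, end), ...]}.
    While a ban is active the firewall drops the address's packets, so probes
    arriving inside the ban window never reach the log and are not counted."""
    recent = defaultdict(deque)   # ip -> probe timestamps still inside findtime
    bans = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None or not is_probe(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if bans[ip] and ts < bans[ip][-1][1]:
            continue                  # already banned: nothing to decide
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()          # forget probes older than the window
        if len(window) >= maxretry:
            bans[ip].append((ts, ts + bantime))
            window.clear()
    return {ip: spans for ip, spans in bans.items() if spans}


def collateral_requests(lines, bans):
    """Ordinary requests a ban would also have dropped: the blast radius of an
    address-level ban when the address is shared (CGN, DHCP reassignment)."""
    dropped = []
    for rec in map(parse_line, lines):
        if rec is None or is_probe(rec):
            continue
        for start, end in bans.get(rec["ip"], []):
            if start <= rec["ts"] < end:
                dropped.append((rec["ip"], rec["path"], rec["ts"].isoformat()))
    return dropped


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    bans = decide_bans(lines)
    for ip, spans in bans.items():
        for start, end in spans:
            print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
    for ip, path, when in collateral_requests(lines, bans):
        print(f"collateral: {ip} {path} at {when} would have been dropped too")
```

On the sample, the scanner is banned at its third probe and its fourth probe is never seen, but the page view from the same address seven minutes later falls inside the ban window and is lost, while the view an hour later gets through.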
Answer (score 4) by thebtm:

Find the phpMyAdmin.conf in one of the httpd config directories and add deny 73.199.136.112 in the allow/deny section of the config file and a Require ip in the 2.4 section. I have put an example of the full config file below where I have the entries in reverse: I block everything but the allowed IP segments from accessing the tool.
    [thebtm@server conf.d]# cat /etc/httpd/conf.d/phpMyAdmin.conf
    # phpMyAdmin - Web based MySQL browser written in php
    #
    # Allows only localhost by default
    #
    # But allowing phpMyAdmin to anyone other than localhost should be considered
    # dangerous unless properly secured by SSL

    Alias /phpMyAdmin /usr/share/phpMyAdmin
    Alias /phpmyadmin /usr/share/phpMyAdmin

    <Directory /usr/share/phpMyAdmin/>
        AddDefaultCharset UTF-8

        <IfModule mod_authz_core.c>
            # Apache 2.4
            <RequireAny>
                Require ip 10.10.26
                Require ip 192.168.56
                Require ip 127.0.0.1
                Require ip ::1
            </RequireAny>
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order Deny,Allow
            Deny from All
            Allow from 10.10.25
            Allow from 192.168.56
            Allow from 127.0.0.1
            Allow from ::1
        </IfModule>
    </Directory>

    <Directory /usr/share/phpMyAdmin/setup/>
        <IfModule mod_authz_core.c>
            # Apache 2.4
            <RequireAny>
                Require ip 127.0.0.1
                Require ip ::1
            </RequireAny>
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order Deny,Allow
            Deny from All
            Allow from 127.0.0.1
            Allow from ::1
        </IfModule>
    </Directory>

    # These directories do not require access over HTTP - taken from the original
    # phpMyAdmin upstream tarball
    #
    <Directory /usr/share/phpMyAdmin/libraries/>
        Order Deny,Allow
        Deny from All
        Allow from None
    </Directory>

    <Directory /usr/share/phpMyAdmin/setup/lib/>
        Order Deny,Allow
        Deny from All
        Allow from None
    </Directory>

    <Directory /usr/share/phpMyAdmin/setup/frames/>
        Order Deny,Allow
        Deny from All
        Allow from None
    </Directory>

    # This configuration prevents mod_security at phpMyAdmin directories from
    # filtering SQL etc. This may break your mod_security implementation.
    #
    #<IfModule mod_security.c>
    #    <Directory /usr/share/phpMyAdmin/>
    #        SecRuleInheritance Off
    #    </Directory>
    #</IfModule>
Comments:

This is awesome. But the problem is there are constant bots from many different IPs. I cannot possibly keep up with every different IP as I get between 20-30 unique malicious IPs per day. – Whitecat, Oct 16 '17 at 15:27

That is why I showed the reverse where you allow the segments you want to have access and auto block the rest. – thebtm, Oct 16 '17 at 15:38

Alias /phpmyadmin /usr/share/phpMyAdmin: /phpmyadmin should be changed to something else for security purposes, e.g. Alias /secret /usr/share/phpMyAdmin – nicoX, Oct 18 '17 at 15:20

I modified the default config file that comes with the tool when you install it and made up some random IP addresses. – thebtm, Oct 18 '17 at 15:24
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
18
down vote
accepted
This may be more heavy weight than you're looking for, but you might consider using fail2ban (https://www.fail2ban.org). That's a tool that can monitor your log files and automatically ban addresses that generate logs that match a set of customizable patterns.
5
tbh this is exact problemfail2banis designed to address. It's a bit heavy but then again the desired criteria is fairly dynamic itself. All things consideredfail2banis about as light weight as you're going to get in trying to solve this class of problems using a standard tool.
â Bratchley
Oct 16 '17 at 15:43
1
Well I suppose you could write a suid-root binary cgi, host it as /phpmyadmin, that adds the firewall rule of its caller.
â Joshua
Oct 16 '17 at 16:44
add a comment |Â
up vote
18
down vote
accepted
This may be more heavy weight than you're looking for, but you might consider using fail2ban (https://www.fail2ban.org). That's a tool that can monitor your log files and automatically ban addresses that generate logs that match a set of customizable patterns.
5
tbh this is exact problemfail2banis designed to address. It's a bit heavy but then again the desired criteria is fairly dynamic itself. All things consideredfail2banis about as light weight as you're going to get in trying to solve this class of problems using a standard tool.
â Bratchley
Oct 16 '17 at 15:43
1
Well I suppose you could write a suid-root binary cgi, host it as /phpmyadmin, that adds the firewall rule of its caller.
â Joshua
Oct 16 '17 at 16:44
add a comment |Â
up vote
18
down vote
accepted
up vote
18
down vote
accepted
This may be more heavy weight than you're looking for, but you might consider using fail2ban (https://www.fail2ban.org). That's a tool that can monitor your log files and automatically ban addresses that generate logs that match a set of customizable patterns.
This may be more heavy weight than you're looking for, but you might consider using fail2ban (https://www.fail2ban.org). That's a tool that can monitor your log files and automatically ban addresses that generate logs that match a set of customizable patterns.
answered Oct 16 '17 at 15:32
Andy Dalton
4,7991520
4,7991520
5
tbh this is exact problemfail2banis designed to address. It's a bit heavy but then again the desired criteria is fairly dynamic itself. All things consideredfail2banis about as light weight as you're going to get in trying to solve this class of problems using a standard tool.
â Bratchley
Oct 16 '17 at 15:43
1
Well I suppose you could write a suid-root binary cgi, host it as /phpmyadmin, that adds the firewall rule of its caller.
â Joshua
Oct 16 '17 at 16:44
add a comment |Â
5
tbh this is exact problemfail2banis designed to address. It's a bit heavy but then again the desired criteria is fairly dynamic itself. All things consideredfail2banis about as light weight as you're going to get in trying to solve this class of problems using a standard tool.
â Bratchley
Oct 16 '17 at 15:43
1
Well I suppose you could write a suid-root binary cgi, host it as /phpmyadmin, that adds the firewall rule of its caller.
â Joshua
Oct 16 '17 at 16:44
5
5
tbh this is exact problem
fail2ban is designed to address. It's a bit heavy but then again the desired criteria is fairly dynamic itself. All things considered fail2ban is about as light weight as you're going to get in trying to solve this class of problems using a standard tool.â Bratchley
Oct 16 '17 at 15:43
tbh this is exact problem
fail2ban is designed to address. It's a bit heavy but then again the desired criteria is fairly dynamic itself. All things considered fail2ban is about as light weight as you're going to get in trying to solve this class of problems using a standard tool.â Bratchley
Oct 16 '17 at 15:43
1
1
Well I suppose you could write a suid-root binary cgi, host it as /phpmyadmin, that adds the firewall rule of its caller.
â Joshua
Oct 16 '17 at 16:44
Well I suppose you could write a suid-root binary cgi, host it as /phpmyadmin, that adds the firewall rule of its caller.
â Joshua
Oct 16 '17 at 16:44
add a comment |Â
up vote
7
down vote
Don't. At best you'll achieve nothing but making your logs less cluttered; at worst you'll end up blocking legitimate visitors who happened to get (via DHCP) an IP address that used to belong to someone whose PC was infected as a botnet node.
The real problem here is the log clutter, and it can be solved just by configuring your logging to drop requests that are known vuln-scanning for vulns your site doesn't, and won't, have because you're not using the vulnerable frameworks they're scanning for. If you're concerned about complete loss of logging (perhaps they provide evidence suggesting who was responsible for a different attack, or when an attack began, etc.) then just throttling multiple log entries for junk URLs from a given IP in a short timespan should work better.
6
fail2banbans are temporary - X hits of a bad login attempt within Y seconds, Z minute ban, with configurable X Y and Z. Dropping logs of active intrusion attempts sounds to me like a significantly more dangerous choice.
â Shadur
Oct 16 '17 at 17:02
2
in the 0.1% chance this happens, legitimate users to this instance of phpmyadmin should be able to just message OP to get unblocked. Also, fail2ban can shut out a scanning attack before it happens to hit the unpatched or zero day vulnerability on your server.
â Segfault
Oct 16 '17 at 17:18
1
@Segfault: There presumably are no legitimate users of/phymyadmin/because/phymyadmin/doesn't exist on the server (see: 404). Rather the legitimate users in question are any users of the site who would be blocked by firewalling them.
â R..
Oct 16 '17 at 17:19
1
The "best" actually includes further tests being blocked including ones that might have actually succeeded. Playing around with the log contents also seems like a good way to lose information when you realize you've made some sort of error in your filter. If you're worried about log clutter then you need an analytics platform like ELK to sift through it all for the stuff you're interested in.
â Bratchley
Oct 17 '17 at 3:57
2
The other, related, issue is the increasing use of CGN. An ISP can have hundreds of customers sharing a single IP address, making IP blocking dangerous at best, even temporary ones. You can have a legitimate user and an active scan from the same address at the same time.
â Bob
Oct 17 '17 at 6:38
 |Â
show 4 more comments
up vote
7
down vote
Don't. At best you'll achieve nothing but making your logs less cluttered; at worst you'll end up blocking legitimate visitors who happened to get (via DHCP) an IP address that used to belong to someone whose PC was infected as a botnet node.
The real problem here is the log clutter, and it can be solved just by configuring your logging to drop requests that are known vuln-scanning for vulns your site doesn't, and won't, have because you're not using the vulnerable frameworks they're scanning for. If you're concerned about complete loss of logging (perhaps they provide evidence suggesting who was responsible for a different attack, or when an attack began, etc.) then just throttling multiple log entries for junk URLs from a given IP in a short timespan should work better.
6
fail2banbans are temporary - X hits of a bad login attempt within Y seconds, Z minute ban, with configurable X Y and Z. Dropping logs of active intrusion attempts sounds to me like a significantly more dangerous choice.
â Shadur
Oct 16 '17 at 17:02
2
in the 0.1% chance this happens, legitimate users to this instance of phpmyadmin should be able to just message OP to get unblocked. Also, fail2ban can shut out a scanning attack before it happens to hit the unpatched or zero day vulnerability on your server.
â Segfault
Oct 16 '17 at 17:18
1
@Segfault: There presumably are no legitimate users of/phymyadmin/because/phymyadmin/doesn't exist on the server (see: 404). Rather the legitimate users in question are any users of the site who would be blocked by firewalling them.
â R..
Oct 16 '17 at 17:19
1
The "best" actually includes further tests being blocked including ones that might have actually succeeded. Playing around with the log contents also seems like a good way to lose information when you realize you've made some sort of error in your filter. If you're worried about log clutter then you need an analytics platform like ELK to sift through it all for the stuff you're interested in.
â Bratchley
Oct 17 '17 at 3:57
2
The other, related, issue is the increasing use of CGN. An ISP can have hundreds of customers sharing a single IP address, making IP blocking dangerous at best, even temporary ones. You can have a legitimate user and an active scan from the same address at the same time.
â Bob
Oct 17 '17 at 6:38
 |Â
show 4 more comments
up vote
7
down vote
up vote
7
down vote
Don't. At best you'll achieve nothing but making your logs less cluttered; at worst you'll end up blocking legitimate visitors who happened to get (via DHCP) an IP address that used to belong to someone whose PC was infected as a botnet node.
The real problem here is the log clutter, and it can be solved just by configuring your logging to drop requests that are known vuln-scanning for vulns your site doesn't, and won't, have because you're not using the vulnerable frameworks they're scanning for. If you're concerned about complete loss of logging (perhaps they provide evidence suggesting who was responsible for a different attack, or when an attack began, etc.) then just throttling multiple log entries for junk URLs from a given IP in a short timespan should work better.
Don't. At best you'll achieve nothing but making your logs less cluttered; at worst you'll end up blocking legitimate visitors who happened to get (via DHCP) an IP address that used to belong to someone whose PC was infected as a botnet node.
The real problem here is the log clutter, and it can be solved just by configuring your logging to drop requests that are known vuln-scanning for vulns your site doesn't, and won't, have because you're not using the vulnerable frameworks they're scanning for. If you're concerned about complete loss of logging (perhaps they provide evidence suggesting who was responsible for a different attack, or when an attack began, etc.) then just throttling multiple log entries for junk URLs from a given IP in a short timespan should work better.
edited Oct 16 '17 at 17:15
answered Oct 16 '17 at 16:57
R..
1,500913
1,500913
6
fail2banbans are temporary - X hits of a bad login attempt within Y seconds, Z minute ban, with configurable X Y and Z. Dropping logs of active intrusion attempts sounds to me like a significantly more dangerous choice.
â Shadur
Oct 16 '17 at 17:02
2
in the 0.1% chance this happens, legitimate users to this instance of phpmyadmin should be able to just message OP to get unblocked. Also, fail2ban can shut out a scanning attack before it happens to hit the unpatched or zero day vulnerability on your server.
â Segfault
Oct 16 '17 at 17:18
1
@Segfault: There presumably are no legitimate users of/phymyadmin/because/phymyadmin/doesn't exist on the server (see: 404). Rather the legitimate users in question are any users of the site who would be blocked by firewalling them.
â R..
Oct 16 '17 at 17:19
1
The "best" actually includes further tests being blocked including ones that might have actually succeeded. Playing around with the log contents also seems like a good way to lose information when you realize you've made some sort of error in your filter. If you're worried about log clutter then you need an analytics platform like ELK to sift through it all for the stuff you're interested in.
â Bratchley
Oct 17 '17 at 3:57
2
The other, related, issue is the increasing use of CGN. An ISP can have hundreds of customers sharing a single IP address, making IP blocking dangerous at best, even temporary ones. You can have a legitimate user and an active scan from the same address at the same time.
â Bob
Oct 17 '17 at 6:38
 |Â
show 4 more comments
6
fail2banbans are temporary - X hits of a bad login attempt within Y seconds, Z minute ban, with configurable X Y and Z. Dropping logs of active intrusion attempts sounds to me like a significantly more dangerous choice.
â Shadur
Oct 16 '17 at 17:02
2
in the 0.1% chance this happens, legitimate users to this instance of phpmyadmin should be able to just message OP to get unblocked. Also, fail2ban can shut out a scanning attack before it happens to hit the unpatched or zero day vulnerability on your server.
â Segfault
Oct 16 '17 at 17:18
1
@Segfault: There presumably are no legitimate users of/phymyadmin/because/phymyadmin/doesn't exist on the server (see: 404). Rather the legitimate users in question are any users of the site who would be blocked by firewalling them.
â R..
Oct 16 '17 at 17:19
1
The "best" actually includes further tests being blocked including ones that might have actually succeeded. Playing around with the log contents also seems like a good way to lose information when you realize you've made some sort of error in your filter. If you're worried about log clutter then you need an analytics platform like ELK to sift through it all for the stuff you're interested in.
â Bratchley
Oct 17 '17 at 3:57
2
The other, related, issue is the increasing use of CGN. An ISP can have hundreds of customers sharing a single IP address, making IP blocking dangerous at best, even temporary ones. You can have a legitimate user and an active scan from the same address at the same time.
â Bob
Oct 17 '17 at 6:38
6
6
fail2ban bans are temporary - X hits of a bad login attempt within Y seconds, Z minute ban, with configurable X Y and Z. Dropping logs of active intrusion attempts sounds to me like a significantly more dangerous choice.â Shadur
Oct 16 '17 at 17:02
fail2ban bans are temporary - X hits of a bad login attempt within Y seconds, Z minute ban, with configurable X Y and Z. Dropping logs of active intrusion attempts sounds to me like a significantly more dangerous choice.â Shadur
Oct 16 '17 at 17:02
2
2
in the 0.1% chance this happens, legitimate users to this instance of phpmyadmin should be able to just message OP to get unblocked. Also, fail2ban can shut out a scanning attack before it happens to hit the unpatched or zero day vulnerability on your server.
â Segfault
Oct 16 '17 at 17:18
in the 0.1% chance this happens, legitimate users to this instance of phpmyadmin should be able to just message OP to get unblocked. Also, fail2ban can shut out a scanning attack before it happens to hit the unpatched or zero day vulnerability on your server.
â Segfault
Oct 16 '17 at 17:18
1
1
@Segfault: There presumably are no legitimate users of
/phymyadmin/ because /phymyadmin/ doesn't exist on the server (see: 404). Rather the legitimate users in question are any users of the site who would be blocked by firewalling them.â R..
Oct 16 '17 at 17:19
@Segfault: There presumably are no legitimate users of
/phymyadmin/ because /phymyadmin/ doesn't exist on the server (see: 404). Rather the legitimate users in question are any users of the site who would be blocked by firewalling them.â R..
Oct 16 '17 at 17:19
1
1
The "best" actually includes further tests being blocked including ones that might have actually succeeded. Playing around with the log contents also seems like a good way to lose information when you realize you've made some sort of error in your filter. If you're worried about log clutter then you need an analytics platform like ELK to sift through it all for the stuff you're interested in.
â Bratchley
Oct 17 '17 at 3:57
The "best" actually includes further tests being blocked including ones that might have actually succeeded. Playing around with the log contents also seems like a good way to lose information when you realize you've made some sort of error in your filter. If you're worried about log clutter then you need an analytics platform like ELK to sift through it all for the stuff you're interested in.
â Bratchley
Oct 17 '17 at 3:57
2
2
The other, related, issue is the increasing use of CGN. An ISP can have hundreds of customers sharing a single IP address, making IP blocking dangerous at best, even temporary ones. You can have a legitimate user and an active scan from the same address at the same time.
â Bob
Oct 17 '17 at 6:38
The other, related, issue is the increasing use of CGN. An ISP can have hundreds of customers sharing a single IP address, making IP blocking dangerous at best, even temporary ones. You can have a legitimate user and an active scan from the same address at the same time.
â Bob
Oct 17 '17 at 6:38
 |Â
show 4 more comments
up vote
4
down vote
find the phpMyAdmin.conf in one of the httpd config directories and add deny 73.199.136.112 in allow / deny section of the config file and a require IP in the 2.4 section. I have put an example of the full config file below where I have the entries in reverse, i block everything but the allowed IP segments to access the tool.
[thebtm@server conf.d]# cat /etc/httpd/conf.d/phpMyAdmin.conf
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
AddDefaultCharset UTF-8
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 10.10.26
Require ip 192.168.56
Require ip 127.0.0.1
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 10.10.25
Allow from 192.168.56
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
<Directory /usr/share/phpMyAdmin/setup/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip 127.0.0.1
Require ip ::1
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
# These directories do not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>
<Directory /usr/share/phpMyAdmin/setup/lib/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>
<Directory /usr/share/phpMyAdmin/setup/frames/>
Order Deny,Allow
Deny from All
Allow from None
</Directory>
# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#<IfModule mod_security.c>
# <Directory /usr/share/phpMyAdmin/>
# SecRuleInheritance Off
# </Directory>
#</IfModule>
This is awesome. But the problem is there are constant bots from many different IPs. I cannot possibly keep up with every different IP as I get between 20-30 unique malicious IPs per day.
– Whitecat
Oct 16 '17 at 15:27
2
That is why I showed the reverse where you allow the segments you want to have access and auto block the rest.
– thebtm
Oct 16 '17 at 15:38
Alias /phpmyadmin /usr/share/phpMyAdmind: /phpmyadmin should be changed to something else for security purposes. Alias /secret /usr/share/phpMyAdmind
– nicoX
Oct 18 '17 at 15:20
I modified the default config file that comes with the tool when you install it and made up some random IP addresses.
– thebtm
Oct 18 '17 at 15:24
answered Oct 16 '17 at 15:17
thebtm
710411
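To see how the allow-list in this answer actually evaluates, here is an added Python example (not from the answer, Apache or phpMyAdmin) that models the matching rules of Require ip / Allow from, including the partial-address form 10.10.26 used above, and runs them over two access-log lines: the first copied from the question, the second constructed with an address inside the allowed segment. Note that the 2.2 block lists 10.10.25 where the 2.4 block lists 10.10.26, so the same client can be accepted by one and refused by the other; ALLOWED_22 and ALLOWED_24 reproduce both.

```python
import ipaddress
import re

# Allow-lists copied from the answer's Apache 2.4 and 2.2 blocks (they differ
# in the first segment: 10.10.26 versus 10.10.25).
ALLOWED_24 = ["10.10.26", "192.168.56", "127.0.0.1", "::1"]
ALLOWED_22 = ["10.10.25", "192.168.56", "127.0.0.1", "::1"]

def require_ip_network(spec):
    """Turn one 'Require ip' / 'Allow from' argument into an ip_network.

    Apache accepts a full address, a CIDR/netmask, or a partial IPv4 address
    whose leading octets are the network prefix ('10.10.26' = 10.10.26.0/24).
    """
    if "/" in spec or ":" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        prefix = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(octets) + "/%d" % prefix, strict=False)
    return ipaddress.ip_network(spec)

def is_allowed(client, allowed=ALLOWED_24):
    """True if the client address matches any entry (RequireAny semantics)."""
    addr = ipaddress.ip_address(client)
    return any(addr in require_ip_network(s) for s in allowed)

# Apache combined-log prefix: client, ident, user, [time], "method path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: the first line is the question's log entry, the second
# is an invented request from an address inside the allowed 10.10.26 segment.
SAMPLE_LOG = """\
73.199.136.112 - - [16/Oct/2017:05:18:05 -0700] "HEAD /phpMyadmin/ HTTP/1.0" 404 182 "-" "Mozilla/5.0 Jorgee"
10.10.26.7 - - [16/Oct/2017:08:00:01 -0700] "GET /phpmyadmin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def admin_probes(log_text, allowed=ALLOWED_24):
    """Map each client that requested a phpMyAdmin-style path to whether the
    allow-list would admit it (False = the Directory block answers 403)."""
    result = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "phpmyadmin" in m.group(3).lower():
            result[m.group(1)] = is_allowed(m.group(1), allowed)
    return result
```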
4
This will clean up your log files, but won't help with security at all. Either always keep your phpmyadmin up-to-date, or access it only from localhost (and block all other traffic). To access the remote server, tunnel the port via ssh.
– Stefan M
Oct 16 '17 at 15:21
I think it will help security because it will block the malicious IP addresses who try to access that site.
– Whitecat
Oct 16 '17 at 15:28
@Whitecat the 404 HTTP code means Page not found. How do you sense that these IP's are offending IP's? Based on what output do you decide to block these IP's?
– Valentin B
Oct 16 '17 at 15:29
I want to block the ip based on the fact that they are going to phpMyAdmin. I have secured my site and I know anyone going to that page is malicious.
– Whitecat
Oct 16 '17 at 15:31
1
Why don't you create a .htpasswd?
– nicoX
Oct 16 '17 at 19:26