Hi All,

I want to know thoughts on if I am being too paranoid/security conscious.

CentOS 5.6, Apache, MySQL, running a firewall in front of everything and obviously the built-in firewall on the box. I have ssh on a different port and am starting to use keys instead of password authentication. I host an intensive website and I am getting about 150 unique visitors per day.

What I am seeing is LogWatch reporting a lot of 404's like:

    404 Not Found
       //PHPMA/: 1 Time(s)
       //admin/myadmin/: 1 Time(s)
       //admin/phpmyadmin/: 1 Time(s)
       //adming/: 1 Time(s)
       //ascils/phpmyadmin/: 1 Time(s)
       //blog/wp-content/plugins/phpmyadmin/: 1 Time(s)
       //database/: 2 Time(s)
       //db/: 1 Time(s)
       //dba/: 1 Time(s)
       //dbadmin/: 2 Time(s)
       //html/phpMyAdmin/: 1 Time(s)
       //html/phpmyadmin/: 1 Time(s)
       //lamp/phpmyadmin/: 1 Time(s)
       //myadmin/: 1 Time(s)
       //mydatabase/: 1 Time(s)
       //mydb/: 1 Time(s)
       //myphp/: 1 Time(s)
       //mysql-admin/: 1 Time(s)
       //mysql/: 1 Time(s)
       //mysqladmin/: 2 Time(s)
       //mysqlmanager/: 1 Time(s)
       //phpMyAdmin-2.8.0.2/: 1 Time(s)
       //phpMyAdmin-2.8.1-rc1/: 1 Time(s)
       //phpMyAdmin-2.8.1/: 1 Time(s)
       //phpMyAdmin-2.8.2/: 1 Time(s)
       //phpMyAdmin/: 1 Time(s)
       //phpadm/: 2 Time(s)
       //phpma/: 1 Time(s)
       //phpmanager/: 1 Time(s)
       //phpmy/: 2 Time(s)
       //phpmyadmin/: 1 Time(s)
       //pma/: 1 Time(s)
       //pmaadmin/: 1 Time(s)
       //pmadmin/: 1 Time(s)
       //sql/: 1 Time(s)
       //sqladmin/: 2 Time(s)
       //sqldatabase/: 2 Time(s)
       //sqlmanager/: 1 Time(s)
       //sqlweb/: 1 Time(s)
       //typo3/phpmyadmin/: 1 Time(s)
       //webadmin/: 1 Time(s)
       //webdb/: 1 Time(s)
       //websql/: 1 Time(s)
       //wp-content/plugins/phpMyAdmin/: 1 Time(s)
       //wp-content/plugins/wp-phpmyadmin/: 1 Time(s)
       //xampp/phpmyadmin/: 1 Time(s)

So I turned on Apache ReWrite and I created a file and I put in rules like (just a small subset):

    RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmy(.*) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpma [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmyadmin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpadmin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpgadmin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phppgadmin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmyadmin(.*) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/php\-my\-admin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/php\-myadmin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmy\-admin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/phpmanager [NC,OR]
    RewriteCond %{REQUEST_URI} ^/player(.*) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/plugins [NC,OR]
    RewriteCond %{REQUEST_URI} ^/pma [NC,OR]
    RewriteCond %{REQUEST_URI} ^/p/m/a [NC,OR]
    RewriteCond %{REQUEST_URI} ^/pmadmin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/pmaadmin [NC,OR]
    RewriteCond %{REQUEST_URI} ^/scripts [NC,OR]
    RewriteCond %{REQUEST_URI} ^/sd(.*) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/sql [NC,OR]
    RewriteCond %{REQUEST_URI} ^/sqladmin [NC,OR]

and if one of these is hit I use a Rule of:

    RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]

Every day I look at the LogWatch e-mail and I add one that people are trying to hit and restart Apache.

This yields a few questions.

1. Am I being too paranoid by doing this? My logic is they don't belong here, and I could get mad if someone walked up to my apartment and tried jiggling the door handle to see if it was unlocked.

2. I know I can simplify these rules. Wouldn't RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR] get most of the attempts for things like /php, /php-myadmin, /phpmyadmin-2.0.8.8, etc.?

3. Is there a better way to write these rules?

4. Why does LogWatch show this to me as a 404, when a rewrite rule is hit and they are redirected back to themselves? My rules seem to be working; if I try and hit /scripts right now, it does what I expect.

Can anyone shed some light for me on my thoughts/questions?

-- Jason
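As an added example (not code from the post or from any of the replies), the following Python script checks question 2 against the paths LogWatch reported: it counts how many of the observed probe paths the anchored `^/php(.*)` catches, and compares that with an unanchored pattern that looks for the admin-panel names as whole path segments anywhere in the URI. The probe list is a representative subset copied from the post, with the leading double slash exactly as LogWatch printed it; the "legitimate" paths are a constructed, hypothetical set. One detail worth noticing: if that leading double slash reaches %{REQUEST_URI} unchanged, a pattern anchored on `^/php` never matches it, so the script tests both the raw and the slash-collapsed form.

```python
import re

# Probe paths as LogWatch reported them in the post above (a representative subset,
# with the leading double slash exactly as logged).
OBSERVED_PROBES = [
    "//PHPMA/", "//admin/myadmin/", "//admin/phpmyadmin/",
    "//blog/wp-content/plugins/phpmyadmin/", "//database/", "//db/", "//dbadmin/",
    "//html/phpMyAdmin/", "//lamp/phpmyadmin/", "//myadmin/", "//mysql/",
    "//mysqladmin/", "//phpMyAdmin-2.8.0.2/", "//phpMyAdmin/", "//phpadm/",
    "//phpma/", "//phpmy/", "//phpmyadmin/", "//pma/", "//pmadmin/", "//sql/",
    "//sqladmin/", "//typo3/phpmyadmin/", "//webdb/", "//websql/",
    "//wp-content/plugins/phpMyAdmin/", "//xampp/phpmyadmin/",
]

# Constructed, hypothetical paths a real site might serve; not from the post.
LEGITIMATE_PATHS = [
    "/", "/index.html", "/photos/2011/", "/phpbb/viewtopic.php", "/sqlite-tutorial/",
]

# The catch-all from question 2, as written: anchored at the start; [NC] -> IGNORECASE.
ANCHORED_PHP = re.compile(r"^/php(.*)", re.IGNORECASE)

# Alternative: the admin-panel tokens the scanners ask for, found anywhere in the
# path as a whole segment (preceded by "/" and followed by "/", "-", "." or the end).
PROBE_TOKENS = re.compile(
    r"(?i)(?:^|/)(?:phpmyadmin|phpma|phpmy|phpadm|pmadmin|pma|myadmin|mysqladmin"
    r"|mysql|sqladmin|sql|dbadmin|db|websql|webdb|database)(?:[-./]|$)"
)


def normalize(path):
    """Collapse runs of slashes, which is how the filesystem path would look."""
    return re.sub(r"/+", "/", path)


def coverage(pattern, paths):
    """Return the paths the pattern matches (search semantics, like RewriteCond)."""
    return [p for p in paths if pattern.search(p)]


def report():
    """Summarise how each pattern fares against the probes and the legitimate paths."""
    return {
        "total_probes": len(OBSERVED_PROBES),
        "anchored_raw": len(coverage(ANCHORED_PHP, OBSERVED_PROBES)),
        "anchored_normalized": len(
            coverage(ANCHORED_PHP, [normalize(p) for p in OBSERVED_PROBES])
        ),
        "tokens_raw": len(coverage(PROBE_TOKENS, OBSERVED_PROBES)),
        "anchored_false_positives": coverage(ANCHORED_PHP, LEGITIMATE_PATHS),
        "tokens_false_positives": coverage(PROBE_TOKENS, LEGITIMATE_PATHS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as a script it prints the counts: the anchored rule matches none of the double-slash paths as logged and only 7 of the 27 once the slashes are collapsed (the probes living under /admin/, /xampp/, /wp-content/ and the bare /pma/, /mysql/, /sql/ are all missed), while it does catch a legitimate /phpbb/ URL. The token pattern reaches all 27 without hitting the constructed legitimate set, but short tokens like db and sql will collide with real paths on some sites, so extend LEGITIMATE_PATHS with your own URLs before turning anything like it into a RewriteCond.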
2011/5/8 Jason <slackmoehrle.lists at gmail.com>:
> Hi All,
>
> I want to know thoughts on if I am being too paranoid/security conscious.
>
> CentOS 5.6, Apache, MySQL, running a firewall in front of everything and obviously the built-in firewall on the box. I have ssh on a different port and am starting to use keys instead of password authentication. I host an intensive website and I am getting about 150 unique visitors per day.
>
> What I am seeing is LogWatch reporting a lot of 404's like:
> [...]
> So I turned on Apache ReWrite and I created a file and I put in rules like (just a small subset):
> [...]
> Can anyone shed some light for me on my thoughts/questions?

You should take a look at mod_security: http://www.modsecurity.org/ ; it provides better ways to block hostile attacks and probes.

-- Eero
quick answer: even paranoids have enemies

On Sun, 8 May 2011, Jason wrote:
> So I turned on Apache ReWrite and I created a file and I put in rules like (just a small subset):
>
> RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmy(.*) [NC,OR]
.snip
> 2. I know I can simplify these rules. Wouldn't RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR] get most of the attempts for things like /php, /php-myadmin, /phpmyadmin-2.0.8.8, etc.?
>
> 3. Is there a better way to write these rules?

I wrote about my approach some time ago ...
http://orcorc.blogspot.com/2010/06/reading-logs-part-3-run-your-updates.html

Send them safely off your box, and back home

-- Russ herrold
On 05/08/2011 10:46 AM, Jason wrote:
> 4. Why does LogWatch show this to me as a 404, when a rewrite rule is hit and they are redirected back to themselves? My rules seem to be working; if I try and hit /scripts right now, it does what I expect.
[...]

Because the remote loader is a robot, not a web browser. It is throwing stuff at the wall and seeing what sticks. It flat out doesn't care if you send back a redirect - it is just looking for a response that indicates a vulnerability and anything else is ignored by it.

Redirects are largely ineffective in combating bots hunting for exploitable scripts and programs. You would be better off using something like Fail2Ban to dynamically update firewall rules against detected attackers.

-- Benjamin Franz
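The detection Benjamin Franz describes, as an added Python example (not code from the thread, and not Fail2Ban itself): it parses Apache combined-format access log lines, flags any client that asks for several of the phpMyAdmin-style paths seen in the post within a short window, whatever status code Apache answered with, and renders the iptables rules a Fail2Ban-style action would apply. The log lines are constructed for this example (documentation-only address ranges), and the threshold, window and PROBE_RE token list are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat, as mod_log_config writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Admin-panel names the scanners in the thread ask for, as whole path segments
# (an assumed list; extend it from your own LogWatch reports).
PROBE_RE = re.compile(
    r"(?i)(?:^|/)(?:phpmyadmin|phpma|phpmy|phpadm|pmadmin|pma|myadmin|mysqladmin"
    r"|mysql|sqladmin|sql|dbadmin|db|websql|webdb|database)(?:[-./]|$)"
)

# Constructed sample access log (made up for this example; 203.0.113.x, 198.51.100.x
# and 192.0.2.x are documentation-only address ranges). Note the 301 on the second
# line: a redirect from a rewrite rule is still a probe.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2011:09:12:01 -0700] "GET //phpmyadmin/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2011:09:12:02 -0700] "GET //pma/ HTTP/1.1" 301 - "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2011:09:12:02 -0700] "GET //mysql/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2011:09:12:03 -0700] "GET //phpMyAdmin-2.8.2/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
198.51.100.4 - - [08/May/2011:10:01:17 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [08/May/2011:10:01:18 -0700] "GET /db/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
192.0.2.9 - - [08/May/2011:11:00:00 -0700] "GET //sql/ HTTP/1.1" 404 286 "-" "curl/7.19.7"
192.0.2.9 - - [08/May/2011:12:30:00 -0700] "GET //sqladmin/ HTTP/1.1" 404 286 "-" "curl/7.19.7"
192.0.2.9 - - [08/May/2011:13:45:00 -0700] "GET //dbadmin/ HTTP/1.1" 404 286 "-" "curl/7.19.7"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, threshold=3, window_seconds=600):
    """Return {ip: sorted probe paths} for every client that requested at least
    `threshold` distinct probe paths inside some interval of `window_seconds`.
    The response status is deliberately ignored: a 301 from a rewrite rule and a
    404 from the default handler are the same signal that a scanner is at work."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.search(rec["path"]):
            continue
        hits[rec["ip"]].append((rec["ts"], rec["path"]))

    offenders = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fit in the window.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= threshold:
                offenders[ip] = sorted({path for _, path in events})
                break
    return offenders


def ban_commands(offenders, chain="INPUT"):
    """Render the iptables rules a Fail2Ban-style action would apply (assumption:
    iptables on the box itself; adapt if your front firewall does the banning)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG.splitlines())
    for ip, paths in found.items():
        print(f"{ip}: {len(paths)} probes: {', '.join(paths)}")
    for cmd in ban_commands(found):
        print(cmd)
```

Fail2Ban does the same job with a filter regex over the access log plus a findtime/maxretry pair; `window_seconds` and `threshold` here play those two roles. The last client in the sample spreads its three probes over several hours and escapes a ten-minute window but not a three-hour one, which is the trade-off a findtime setting always makes: a longer window catches slow scanners at the cost of keeping more state and a higher chance of banning a careless but legitimate visitor.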
At Sun, 8 May 2011 10:46:17 -0700 CentOS mailing list <centos at centos.org> wrote:
>
> Hi All,
>
> I want to know thoughts on if I am being too paranoid/security conscious.
>
> CentOS 5.6, Apache, MySQL, running a firewall in front of everything and obviously the built-in firewall on the box. I have ssh on a different port and am starting to use keys instead of password authentication. I host an intensive website and I am getting about 150 unique visitors per day.
>
> What I am seeing is LogWatch reporting a lot of 404's like:
>
> 404 Not Found
> //PHPMA/: 1 Time(s)
> //admin/myadmin/: 1 Time(s)
> //admin/phpmyadmin/: 1 Time(s)
> [...]
> //xampp/phpmyadmin/: 1 Time(s)
>
> So I turned on Apache ReWrite and I created a file and I put in rules like (just a small subset):
>
> RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR]
> RewriteCond %{REQUEST_URI} ^/phpmy(.*) [NC,OR]
> [...]
> RewriteCond %{REQUEST_URI} ^/sql [NC,OR]
> RewriteCond %{REQUEST_URI} ^/sqladmin [NC,OR]
>
> and if one of these is hit I use a Rule of:
>
> RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]
>
> Every day I look at the LogWatch e-mail and I add one that people are trying to hit and restart Apache.
>
> This yields a few questions.
>
> 1. Am I being too paranoid by doing this? My logic is they don't belong here, and I could get mad if someone walked up to my apartment and tried jiggling the door handle to see if it was unlocked.

Well, yes. There is a simpler way -- Apache does have an 'error page' handler, where you can customize your 404 page or how Apache responds to a 'page not found' error.

Doing the redirect is not really going to solve anything anyway. Most (all?) of these accesses are from a program -- a kind of 'bad' robot, which is probably going to ignore the 301 status and come to the conclusion that these URIs are actually working and report success to its (human) master. That will open you up for more (automated) attacks and/or piss off the human hacker, who will just come up with more and nastier attacks or maybe just launch a DoS attack for spite.

You are better off just letting Apache handle these as 404. Imagine you have a storefront and people come by after hours and see the lights off and the closed sign -- people will go away and come back later. Imagine that the lights are on and there is no closed sign, and instead you have some poor clerk there answering the door telling people to go away. That is likely to cause more trouble, since people will just come back in 5-10 minutes and ask if the store is open now. Or worse, wait around until there is some indication that the store is open.

> 2. I know I can simplify these rules. Wouldn't RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR] get most of the attempts for things like /php, /php-myadmin, /phpmyadmin-2.0.8.8, etc.?
>
> 3. Is there a better way to write these rules?
>
> 4. Why does LogWatch show this to me as a 404, when a rewrite rule is hit and they are redirected back to themselves? My rules seem to be working; if I try and hit /scripts right now, it does what I expect.

Question: are you using virtual hosts? If so, then the 'visitors' are either NOT sending HTTP 1.1 headers or not using the virtual host name.

>
> Can anyone shed some light for me on my thoughts/questions?
>

-- 
Robert Heller -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments
on 5/8/2011 10:46 AM Jason spake the following:
> Hi All,
>
> I want to know thoughts on if I am being too paranoid/security conscious.
>
<snip>

You know what they say: "Just because you are paranoid does not mean that someone is NOT out to get you!"