homepage Welcome to WebmasterWorld Guest from 54.205.242.179
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe to WebmasterWorld
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library, Charter, Moderators: phranque

Website Technology Issues Forum

    
Blocking directory scans on web server
stopping hacker scans
vtwins




msg:4183621
 3:22 pm on Aug 7, 2010 (gmt 0)

Hello All,

I'm getting hundreds to thousands of directory scans on my server every day. The country IP changes every time (mostly China, Philippines, Poland and Russia) and when I try to block them by country using .htaccess they just move to another ISP in another country and continue.

They scan for:
/websql/scripts/setup.php
/webdb/scripts/setup.php
/vhcs2/tools/pma/scripts/setup...
/sqlweb/scripts/setup.php
/pma2005/scripts/setup.php
/phpMyAdmin1/scripts/setup.php
/phpMyAdmin-3/scripts/setup.php
/phpMyAdmin-2.8.0/scripts/setup.php

These are a very small random sample of the 1700+ attempts in the last 12 hrs. They hit the server with 1-2 requests per second. I can no longer see the stats for my real visitors without an hour of reading because of this, not to mention the server load and bandwidth.

The .htaccess became useless due to the overhead needed to parse the 2MB file of countries I was blocking, and it wasn't working anyway.

Is there some other way? Like after 3-5 404's in under 1 minute block the requesting IP for 30 minutes, or something similar? I've searched everywhere and can't find a script to do this...

TIA,
Jim

 

Frank_Rizzo




msg:4183637
 4:28 pm on Aug 7, 2010 (gmt 0)

ip blocking is futile. You need to block the keywords.

If using linux you can install mod security. Out of the box it will block many things. When new exploits appear you just need to add new rules.

e.g. if you don't run phpgroupware and want to block whenever anyone tries to access that file:

SecRule REQUEST_URI "phpgroupware" "log,drop,phase:1"

That will drop the packet but you can also add the ip to iptables and ban the ip for an hour, day, week, alltime.

vtwins




msg:4183640
 4:38 pm on Aug 7, 2010 (gmt 0)

Thanks for the reply Frank- I guess I'm off to learn a bit about mod_security

sundaridevi




msg:4221037
 7:35 pm on Oct 23, 2010 (gmt 0)

I've had some problems like this, there are a couple of other very reliable ways, and low overhead, to stop these guys. Send me a PM if you're still looking

lammert




msg:4221285
 2:58 pm on Oct 24, 2010 (gmt 0)

Hi sundaridevi,

Scans for PHPMyAdmin installations are very common on many sites. Instead of sharing your solution by PM with one member, it may therefore be better to discuss it here in the thread. In that case more members will benefit from your knowledge and experience handling these annoying attempts.

sundaridevi




msg:4221371
 8:21 pm on Oct 24, 2010 (gmt 0)

Hi, I wrote to PM because what works would depend on the specific case. Well I'm new here so, here is a short rundown on some things I would try:

- Some general fixes are to install the maxmind.com country geoip database and query it rather than using an htacess solution. The free database is about 95% effective at blocking a given country but you can purchase a much more accurate database. Either one requires install on your server, but if you know php/mysql it's not too hard using their tutorials. If you don't want to install a db then you can install a script to remotely access their paid version which returns the geoloc for a given ip, from country down to metropolitain areas in the USA, it also detects many known proxies.

- To get lots of different IPs hackers must use botnets or proxies. Elite proxies are difficult to detect via environment vars. But many can be easily blocked that way. A simple google search should give you a script to detect basic proxies. So all those should be blocked. Open proxies are also pretty easy to block.

- The last, most difficult, and most important thing to do to foil sophisticated hackers is block botnets. Doing this is similar to the way email spam filters detect spammers. You'll need to query a database of known dirty IPs

If the hackers are just coming from some rogue countries that you don't have any clients from, I would start out by just blocking those countries using maxmind's free solution and then reevaluate. Fighting hackers is a never ending battle.

Good Luck

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved