How to thwart PHPMyAdmin attacks?

Still relevant almost 4 years later.

Since presumably mod_rewrite is handling the bona fide traffic, these scripts are not going to add much more to the load. But yes, they may cause lag momentarily. In general you are not going to be able to prevent these entirely.

The mods and plugins to mitigate this tend to focus on frequencies and rates prior to blocking the IP at the local firewall (iptables). A better approach should include signatures such as fragments of the (bogus in normal use) directory names. Then it has to be considered how reactive this needs to be. One could adapt parts of the "denyhosts" package (a product to protect against similar issues for SSH password logins) to read behind the log and identify the "signatures" to add the IP addresses to /etc/hosts.deny.

As a rule these people don't come back from the same host, so we might want something quicker. The beauty of open source is that we can tweak it. mod_evasive seems OK, but what if your server is queried legitimately by scripts (curl, wget, and the like)? Hence no CAPTCHA, and the need for whitelists or a reset by POST or GET params.

For those of you worried about the risk of the attack (the OP was not, the OP was bothered by resource consumption), if you actually have phpmyadmin then:

Use per-directory directives.

Order Deny,Allow
Deny from all
Allow from *safe places*

Seriously, very few people should have access. Unless they are a DBA, what justifies the risk? During an incident Apache can be reconfigured on demand to open the door from a single address. If you are away, then VPN in to a VNC/RDP desktop on the same network or use a proxy.

Their script will still hit you for 404s (and at least one 403). Leaving dummy folders and config code for them to find just encourages them. I just use grep -v to filter out the directory names.

Start with not serving any content from the default vhost, so bots that attack you blindly based on just an IP address have less chance of making a request that will trigger any 'heavyweight' action on your side.

Then you can use fail2ban to check the content of your logs and block IPs from which blind scans came.
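Both answers above come down to the same mechanism: read the web server log, look for path fragments that only a phpMyAdmin scanner would request, skip addresses you trust, and feed the rest to a block list (hosts.deny for the denyhosts-style approach in the first answer, a firewall action for the fail2ban approach in the second). The script below is an added illustration of that loop and is not code from either answer or from denyhosts or fail2ban. The log lines are constructed sample data in Apache combined format, and the signature list, the whitelist ranges and the hit threshold are assumptions to be tuned to your own server.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "ZmEu"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /pma/ HTTP/1.1" 404 196 "-" "ZmEu"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.68.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /phpMyAdmin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:58:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, request method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed path fragments that nobody asks for legitimately on a host that does
# not serve phpMyAdmin at those locations; compared case-insensitively.
SIGNATURES = ("phpmyadmin", "/pma/", "/myadmin/", "/mysql/", "setup.php")

# Assumed whitelist: internal network plus a monitoring host that runs curl/wget
# against the server. Matching addresses are never reported, so a legitimate
# script can never be locked out by the signature check.
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("198.51.100.4/32")]


def is_whitelisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def matches_signature(path):
    p = path.lower()
    return any(sig in p for sig in SIGNATURES)


def scan(log_text, threshold=1):
    """Count signature hits per non-whitelisted client address.

    Returns {ip: hit_count} restricted to addresses with at least `threshold`
    hits. Status code is deliberately ignored: a 403 from a Deny directive is
    still a probe, and a 200 from a decoy folder would be too.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip rather than guess
        if is_whitelisted(m["ip"]):
            continue
        if matches_signature(m["path"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def hosts_deny_lines(offenders, daemon="ALL"):
    """Render TCP-wrappers style entries for /etc/hosts.deny, e.g. 'ALL: 203.0.113.7'."""
    return [f"{daemon}: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    # A threshold of 2 ignores a single stray request and still catches a scan
    # that walks several candidate directory names.
    for entry in hosts_deny_lines(scan(SAMPLE_LOG, threshold=2)):
        print(entry)
```

Run over a real access log this would be driven from a tail of the file or a cron job, and the rendered lines appended to /etc/hosts.deny or passed to an iptables rule; fail2ban does the same work with a filter regex and a jail definition, and denyhosts with its own log reader. The threshold is the knob that trades reaction speed against false positives, which matters because, as the first answer notes, the same source address rarely comes back.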