How can I block hacking attempts targeting phpMyAdmin?
My website gets thousands of hits daily from different IPs trying to access:
/php-myadmin/
/myadmin/
/mysql/
...and thousands of other variations. None of these directories exist; I don't even have phpMyAdmin on my server.
I don't think any of these attempts have been successful; however, they must be taking their toll on the server's resources and wasting bandwidth, so I would like to stop them if possible. I've blocked a handful of these IPs, but they keep coming back with fresh IPs. Is there any way I can prevent this more permanently?
Don't worry about it. Serving a 404 is a tiny, tiny, tiny amount of work for a web server to do. You could probably serve ten 404s a second using a 486. The bandwidth per 404 is negligible; a tiny GET request and a tiny 404 response.
Seriously; don't worry about it. This is just part and parcel of running a server on the internet.
Unfortunately for you, this is how the Internet works. Just ignore it. Thousands of bots/trojans scan the Internet. The source IP will always be random. There is no cure.
The only 100% solution for eliminating that traffic is illustrated below:
An alternative is:
- move HTTP/HTTPS from ports 80/443 to something else. Bots usually don't look for an HTTP server on all the other 65k ports.
- use a VPN to connect to the server (I guess this is not possible if you host a public website).
What you want is Fail2ban (assuming this is a Linux machine; you didn't say...).
What is Fail2ban?
Fail2ban will parse system logs, looking for particular regular expressions to block. When it finds a match (or several matches from the same IP, depending on how you configure it), it will block, typically through IPTables. Typically this is used to block failed authentication attempts against SSH or web servers.
You configure it to ban them for a set amount of time (could be minutes, could be days...depends on how persistent they are), after which the ban will expire, unless they try again.
How does this help block phpmyadmin scanning bots?
It can just as easily be used to match common signs of an attack, like trying to access non-existent phpmyadmin folders. You will have to figure out the correct regular expression to match such attempts, and ensure you don't block legitimate users.
The configuration given in this blog post may work verbatim or require some tweaking for your setup.
Why should I block them? The 404 errors don't cost much
Blocking them in iptables DOES have some use - odds are if they are checking for phpMyAdmin vulnerabilities, they may try other services for vulnerabilities as well, until they hit something that works. Banning them will make most bots/scripts give up after a while, and they'll move on to better targets.
Even though the scans don't cost much (unless they actually find a vulnerability), they do flood your logs, making it harder to see successful attacks and problems with your web server.
As the comment below says, Fail2ban does require some system resources. But not much. At the very least I can say I've never had a performance problem I could attribute to Fail2ban. I have however had performance problems from very aggressive scripts trying to brute force passwords or throwing thousands of SQL injection attempts and other exploits per second at my server. Blocking them at the firewall level takes FAR fewer resources than blocking them at the server/application level. It can also be extended to run custom scripts to ban IP addresses - so instead of banning them in IPtables, you could possibly have it ban them in a hardware firewall, or email someone if the same person keeps trying to attack you so you can complain to their ISP or have your datacenter block them on their firewalls.
Any other tips?
It is HIGHLY RECOMMENDED that you whitelist a few IP addresses that you control so you don't accidentally lock yourself out.
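As an added example (not from the answer above or from the Fail2ban project), a Python script that reproduces the filter-and-count logic of such a Fail2ban jail against constructed Apache access-log lines: the regex counts only 404 responses whose path has a whole segment named like phpMyAdmin, so a legitimate visitor reading /blog/mysql-tuning.html is not counted, and the whitelist from the last tip is honoured through an `ignoreip` set. The log lines, IPs and function names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined"-style access-log lines (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "scanner"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /php-myadmin/ HTTP/1.1" 404 209 "-" "scanner"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /myadmin/index.php HTTP/1.1" 404 209 "-" "scanner"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /blog/mysql-tuning.html HTTP/1.1" 200 5120 "-" "Mozilla"
192.0.2.9 - - [10/Oct/2023:13:55:42 +0000] "GET /mysql/ HTTP/1.1" 404 209 "-" "scanner"
192.0.2.9 - - [10/Oct/2023:14:30:00 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "scanner"
"""

# Fail2ban-style failregex: a request whose path contains a phpMyAdmin-like
# name as a whole segment AND which the server answered with 404.
# In a real filter.d/*.conf you would write Fail2ban's <HOST> token in place
# of the (?P<host>...) group; the rest of the pattern is the same.
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) /(?:[^/\s]+/)*(?:php-?my-?admin|pma|myadmin|mysql)'
    r'(?:/\S*)? HTTP/[\d.]+" 404 ',
    re.IGNORECASE,
)


def is_probe(line):
    """True if the log line is a failed phpMyAdmin-style probe."""
    return FAILREGEX.match(line) is not None


def find_bans(log_text, maxretry=3, findtime=timedelta(seconds=600), ignoreip=()):
    """Return hosts that fail maxretry times within findtime, like a Fail2ban jail."""
    hits = defaultdict(list)  # host -> timestamps of matching requests
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m or m.group("host") in ignoreip:  # ignoreip = your whitelist
            continue
        host = m.group("host")
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        # Drop hits older than the findtime window before counting, as Fail2ban does.
        hits[host] = [t for t in hits[host] if ts - t <= findtime] + [ts]
        if len(hits[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", find_bans(SAMPLE_LOG))  # would ban: ['203.0.113.7']
```

The second host makes only two probes 34 minutes apart, so with the default 600-second findtime it is never banned; widening findtime or lowering maxretry is the tuning trade-off the answer refers to.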