How to block these?

Discussion in 'General' started by anewday, Aug 7, 2010.

  1. anewday

    anewday Moderator

    I see a ton of these entries in the error_log from different IPs but they don't appear on the domain access logs. It doesn't show any specific vhost. :confused:

    Code:
    2010-08-05 21:13:18.275	INFO	[200.111.13.242:23166-68#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.5.7/scripts/setup.php]
    2010-08-05 21:13:18.313	INFO	[200.111.13.242:26240-80#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.0-rc3/scripts/setup.php]
    2010-08-05 21:13:18.499	INFO	[200.111.13.242:23166-69#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.5.8/scripts/setup.php]
    2010-08-05 21:13:18.509	INFO	[200.111.13.242:26240-81#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.0/scripts/setup.php]
    2010-08-05 21:13:18.724	INFO	[200.111.13.242:26240-82#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.1-pl1/scripts/setup.php]
    2010-08-05 21:13:18.726	INFO	[200.111.13.242:23166-70#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.5.9/scripts/setup.php]
    2010-08-05 21:13:18.914	INFO	[200.111.13.242:26240-83#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.1-pl2/scripts/setup.php]
    2010-08-05 21:13:18.955	INFO	[200.111.13.242:23166-71#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.0-alpha/scripts/setup.php]
    2010-08-05 21:13:19.099	INFO	[200.111.13.242:26240-84#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.1-pl3/scripts/setup.php]
    2010-08-05 21:13:19.176	INFO	[200.111.13.242:23166-72#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.0-alpha2/scripts/setup.php]
    2010-08-05 21:13:19.314	INFO	[200.111.13.242:26240-85#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.1-rc1/scripts/setup.php]
    2010-08-05 21:13:19.396	INFO	[200.111.13.242:23166-73#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.0-beta1/scripts/setup.php]
    2010-08-05 21:13:19.520	INFO	[200.111.13.242:26240-86#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.1-rc2/scripts/setup.php]
    2010-08-05 21:13:19.620	INFO	[200.111.13.242:23166-74#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.0-beta2/scripts/setup.php]
    2010-08-05 21:13:19.713	INFO	[200.111.13.242:26240-87#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.1/scripts/setup.php]
    2010-08-05 21:13:19.844	INFO	[200.111.13.242:23166-75#APVH_Default] File not found [/usr/local/apache/htdocs/phpMyAdmin-2.6.0-pl1/scripts/setup.php]
    
    Code:
    2010-08-04 04:08:00.333	INFO	[74.63.192.178:4555-0#APVH_Default] File not found [/usr/local/apache/htdocs/w00tw00t.at.ISC.SANS.DFind:)]
    2010-08-04 04:08:00.335	INFO	[74.63.192.178:4557-0#APVH_Default] File not found [/usr/local/apache/htdocs/w00tw00t.at.ISC.SANS.DFind:)]
    2010-08-04 04:08:01.035	INFO	[74.63.192.178:2197-0#APVH_Default] File not found [/usr/local/apache/htdocs/w00tw00t.at.ISC.SANS.DFind:)]
    2010-08-04 04:33:36.602	INFO	[174.132.220.130:3487-0#APVH_Default] File not found [/usr/local/apache/htdocs/w00tw00t.at.ISC.SANS.DFind:)]
    2010-08-04 04:33:36.603	INFO	[174.132.220.130:3488-0#APVH_Default] File not found [/usr/local/apache/htdocs/w00tw00t.at.ISC.SANS.DFind:)]
    2010-08-04 04:33:36.606	INFO	[174.132.220.130:3489-0#APVH_Default] File not found [/usr/local/apache/htdocs/w00tw00t.at.ISC.SANS.DFind:)]
    2010-08-04 04:33:37.445	INFO	[174.132.220.130:4075-0#APVH_Default] File not found [/usr/local/apache/htdocs/w00tw00t.at.ISC.SANS.DFind:)]
    
    Is there any way to ban those IPs automatically?
  2. NiteWave

    NiteWave Administrator

    You can try fail2ban to search error_log for "File not found". Configure it so that, for example, when there are 15 "File not found" log entries from a single IP within 1 minute, the IP is banned for 10 minutes.
  3. anewday

    anewday Moderator

    Any way to block access to those? It is filling up the logs.
  4. NiteWave

    NiteWave Administrator

    Install fail2ban and configure it as I suggested in my previous post. The IP will be blocked by the firewall (iptables), so it will not reach lsws and will not leave more entries in error_log.
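
The threshold suggested in the replies above (15 "File not found" entries from one IP within 1 minute), modeled in Python as an added example that is not part of the original thread and is not fail2ban's own code. The sample lines and their documentation-range IPs are constructed, and `find_offenders` and `sample_log` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the error_log format shown in the thread:
# "<timestamp> INFO [<ip>:<port>-<n>#<vhost>] File not found [<path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+INFO\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+-\d+#[^\]]*\] File not found \["
)

def find_offenders(lines, max_hits=15, window=timedelta(minutes=1)):
    """Return {ip: timestamp of the hit that reached max_hits inside window}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # other log messages are ignored
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_hits and ip not in offenders:
            offenders[ip] = ts
    return offenders

def sample_log():
    """Constructed lines in the thread's format: one fast scanner, one slow prober."""
    start = datetime(2010, 8, 5, 21, 13, 18)
    fmt = "{}\tINFO\t[{}:23166-{}#APVH_Default] File not found [/usr/local/apache/htdocs/{}]"
    stamp = lambda t: t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    lines = [fmt.format(stamp(start + timedelta(milliseconds=200 * i)), "192.0.2.10",
                        i, f"phpMyAdmin-{i}/scripts/setup.php") for i in range(16)]
    lines += [fmt.format(stamp(start + timedelta(minutes=25 * i)), "198.51.100.7",
                         0, "w00tw00t.at.ISC.SANS.DFind:)") for i in range(4)]
    lines.append("2010-08-05 21:13:18.000\tNOTICE\tconstructed unrelated message")
    return lines

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{ip} reached the threshold at {when}")
```

Running the same regex and threshold over a copy of the real error_log before enabling a ban shows which addresses would be caught and whether any legitimate client generates enough 404s to trip it.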
