Every day, a large number of bots visit all sites on the Internet, starting with those that are important to us (for example, yandex, google, etc.) and ending with potentially dangerous ones. After analyzing the web server log, you will see suspicious events. At the moment, more and more types of hacks are being developed that use social engineering (hacking not the software itself, but finding flaws) left by the developer himself, the administrator. Today we will tell you how to block bots that search for backups and installed phpmyadmin. To block such bots, we will use Fail2Ban, a filter and a rule (jail). The work was carried out on Centos 7.
Backup search bots
The bot looks for backups left in the form of an archive, sorting through from the root to various typical folders. If found, it will most likely transfer the information to its owner, but copies contain files and a database that allows you to access the site. Such copies are often forgotten to be deleted after the site is transferred from one server or hosting to another.
Let's add a filter
backup-scan.local
[Definition]
failregex = ^ - - .*./(backup.tgz|backup.zip|backup.tar) HTTP/1.0" 404|301 ignoreregex =
Let's add a rule:
[backup-scan]
enabled = true
filter = backup-scan
action = iptables-multiport[chain="INPUT", name="backup-scan", port="http,https", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
sendmail[dest="admin-mail@domain.tld", sender="fail2ban", sendername="Fail2Ban", name="backup-scan"]
logpath = /var/www/vhosts/system/*/logs/accesslog
maxretry = 5
The number of retries can be reduced, which will significantly increase sensitivity and reduce the load on the web service. We recommend site owners delete all archived backups from their servers. Bots also look for archives with a domain name, etc., here we have given the basic rules.
phpMyAdmin search bots, rootkits, backdoors
These bots search for installed phpMyAdmin in order to further search for vulnerabilities in it and hacking, password guessing attacks. The phpMyAdmin database tool is very popular and is periodically hacked, depending on the installed version, settings.
Let's add a filter:
phpmyadmin.local
[Definition]
failregex = ^ - - ../(phpmyadm1n|mysqladmin)/index.php
^ - - ../(pma.php|pmd_online.php|db_pma.php) HTTP/1.0" (404|301|200)
ignoreregex =
In the filter, we specified 2 conditions at once, the second will block bots that are looking for hosted access scripts left by attackers on previously hacked sites. (handkits, backdoors)
Let's add a rule:
[phpmyadmin-scan]
enabled = true
filter = phpmyadmin
action = iptables-multiport[chain="INPUT", name="phpmyadmin", port="http,https", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
sendmail[dest="admin-mail@domain.tld", sender="fail2ban", sendername="Fail2Ban", name="phpmyadmin-scan"]
logpath = /var/www/vhosts/system/*/logs/accesslog
maxretry = 5
Do not forget to change the email in the settings to your own, it will receive blocking notifications indicating the rule, ip address. The path to the log file must also be checked and specified. In our case, several log files are processed located at the same nesting level, but in different folders. If necessary, you can specify several log files. We recommend removing read permissions after working with phpMyAdmin so that it is unavailable, with frequent use, you can add protection at the web server level using password-protected folders in htaccass and htpasswd.