
Tool To Block Misbehaving Bots


2 replies to this topic

#1 Scottie

Scottie

    Psycho Mom

  • Admin
  • 6,294 posts
  • Location:Columbia, SC

Posted 02 April 2010 - 07:46 PM

Hey Randy, this one's sort of aimed at you...

I'm wondering if there's a tool (or a tool could be built) that would go through the error logs and add the IP addresses to the .htaccess for bots sniffing around for vulnerabilities.

For example, I keep getting probes like this:

[Fri Apr 02 02:05:16 2010] [error] [client 209.90.98.94] File does not exist: /var/www/cube
[Fri Apr 02 02:05:16 2010] [error] [client 209.90.98.94] File does not exist: /var/www/email
[Fri Apr 02 02:05:16 2010] [error] [client 209.90.98.94] File does not exist: /var/www/login
[Fri Apr 02 02:05:16 2010] [error] [client 209.90.98.94] File does not exist: /var/www/mail
[Fri Apr 02 02:05:16 2010] [error] [client 209.90.98.94] File does not exist: /var/www/rc
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/RC
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/rcube
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/round
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/roundcube
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/RoundCube
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/webmail
[Fri Apr 02 02:05:18 2010] [error] [client 209.90.98.94] File does not exist: /var/www/WebMail
[Thu Apr 01 00:54:47 2010] [error] [client 196.41.2.166] File does not exist: /var/www/phpMyAdmin
[Thu Apr 01 00:54:48 2010] [error] [client 196.41.2.166] File does not exist: /var/www/phpmyadmin
[Thu Apr 01 00:55:16 2010] [error] [client 196.41.2.166] File does not exist: /var/www/phpMyAdmin
[Thu Apr 01 00:55:17 2010] [error] [client 196.41.2.166] File does not exist: /var/www/phpmyadmin
[Sun Mar 28 05:19:57 2010] [error] [client 220.173.235.58] File does not exist: /var/www/phpMyAdmin
[Sun Mar 28 05:19:57 2010] [error] [client 220.173.235.58] File does not exist: /var/www/phpmyadmin
[Sun Mar 28 05:20:50 2010] [error] [client 220.173.235.58] File does not exist: /var/www/mysql
[Sat Mar 27 06:12:10 2010] [error] [client 195.251.255.138] File does not exist: /var/www/mambo
[Sat Mar 27 06:12:10 2010] [error] [client 195.251.255.138] File does not exist: /var/www/dotproject
[Sat Mar 27 06:12:11 2010] [error] [client 195.251.255.138] File does not exist: /var/www/admin
[Sat Mar 27 06:12:11 2010] [error] [client 195.251.255.138] File does not exist: /var/www/webcalendar
[Sat Mar 27 06:12:11 2010] [error] [client 195.251.255.138] File does not exist: /var/www/cal
[Sat Mar 27 06:12:11 2010] [error] [client 195.251.255.138] File does not exist: /var/www/calendar
[Sat Mar 27 06:12:12 2010] [error] [client 195.251.255.138] File does not exist: /var/www/support


These clients are obviously fishing to find something to hack into... every so often I go in manually and grab these addresses and block them, but it would seem a somewhat simple thing to do to give a script a list of keywords and have it add the offending IP addresses to the high level .htaccess.

There might already be something out there that does this and I'm just not looking for the right terms to find it. Anyone know of such a thing?

I'm thinking a couple linux commands and a cron job to kick it off daily shouldn't be too hard... I might take a crack at it but if there's something out there already...

#2 Randy

Randy

    Convert Me!

  • Moderator
  • 17,540 posts

Posted 05 April 2010 - 01:03 PM

Hey Scottie,

Sorry for the slow response. Been a bit tied up recently as I'm sure many here have recognized.

You could certainly build something to sniff the error logs and set it up on a cron job to look for X number of attempts over Y amount of time, then have it auto add a Deny for that IP number to the .htaccess file to the server. There may be even such a tool out there already, but if there is one I'm not aware of it.

The reason I don't know of any such tool is that I tend to approach security more from a Server level than a Site level. So the rules get added right at the firewall level on the server, blocking the hack attacks from every site. So I'm looking more for attempts at admin/root types of logins where there are X number of failures in Y minutes. In my case I look for 5 failed login attempts over the course of 3 minutes, which is the standard configuration of the combo of CSF and LFD I use. (FTR, this combo does more than just firewall stuff. It also does some MD5 Sum checking on files running at the server level and reports if new stuff gets installed or some package gets changed. So I know pretty quickly if a server has actually been hacked.)

I do pay attention to error logs, but I do that in a more manual way. Mainly because every now and then I'll change things around and forget to update something somewhere, which then starts reporting errors from real users. The cautionary tale being that you need to be careful when setting up an automated system to make sure you don't inadvertently start blocking access to real users. Especially since once you block 'em they won't have a way to report it to you.

The other issue I would have with an auto type blocker is that it would require the .htaccess to be writable. Which is something I try to avoid at all costs. I just don't like to open up such a security hole by allowing a script to change my .htaccess without my knowledge or prior permission. The idea of a writable .htaccess is counter productive where security is the main concern IMHO. So I'd rather take a couple of minutes every week or two to look at the error logs with my own eyes, then decide if I want to put a block into place.

There are a lot of log file analyzers out there that will drop the info into a MySQL database to make it easier to search. I don't use any of those personally at the moment. But there should be several freebie options out there that will allow you to parse, store and review the data in multiple ways. I'd use one of those before I went out and created a new one.
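Here is an added example (not code from either poster) of the kind of script Scottie describes in #1, shaped by Randy's two caveats in #2: it applies an X-hits-in-Y-minutes rule (5 in 3 minutes) only to "File does not exist" errors whose path matches a keyword list, so a real user hitting a stale link is not caught, and it prints Deny lines for a human to paste into .htaccess rather than writing the file itself. The sample log is constructed to match the error_log format quoted above; the keyword list and allowlist are assumed values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the error_log excerpt in the thread.
SAMPLE_LOG = """\
[Fri Apr 02 02:05:16 2010] [error] [client 209.90.98.94] File does not exist: /var/www/webmail
[Fri Apr 02 02:05:16 2010] [error] [client 209.90.98.94] File does not exist: /var/www/roundcube
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/RoundCube
[Fri Apr 02 02:05:17 2010] [error] [client 209.90.98.94] File does not exist: /var/www/phpMyAdmin
[Fri Apr 02 02:05:18 2010] [error] [client 209.90.98.94] File does not exist: /var/www/mysql
[Thu Apr 01 00:54:47 2010] [error] [client 196.41.2.166] File does not exist: /var/www/phpMyAdmin
[Thu Apr 01 00:54:48 2010] [error] [client 196.41.2.166] File does not exist: /var/www/phpmyadmin
[Fri Apr 02 03:10:00 2010] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
"""

# Apache 2.2 error_log shape: [date] [error] [client IP] File does not exist: path
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"File does not exist: (?P<path>\S+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Probe keywords: names that do not exist on this server (assumed list; tune per site).
KEYWORDS = ("phpmyadmin", "webmail", "roundcube", "mysql", "mambo", "admin")
THRESHOLD, WINDOW = 5, timedelta(minutes=3)  # X hits in Y minutes (Randy's figures)
ALLOWLIST = {"127.0.0.1"}  # never propose blocks for these (assumed: your own IPs)

def find_probers(lines):
    """Return client IPs with at least THRESHOLD keyword hits inside any WINDOW."""
    hits = defaultdict(list)  # ip -> timestamps of keyword-matching misses
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m["path"].rsplit("/", 1)[-1].lower()
        if m["ip"] not in ALLOWLIST and any(k in name for k in KEYWORDS):
            hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    probers = set()
    for ip, times in hits.items():
        times.sort()  # sliding window: THRESHOLD consecutive hits within WINDOW
        for i in range(len(times) - THRESHOLD + 1):
            if times[i + THRESHOLD - 1] - times[i] <= WINDOW:
                probers.add(ip)
                break
    return sorted(probers)

def deny_lines(ips):
    """Apache 2.2 mod_authz_host lines, emitted for review, not written to .htaccess."""
    return [f"Deny from {ip}" for ip in ips]

if __name__ == "__main__":  # prints "Deny from 209.90.98.94" for the sample above
    print("\n".join(deny_lines(find_probers(SAMPLE_LOG.splitlines()))))
```

Only 209.90.98.94 trips the rule; 196.41.2.166 stays under the threshold and the favicon miss from 10.0.0.7 matches no keyword, so a daily cron run of this leaves the reviewer a short list to approve by hand.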

#3 Scottie

Scottie

    Psycho Mom

  • Admin
  • 6,294 posts
  • Location:Columbia, SC

Posted 06 April 2010 - 09:40 AM

Good info Randy, I'll look into that. I've gotten a little obsessed with going through my server logs lately...
