Blocking apache attacks

I set up a simple WordPress personal blog last week. I noticed from the Apache logs it’s being attacked by someone in Russia, who knows why…

77.220.185.190 - - [13/Dec/2010:03:13:02 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 316 "-" "ZmEu"
77.220.185.190 - - [13/Dec/2010:03:13:02 -0500] "GET /htdocs/ HTTP/1.1" 404 282 "-" "ZmEu"
77.220.185.190 - - [13/Dec/2010:03:13:04 -0500] "GET /phpMyAdmin-2.11.11-all-languages/ HTTP/1.1" 404 308 "-" "ZmEu"
77.220.185.190 - - [13/Dec/2010:03:13:05 -0500] "GET /phpMyAdmin-2.11.1-all-languages/ HTTP/1.1" 404 307 "-" "ZmEu"
goes on for about 200 lines…

Anyways, I’ve read a lot of posts regarding these types of attacks and other than keeping my server up to date, there isn’t much I can do. One suggestion I read was to block certain countries from accessing my server, which seems ok I guess.

I have looked all over Webmin and Virtualmin for the screen where I can block IPs or ranges of IPs - I can’t find it. I would appreciate it if someone could point me to the right module so I can block some of these attacks. Or how to write an IP block config file and where to put it.

Much thanks.

BTW, I could not be happier with Virtualmin and Webmin. Great software.
Best,
-john

Howdy,

There are indeed bots scouring the Internet, looking for security holes.

In my opinion, if there are security vulnerabilities on the apps running on your server – blocking IPs isn’t really going to help… at best, it may prolong how long it takes those bots to find the holes on your server :)

To really keep the bad guys out, you need to keep on top of the apps running on your server, and make sure your users keep their web apps up to date.

One proactive step to take would be to use Apache’s mod_security module, which uses various rules to identify attacks against your server in real-time, and will block the request. You can read about mod_security here:

http://www.modsecurity.org/

That said, if you want to block IPs, you can do so by going into Webmin -> Networking -> Linux Firewall. From there, you can create a new chain, and then start adding rules to that chain.

However, I personally wouldn’t be too concerned about the log entries you saw in your Apache logs. Mine are filled with those! All those mean is that a bot stopped by your server, looked for vulnerabilities, and if you’re using an up to date version of phpMyAdmin – chances are it found none, and moved on :)

-Eric
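
Added example, not part of the original posts: a small Python script that reads an Apache combined-format access log, flags clients that look like the scanner in the quoted lines (the "ZmEu" user-agent, or many distinct 404 paths), and renders DROP rules for a separate firewall chain of the kind described above. The chain name `BLOCKLIST`, the 404 threshold and the sample log are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Apache combined log format, modelled on the lines quoted in the thread.
SAMPLE_LOG = '''\
77.220.185.190 - - [13/Dec/2010:03:13:02 -0500] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 316 "-" "ZmEu"
77.220.185.190 - - [13/Dec/2010:03:13:02 -0500] "GET /htdocs/ HTTP/1.1" 404 282 "-" "ZmEu"
77.220.185.190 - - [13/Dec/2010:03:13:04 -0500] "GET /phpMyAdmin-2.11.11-all-languages/ HTTP/1.1" 404 308 "-" "ZmEu"
192.0.2.10 - - [13/Dec/2010:03:14:10 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Dec/2010:03:14:11 -0500] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
'''
# Quoted fields may contain backslash-escaped quotes, so match escapes explicitly.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$')
SCANNER_AGENTS = ("zmeu",)  # user-agent seen in the thread's log lines
MIN_404 = 3                 # assumed threshold; tune to your own traffic

def find_scanners(log_text, min_404=MIN_404):
    """Return {ip: reason} for clients that look like vulnerability scanners."""
    not_found = defaultdict(set)  # ip -> distinct paths answered with 404
    agents = defaultdict(set)     # ip -> user-agents seen (lower-cased)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        agents[m["ip"]].add(m["ua"].lower())
        if m["status"] == "404":
            parts = m["req"].split(" ")
            not_found[m["ip"]].add(parts[1] if len(parts) > 1 else m["req"])
    flagged = {}
    for ip in agents:
        if any(s in ua for ua in agents[ip] for s in SCANNER_AGENTS):
            flagged[ip] = "scanner user-agent"
        elif len(not_found[ip]) >= min_404:
            flagged[ip] = f"{len(not_found[ip])} distinct 404 paths"
    return flagged

def iptables_rules(flagged, chain="BLOCKLIST"):
    """Render DROP rules for a user-defined chain (the chain name is an assumption)."""
    rules = [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
    for ip in sorted(flagged):
        ipaddress.IPv4Address(ip)  # raises ValueError for hostnames or IPv6 entries
        rules.append(f"iptables -A {chain} -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules(find_scanners(SAMPLE_LOG))))
```

Review the flagged addresses before applying the printed rules; a broken link on your own site can push a legitimate visitor over the 404 threshold.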

Eric,
Thanks, I feel better about the log files now. I’ll also look to the mod security module.
Best,
John

You could look into something like:

http://www.projecthoneypot.org/httpbl_implementations.php