Hello,

I have a VPS open to the hostile web and I would recommend a few things.

Firstly, change your SSH port. Check the logs for this; you will most likely be getting attacks on this too, and changing the port will stop most script kiddies.

Secondly, install fail2ban and set it up to check the Apache and SSH logs. It will automatically create iptables rules to block attacks from the attacking IP address for an hour, or however long you want.

Thirdly, disable root SSH logon and use the sudo command; therefore, if you were compromised, you would limit the damage without allowing the root password to be compromised!

Hope this helps!

Joshua
www.jhaos-theory.co.uk

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Kevin Lucas <kevin.lucas@xxxxxxxxxxxxxxxxxx>
Sender: list-bounces@xxxxxxxxxxxxx
Date: Tue, 30 Aug 2011 18:59:47
To: LUGList<list@xxxxxxxxxxxxx>
Reply-To: list@xxxxxxxxxxxxx
Subject: [LUG] iptables and hackers

Hi all, hope you all had a good Bank hols. Now I have the router open to the Internet....
What dynamic firewall rules software would you recommend to stop these sorts of attempts?

00.206.117.22 - - [29/Aug/2011:12:48:42 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 488 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:43 +0100] "GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:43 +0100] "GET /admin/mysql/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:44 +0100] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:45 +0100] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 476 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:45 +0100] "GET /_admin/scripts/setup.php HTTP/1.1" 404 476 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:46 +0100] "GET /admin/scripts/setup.php HTTP/1.1" 404 474 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:47 +0100] "GET admin/scripts/setup.php HTTP/1.1" 400 472 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:47 +0100] "GET /admm/scripts/setup.php HTTP/1.1" 404 473 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:48 +0100] "GET /admn/scripts/setup.php HTTP/1.1" 404 473 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:48 +0100] "GET /backup/phpmyadmin/scripts/setup.php HTTP/1.1" 404 482 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:49 +0100] "GET /backup/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 482 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:53 +0100] "GET /bkup/phpmyadmin/scripts/setup.php HTTP/1.1" 404 480 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:53 +0100] "GET /bkup/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 480 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:54 +0100] "GET /cpadmindb/scripts/setup.php HTTP/1.1" 404 477 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:54 +0100] "GET /cpadmin/scripts/setup.php HTTP/1.1" 404 475 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:56 +0100] "GET /cpanelmysql/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:56 +0100] "GET /cpanelphpmyadmin/scripts/setup.php HTTP/1.1" 404 481 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:57 +0100] "GET /cpanelsql/scripts/setup.php HTTP/1.1" 404 477 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:58 +0100] "GET /cpdbadmin/scripts/setup.php HTTP/1.1" 404 477 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:58 +0100] "GET /cpphpmyadmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:59 +0100] "GET /databaseadmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:48:59 +0100] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 475 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:00 +0100] "GET /db/scripts/setup.php HTTP/1.1" 404 471 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:01 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 476 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:01 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 476 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:02 +0100] "GET /mysqladminconfig/scripts/setup.php HTTP/1.1" 404 483 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:03 +0100] "GET /mysql-admin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:03 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:05 +0100] "GET /MySQLAdmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:05 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 480 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:06 +0100] "GET /mysql/scripts/setup.php HTTP/1.1" 404 475 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:06 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 475 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:07 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 477 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:08 +0100] "GET /phpm/scripts/setup.php HTTP/1.1" 404 473 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:08 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
200.206.117.22 - - [29/Aug/2011:12:49:09 +0100] "GET /phpMyAdmin1/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"

Obviously 200.206.117.22 is now blocked, but can I have something which looks at the 404, or wherever 479 is, and says "no page found", so they are opportunist hackers and we will block them?

--
________________________________________________________________________
Regards
Kevin Lucas
Minions Post Master (Sub)
sip:kevin.lucas@xxxxxxxxx
www.minionsbandb.co.uk
www.tearooms.minionsbandb.co.uk
FaceBook Minions_shop
Po House, Minions, Liskeard, Cornwall PL14 5LE
01579363386

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
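To illustrate the "count the 404s and block the source" rule Kevin asks for, which is also what fail2ban does against the Apache log in Joshua's second suggestion, here is an added Python example that is not from the thread. It parses combined-format access-log lines, flags any address that produces more than a set number of 404 responses inside a sliding time window, and renders the iptables DROP rule fail2ban would insert. The log sample is constructed from the lines posted above, with 192.0.2.10 as an assumed ordinary visitor; the threshold and window defaults are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_scanners(lines, max_404=4, window=timedelta(minutes=10)):
    """fail2ban-style rule: flag an IP once it exceeds max_404 "no page found"
    responses inside a sliding window (defaults are assumed). Returns {ip: time_flagged}."""
    recent = defaultdict(list)      # ip -> timestamps of its 404s still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue                # only 404 responses count towards the ban
        ip, ts = rec["ip"], rec["ts"]
        recent[ip].append(ts)
        while ts - recent[ip][0] > window:   # expire hits older than the window
            recent[ip].pop(0)
        if len(recent[ip]) > max_404 and ip not in flagged:
            flagged[ip] = ts
    return flagged

def iptables_rules(flagged):
    """Render the DROP rule fail2ban would insert for each flagged address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

# Constructed sample modelled on the lines Kevin posted; 192.0.2.10 is an assumed normal visitor.
SAMPLE_LOG = [
    '200.206.117.22 - - [29/Aug/2011:12:48:42 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 488 "-" "ZmEu"',
    '192.0.2.10 - - [29/Aug/2011:12:48:42 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '200.206.117.22 - - [29/Aug/2011:12:48:43 +0100] "GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 483 "-" "ZmEu"',
    '200.206.117.22 - - [29/Aug/2011:12:48:43 +0100] "GET /admin/mysql/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"',
    '200.206.117.22 - - [29/Aug/2011:12:48:44 +0100] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"',
    '192.0.2.10 - - [29/Aug/2011:12:48:44 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '200.206.117.22 - - [29/Aug/2011:12:48:45 +0100] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 476 "-" "ZmEu"',
]
```

This is only the detection half: fail2ban also removes the rule again when the ban time expires, and a single stray 404 from a genuine visitor (the favicon request above) never reaches the threshold.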