Solved Protection against attempts against a web server

Hello!

I think this looks like attempts to execute some scripts known for vulnerabilities to get access to the server (this is always the same IP address trying all these GETs within 2 seconds):

Code:
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET / HTTP/1.1" 200 147 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /script HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /jenkins/script HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /hudson/script HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /login HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /jenkins/login HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /hudson/login HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /jmx-console HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:45 +0100] "GET /manager/html HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /msd HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /mySqlDumper HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /msd1.24stable HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /msd1.24.4 HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /mysqldumper HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /MySQLDumper HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /mysql HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /sql HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /phpmyadmin HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /phpMyAdmin HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /mysql HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /sql HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /myadmin HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /phpMyAdmin-4.2.1-all-languages HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /phpMyAdmin-4.2.1-english HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET / HTTP/1.1" 200 147 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /sqlite/main.php HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:46 +0100] "GET /SQLite/SQLiteManager-1.2.4/main.php HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:47 +0100] "GET /SQLiteManager-1.2.4/main.php HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:47 +0100] "GET /sqlitemanager/main.php HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:47 +0100] "GET /SQlite/main.php HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"
85.25.***.*** - - [05/Feb/2016:18:01:47 +0100] "GET /SQLiteManager/main.php HTTP/1.1" 404 168 "-" "Python-urllib/2.7" "-"

Is there anything to do? (Maybe yes, but not with pf?)
 
www/mod_security can provide protection against this type of thing. I use my own scripts to add attackers to the firewall, but there are canned solutions. Last time I looked, they had improved their documentation.
 
I just take them and accept it's going to happen. I do check the logs regularly. Notorious scanners I report to their ISP[*] and block the whole address in the firewall.

[*] Take note, these scans are mostly done from compromised servers. The owner usually doesn't have a clue it's happening. Look up the abuse address and write them an email, copy/paste some of the logs and don't put any analysis in your email; let the abuse handler take care of it. Just state the facts and nothing more.
 