Protect your web server from malicious bots with Fail2Ban

Every day a large number of bots visit every site on the Internet, ranging from those that matter to us (for example the Yandex and Google crawlers) to potentially threatening ones. If you analyse the web server log, you will see suspicious events. Increasingly, attacks rely less on flaws in the software itself and more on shortcomings left behind by the developer and administrator themselves. In this article we show how to block bots that search for backup archives and for an installed phpMyAdmin. To block such bots we use Fail2Ban with a filter and a rule (jail). Tested on CentOS 7.

Backup Search Bots

The bot searches for backups left as archives, working through typical folder names starting from the site root. If it finds one, it will most likely report it to its owner; such copies contain the site files and the database and grant access to the site. These copies are often forgotten and never deleted after the site has been moved from one server or hosting provider to another.

Add a filter backup-scan.local:

[Definition]
# <HOST> is replaced by Fail2Ban with its host-matching group. Dots in the file names
# are escaped and the status codes are grouped: the original "404|301" also matched
# a bare "301" anywhere in a line. HTTP/1.1 requests are matched as well as HTTP/1.0.
failregex = ^<HOST> - - .*"[A-Z]+ /(backup\.rar|backup\.tgz|backup\.zip|backup\.tar|backup\.tar\.gz|dump\.sql|database\.sql|backup\.sql|public_html\.zip|home\.zip|html\.zip|archive\.zip|archive\.rar|archive\.tar|archive\.tar\.gz|archive\.tgz|archive\.sql|bak\.zip|bak\.rar|bak\.tar|bak\.tar\.gz|bak\.sql|bak\.tgz|site\.zip|site\.tgz|www\.zip|www\.rar|www\.tar|www\.tar\.gz|www\.tgz|www\.sql|site\.rar|site\.tar|site\.tar\.gz|site\.sql) HTTP/1\.[01]" (404|301)
ignoreregex =

Add the rule (jail):

[backup-scan]
enabled = true
filter = backup-scan
action = iptables-multiport[chain="INPUT", name="backup-scan", port="http,https", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
         sendmail[dest="admin-mail@domain.tld", sender="fail2ban", sendername="Fail2Ban", name="backup-scan"]
logpath = /var/www/vhosts/system/*/logs/*access*log
maxretry = 5

The number of attempts (maxretry) can be reduced, which significantly increases the sensitivity of the rule and reduces the load on the web service. We recommend that site owners delete all backups stored as archives from their servers. Bots also look for archives named after the domain and so on; here we have given only the basic rules.
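To check what the filter above actually matches before enabling the jail, the following added example (not part of the original article) runs the corrected failregex over constructed access-log lines the way fail2ban-regex would, and shows why the original ungrouped "404|301" tail was a defect. The regex is generalised to every combination of the archive basenames and extensions listed on the page; the IPv4-only <HOST> group and the log lines are assumptions made for this example.

```python
import re
from collections import Counter

# Fail2Ban replaces <HOST> with its own host-matching group; an IPv4-only
# group is enough to exercise the filter offline (the real one also
# matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Corrected backup-scan failregex, generalised to every combination of the
# archive basenames and extensions from the filter (dots escaped, status
# codes grouped, HTTP/1.1 accepted alongside HTTP/1.0).
ARCHIVE_NAMES = "backup|dump|database|archive|bak|site|www|home|html|public_html"
ARCHIVE_EXTS = r"rar|tgz|zip|tar|tar\.gz|sql"
FAILREGEX = (
    r'^<HOST> - - .*"[A-Z]+ /(?:%s)\.(?:%s) HTTP/1\.[01]" (?:404|301)'
    % (ARCHIVE_NAMES, ARCHIVE_EXTS)
)

# The original filter ended in `HTTP/1.0" 404|301`. Without parentheses the
# alternation splits the whole pattern into "<prefix> ... 404" OR a bare "301",
# so any line containing "301" anywhere matches, and the match carries no host.
BUGGY_TAIL = r'^<HOST> - - .*/backup\.zip HTTP/1\.0" 404|301'

# Constructed Apache-style access-log lines (RFC 5737 documentation addresses).
LOGS = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /www.tar.gz HTTP/1.0" 301 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 200 54321 "-" "curl/8.4.0"',
]


def compile_failregex(pattern):
    """Compile a Fail2Ban-style failregex the way fail2ban-regex does."""
    return re.compile(pattern.replace("<HOST>", HOST))


def offending_hosts(pattern, lines):
    """Host captured for each matching line (None when the match carries no host)."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.search, lines) if m]


def hosts_to_ban(pattern, lines, maxretry):
    """Hosts that reach the jail's maxretry threshold within the given lines."""
    counts = Counter(h for h in offending_hosts(pattern, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("corrected:", offending_hosts(FAILREGEX, LOGS))   # two hits for 203.0.113.7
    print("buggy    :", offending_hosts(BUGGY_TAIL, LOGS))  # two hostless hits
    print("ban at maxretry=2:", hosts_to_ban(FAILREGEX, LOGS, 2))
```

Note that the fourth log line, a successful 200 download of backup.zip, is not matched by the page's filter; on a real server that response means the archive exists and must be removed, not merely that the client should be banned.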

Bots searching for phpMyAdmin, rootkits and backdoors

These bots look for an installed phpMyAdmin in order to then probe it for vulnerabilities, break into it or guess its passwords. The phpMyAdmin database tool is very popular and is periodically compromised, depending on the installed version and its settings.

Add a filter phpmyadmin.local:

[Definition]
# Two patterns: probes for phpMyAdmin paths (any status code), and requests for web
# shells left on previously compromised sites. Legitimate phpMyAdmin use also matches
# the first pattern, so add your own administration addresses to ignoreip in the jail.
failregex = ^<HOST> - - .*"[A-Z]+ /(phpmyadm1n|mysqladmin|phpMyAdmin-4\.4\.0|phpmyadmin1|phpMyadmin_bak|phpmyadmin-old|phpMyAdminold|phpMyAdmin\.old|admin/phpMyAdmin|admin/phpmyadmin2|admin/phpmyadmin|myadmin2|admin/phpMyAdmin2|phpMyAdm1n|phpMyadmi|phpMyAdmion|phpMyAdmin|myadmin|phpmyadmin|pma|PMA|pma-old|pmamy|pmamy2|phpma|shaAdmin)/index\.php
            ^<HOST> - - .*"[A-Z]+ /(pma\.php|xshell\.php|shell\.php|wshell\.php|cmd\.php|cmdd\.php|cmx\.php|ak47\.php|ak48\.php|conflg\.php|defect\.php|desktop\.ini\.php|htdocs\.php|lala-dpr\.php|muhstik-dpr\.php|lol\.php|hell\.php|pmd_online\.php|db_pma\.php) HTTP/1\.[01]" (404|301|200)
ignoreregex =

The filter specifies two conditions at once; the second one blocks bots that look for access scripts (rootkits, backdoors) left by attackers on previously hacked sites.

Add the rule (jail):

[phpmyadmin-scan]
enabled = true
filter = phpmyadmin
action = iptables-multiport[chain="INPUT", name="phpmyadmin", port="http,https", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
         sendmail[dest="admin-mail@domain.tld", sender="fail2ban", sendername="Fail2Ban", name="phpmyadmin-scan"]
logpath = /var/www/vhosts/system/*/logs/*access*log
maxretry = 5

Do not forget to change the email address in the settings to your own; notifications about bans triggered by the rule, including the IP addresses, will be sent to it. The path to the log file must also be checked and set to your own. In our case several log files are located at the same nesting level but in different folders; if necessary, you can specify several log files. We recommend removing read permissions from phpMyAdmin after working with it so that it is not accessible; if it is used frequently, you can add protection at the web server level with password-protected folders using .htaccess and .htpasswd.
