strange panel requests from fake google bots

  • - IMSCP: 1.4.3
    - Distribution: Debian 8.6
    - Proftpd
    - PHP FCGID
    - MariaDB 10.0
    - Courier
    - Roundcube
    - Pydio
    - Plugins:
    PanelRedirect 1.1.5, PMA Captcha 1.1.1, RoundCubePlugins 2.0.1, SpamAssassin 1.1.1 , LetsEncrypt 3.2.0


    I see many of these requests in my panel access.log


    Code
    188.165.203.182 - - [27/May/2017:15:45:18 +0200] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 404 724 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    178.18.90.86 - - [27/May/2017:15:43:05 +0200] "GET /blog/wp-admin/setup-config.php?step=1 HTTP/1.1" 302 250 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    82.217.114.19 - - [27/May/2017:15:41:13 +0200] "GET /manager/assets/modext/core/modx.js HTTP/1.1" 302 247 "-" "Mozilla/5.0 (Windows NT 6.2; rv:46.0) Gecko/20100101 Firefox/46.0"
    94.23.35.86 - - [27/May/2017:15:40:27 +0200] "GET /new/wp-admin/setup-config.php?step=1 HTTP/1.1" 404 724 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    80.91.50.132 - - [27/May/2017:16:02:31 +0200] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 302 245 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    It seems to be a slowloris attack which could also explain my apache timeouts ...

    Edited once, last by fulltilt ().

  • @Nuxwin maybe you should move this thread to the security or OT area ...
    Currently I am using Fail2Ban and ModReqtimeout; I would be thankful for further suggestions.


    It seems to be a huge international network .. since yesterday about 800 IP addresses were blocked w/ fail2ban.

    Code
    Fail2Ban

    /etc/fail2ban/filter.d/apache-nokiddies.conf

    [Definition]
    failregex = ^<HOST> .*"GET .*w00tw00t
                ^<HOST> .*"GET .*admin.* 403
                ^<HOST> .*"GET .*admin.* 404
                ^<HOST> .*"GET .*install.* 404
                ^<HOST> .*"GET .*dbadmin.* 404
                ^<HOST> .*"GET .*myadmin.* 404
                ^<HOST> .*"GET .*MyAdmin.* 404
                ^<HOST> .*"GET .*mysql.* 404
                ^<HOST> .*"GET .*websql.* 404
                ^<HOST> .*"GET \/pma\/.* 404
                ^<HOST> .*"GET .*wp-content.* 404
                ^<HOST> .*"GET .*wp-login.* 404
                ^<HOST> .*"GET .*typo3.* 404
                ^<HOST> .*"HEAD .*manager.* 404
                ^<HOST> .*"HEAD .*blackcat.* 404
                ^<HOST> .*"HEAD .*sprawdza.php.* 404
                ^<HOST> .*"GET .*webdav.* 404
                ^<HOST> .*"GET .*wp-admin.* 404
                ^<HOST> .*"GET .*manager.* 302
                ^<HOST> .*"GET .*setup-config.php.* 404
    ignoreregex =

    ################

    /etc/fail2ban/jail.local

    [apache-nokiddies]
    enabled = true
    port = http,https
    filter = apache-nokiddies
    logpath = /var/log/apache2/*/access.log
    maxretry = 1
    bantime = 2592000

    ##################

    ModReqtimeout

    /etc/apache2/mods-available/reqtimeout.conf

    RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500


    ## edit ##
    Do not use the sample filter from above as-is ...
    You need to adjust the regex according to your logs, e.g.

    Code
    ^<HOST> .*"GET \/bitrix\/admin\/index.php.* 400
    ^<HOST> .*"GET \/admin\/login.php HTTP\/1.1 400

    Server version: Apache/2.4.10 (Debian)
    http://httpd.apache.org/security/vulnerabilities_24.html

    Edited 4 times, last by fulltilt ().
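    To see what the apache-nokiddies filter posted above actually catches before enabling it with maxretry = 1, here is an added example (not code from the thread or from fail2ban) that applies a subset of those failregex lines to constructed access.log lines modelled on the excerpt in the first post. It assumes a simplified <HOST> that captures only IPv4 addresses and matches the raw line; real fail2ban also matches IPv6 and hostnames and strips the timestamp first.

```python
import re
from collections import Counter

# fail2ban substitutes <HOST> with a group matching IPv4, IPv6 or a hostname and
# strips the timestamp before matching; this stand-in only captures IPv4 and
# matches the raw line (simplification, an assumption of this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Subset of the failregex lines from the apache-nokiddies filter in this thread.
FAILREGEX = [
    r'^<HOST> .*"GET .*admin.* 404',
    r'^<HOST> .*"GET .*wp-admin.* 404',
    r'^<HOST> .*"GET .*setup-config.php.* 404',
    r'^<HOST> .*"GET .*manager.* 302',
]

# Constructed sample lines modelled on the access.log excerpt in the thread.
# The last two are constructed: a normal visitor, and a browser following a
# dead link whose path merely contains "admin" (banned by the broad line).
SAMPLE_LOG = """\
188.165.203.182 - - [27/May/2017:15:45:18 +0200] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 404 724 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
82.217.114.19 - - [27/May/2017:15:41:13 +0200] "GET /manager/assets/modext/core/modx.js HTTP/1.1" 302 247 "-" "Mozilla/5.0 (Windows NT 6.2; rv:46.0) Gecko/20100101 Firefox/46.0"
203.0.113.7 - - [27/May/2017:15:46:00 +0200] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [27/May/2017:15:47:12 +0200] "GET /administration-contact.html HTTP/1.1" 404 724 "https://example.invalid/" "Mozilla/5.0"
"""

def compile_filters(patterns):
    """Turn fail2ban-style failregex lines into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def matching_hosts(log_text, patterns=FAILREGEX):
    """Count, per source address, the log lines that hit any failregex."""
    compiled = compile_filters(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, as fail2ban counts it
    return hits

def hosts_to_ban(log_text, maxretry=1, patterns=FAILREGEX):
    """Addresses reaching the jail's maxretry (the thread's jail.local uses 1)."""
    counts = matching_hosts(log_text, patterns)
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

    With maxretry = 1 the harmless 404 from 198.51.100.9 is banned for 30 days alongside the scanners, which is the reason the edit above says to tune the regexes to your own logs.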

  • yeah ... 24 hours w/o apache crash / restart :D


    additional filter