What's happening this time?
This time it's again about WordPress, but for the people not running WordPress. It's also about phpMyAdmin, but for the people not running phpMyAdmin. I could go on with a list of popular PHP applications, but you get the idea: you've seen it in your logs, haven't you? All those hits on /phpmyadmin/index.php, some variations, even some other PHP applications, none of which are installed, resulting in masses of 404 errors filling the error log.
All these hits come from bots trying to brute-force their way into WordPress blogs or phpMyAdmin instances.
What are our options?
Thankfully, all we need already ships with Fail2ban: the filters are present in the filter.d/ subdirectory. Let's review them for Apache, but don't worry, Nginx users, there are corresponding files.
The files are:
* apache-common.conf
* botsearch-common.conf
* apache-botsearch.conf
Now on to the jail configuration file
Since we don't need to create a filter, let's skip to the jail configuration file. Nothing fancy here, this is just a tiny variation on the jail already shown in the post about blocking WordPress brute-force attacks.

    [bot-jail]
    enabled = true
    filter = apache-botsearch[webroot="/path/to/documentroot/"]
    logpath = /path/to/error.log
    maxretry = 3
Of course, the maxretry option can be adjusted to suit your needs, but I think a value of 3 to 5 is low enough to be sure the 404 errors come from a robot and not from a human.
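To see what the jail above actually counts, here is an added Python example (not from this post and not Fail2ban's own code) that mirrors the apache-botsearch matching and the maxretry/findtime counting on a few constructed Apache 2.4 error-log lines. The path patterns are a hypothetical, simplified version of what Fail2ban's botsearch-common.conf matches, and the webroot, maxretry and findtime values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache 2.4 error-log format (not from a real server).
SAMPLE_LOG = """\
[Mon Jun 03 10:00:01.000000 2024] [core:info] [pid 100] [client 203.0.113.5:40001] AH00128: File does not exist: /var/www/html/phpmyadmin/index.php
[Mon Jun 03 10:00:02.000000 2024] [core:info] [pid 100] [client 203.0.113.5:40002] AH00128: File does not exist: /var/www/html/pma/index.php
[Mon Jun 03 10:00:03.000000 2024] [core:info] [pid 100] [client 203.0.113.5:40003] AH00128: File does not exist: /var/www/html/wp-login.php
[Mon Jun 03 10:00:04.000000 2024] [core:info] [pid 100] [client 198.51.100.7:40004] AH00128: File does not exist: /var/www/html/favicon.ico
[Mon Jun 03 10:00:05.000000 2024] [core:info] [pid 100] [client 198.51.100.7:40005] AH00128: File does not exist: /var/www/html/roundcube/
"""

# Hypothetical, simplified stand-in for the <block> pattern of botsearch-common.conf:
# paths that only scanners ask for on a server where none of these apps is installed.
BLOCK = r"/?(roundcube|webmail|horde|mail|pma|phpmyadmin|myadmin|wp-login\.php|wp-signup\.php|cgi-bin|mysqladmin)"

def build_failregex(webroot: str) -> re.Pattern:
    """Mirror apache-botsearch's failregex: a 'File does not exist' error
    for a known bot-probed path directly under the configured webroot."""
    return re.compile(
        r"^\[(?P<ts>[^\]]+)\] \[\S+\] \[pid \d+\] \[client (?P<host>[^:\]]+)(?::\d{1,5})?\] "
        r"(?:AH\d+: )?File does not exist: " + re.escape(webroot) + BLOCK,
        re.IGNORECASE,
    )

def find_bans(log_text, webroot="/var/www/html/", maxretry=3, findtime=600):
    """Return the hosts that reach maxretry matches within findtime seconds,
    the same counting rule Fail2ban applies to a jail."""
    regex = build_failregex(webroot)
    hits = defaultdict(list)   # host -> timestamps of matches still inside the window
    banned = []
    for line in log_text.splitlines():
        m = regex.match(line)
        if not m:
            continue            # an ordinary 404 (e.g. favicon.ico) never counts
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
        window = hits[m.group("host")]
        window.append(ts)
        window[:] = [t for t in window if ts - t <= timedelta(seconds=findtime)]
        if len(window) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return banned

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

Note that a webroot that does not match the path in the log lines (a common misconfiguration) silently matches nothing, which is why the jail's webroot parameter must be the real document root.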
I hope you enjoyed this post, like the rest of this series. If you did, please share it on your favorite social networks :-)