• web server

    From Utopian Galt@VERT/IUTOPIA to All on Sunday, April 03, 2022 18:31:39
    4/3 06:28:31p 1996 Request: GET /sql/phpmyadmin4/index.php?lang=en HTTP/1.1
    4/3 06:28:31p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:31p 1996 Session thread terminated (2 clients, 6 threads remain, 511 served)
    4/3 06:28:31p 1996 HTTP connection accepted from: 188.166.240.83 port 49102
    4/3 06:28:31p 1996 Request: GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 512 served)
    4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49260
    4/3 06:28:32p 1996 Request: GET /dbadmin/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 513 served)
    4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49424
    4/3 06:28:32p 1996 Request: GET /phpmyadmin2015/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:33p 1996 Session thread terminated (2 clients, 6 threads remain, 514 served)
    4/3 06:28:33p 1996 HTTP connection accepted from: 188.166.240.83 port 49542
    4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1

    How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    That is the big takeaway.

    ---
    ■ Synchronet ■ Inland Utopia - iutopia.duckdns.org:2023
  • From MRO@VERT/BBSESINF to Utopian Galt on Sunday, April 03, 2022 23:41:29
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm


    How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    That is the big takeaway.


    get off the internet.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Digital Man@VERT to Utopian Galt on Sunday, April 03, 2022 22:17:34
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm

    4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1

    How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    That is the big takeaway.

    Just ignore them. <shrug>
    --
    digital man (rob)

    Sling Blade quote #10:
    Morris: I stand on the hill, not for thrill, but for the breath of a fresh kill
    Norco, CA WX: 57.1°F, 82.0% humidity, 3 mph SSE wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From echicken@VERT/ECBBS to Utopian Galt on Monday, April 04, 2022 05:07:32
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 18:31:39

    How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    That is the big takeaway.

    The more important question is whether these requests are causing a real, measurable problem for you.

    This sort of traffic comes in waves. You'll see huge surges that last for a matter of hours and then die off for weeks or months. Your logs show your web server isn't exactly being taxed; it's handling a couple of requests per second and responding with 404. No big deal.

    You can play whack-a-mole with these bots and add complexity to your setup if you really want to, but you can also just do nothing and it'll be fine.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
  • From Ragnarok@VERT/DOCKSUD to Utopian Galt on Monday, April 04, 2022 10:13:34
    On 3/4/22 at 22:31, Utopian Galt wrote:
    4/3 06:28:31p 1996 Request: GET /sql/phpmyadmin4/index.php?lang=en HTTP/1.1
    4/3 06:28:31p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:31p 1996 Session thread terminated (2 clients, 6 threads remain, 511 served)
    4/3 06:28:31p 1996 HTTP connection accepted from: 188.166.240.83 port 49102
    4/3 06:28:31p 1996 Request: GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 512 served)
    4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49260
    4/3 06:28:32p 1996 Request: GET /dbadmin/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 513 served)
    4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49424
    4/3 06:28:32p 1996 Request: GET /phpmyadmin2015/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:33p 1996 Session thread terminated (2 clients, 6 threads remain, 514 served)
    4/3 06:28:33p 1996 HTTP connection accepted from: 188.166.240.83 port 49542
    4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1

    How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    That is the big takeaway.

    ---
    ■ Synchronet ■ Inland Utopia - iutopia.duckdns.org:2023

    use fail2ban and block these connections

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Ragnarok@VERT/DOCKSUD to Digital Man on Monday, April 04, 2022 10:15:53
    On 4/4/22 at 02:17, Digital Man wrote:
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm

    > 4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1
    >
    > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > That is the big takeaway.

    Just ignore them. <shrug>

    can you add the client ip to the 404 error log? it will make it easy to
    make a fail2ban filter

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Tracker1@VERT/TRN to Utopian Galt on Monday, April 04, 2022 18:42:58
    On 4/3/22 18:31, Utopian Galt wrote:
    ... Request: GET /sql/phpmyadmin4/index.php?lang=en HTTP/1.1
    ... !ERROR: 404 Not Found (line 3721)
    ...

    How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    That is the big takeaway.

    These are bots trying to see if you have various (potentially
    compromisable) web applications on default ports... as long as you're
    seeing 400 responses, you are fine... the 404 is basically a bugger off.

    I wouldn't worry too much about them... You could create an
    /error/404.ssjs to handle these with a custom response (I'm doing this
    for a custom default.html and/or redirect), but it's probably not worth
    the effort imo.

    Alternatively, you could use a different webserver as a frontline
    reverse proxy and configure those routes not to go to your BBS host...
    this will make integration of TLS on your other services potentially
    much more difficult though.
    --
    Michael J. Ryan - tracker1@roughneckbbs.com

    ---
    ■ Synchronet ■ Roughneck BBS - roughneckbbs.com
  • From Digital Man@VERT to Ragnarok on Monday, April 04, 2022 19:55:47
    Re: Re: web server
    By: Ragnarok to Digital Man on Mon Apr 04 2022 10:15 am

    On 4/4/22 at 02:17, Digital Man wrote:
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm

    > 4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1
    >
    > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > That is the big takeaway.

    Just ignore them. <shrug>

    can you add the client ip to the 404 error log? it will make it easy to
    make a fail2ban filter

    Okay, I just added that. But I wouldn't recommend blocking any/every client that makes a bad HTTP request. You could have a bad link on your own web pages and be blocking a lot of honest to goodness users.
    --
    digital man (rob)

    Synchronet/BBS Terminology Definition #37:
    FTSC = FidoNet Technical Standards Committee
    Norco, CA WX: 62.6°F, 71.0% humidity, 2 mph SE wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Ragnarok@VERT/DOCKSUD to Digital Man on Tuesday, April 05, 2022 09:23:07
    On 4/4/22 at 23:55, Digital Man wrote:

    Okay, I just added that. But I wouldn't recommend blocking any/every client that makes a bad HTTP request. You could have a bad link on your own web pages and be blocking a lot of honest to goodness users.

    I agree, I would only block if the same error occurs many times from the
    same host

    An idea would be to be able to add aliases with return code
    example:

    [ctrl/web_alias.ini]

    /phpmyadmin* = return 403
    /wp-admin* = return 403


    etc...

    I don't have wordpress or phpmyadmin so I can assume these are attacks
    and identify and block them

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
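
The "only block if the same error occurs many times from the same host" rule from the post above, as an added example that is not part of the thread or of Synchronet. The 404 lines in the posted log carry no client IP, so the sketch pairs each 404 with the preceding "HTTP connection accepted from" line; it assumes the number after the timestamp (1996 in the thread) identifies the socket, and the threshold, window and the 192.0.2.10 lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log layout as posted in the thread: "M/D HH:MM:SS[a|p] <id> <message>".
# Assumption: <id> (1996 in the thread) identifies the socket serving the request.
LINE = re.compile(r"^(\d+)/(\d+) (\d+):(\d+):(\d+)([ap]) (\d+) (.*)$")
ACCEPT = re.compile(r"HTTP connection accepted from: (\S+) port \d+")

# Abridged from the thread's log; the 192.0.2.10 lines (socket 2004) are constructed.
SAMPLE = """\
4/3 06:28:31p 1996 !ERROR: 404 Not Found (line 3721)
4/3 06:28:31p 1996 HTTP connection accepted from: 188.166.240.83 port 49102
4/3 06:28:31p 1996 Request: GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1
4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49260
4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49424
4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
4/3 06:29:10p 2004 HTTP connection accepted from: 192.0.2.10 port 50000
4/3 06:29:10p 2004 Request: GET /old-link.html HTTP/1.1
4/3 06:29:10p 2004 !ERROR: 404 Not Found (line 3721)
"""

def find_scanners(lines, threshold=3, window=timedelta(seconds=60), year=2022):
    """Return {ip: peak 404 count inside `window`} for hosts reaching `threshold`."""
    peer = {}                    # socket id -> client IP it is currently serving
    recent = defaultdict(deque)  # client IP -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        mon, day, hh, mm, ss, ampm, sock, msg = m.groups()
        hour = int(hh) % 12 + (12 if ampm == "p" else 0)
        ts = datetime(year, int(mon), int(day), hour, int(mm), int(ss))
        accepted = ACCEPT.match(msg)
        if accepted:
            peer[sock] = accepted.group(1)
        elif msg.startswith("Session thread terminated"):
            peer.pop(sock, None)      # socket id may be reused by another client
        elif msg.startswith("!ERROR: 404") and sock in peer:
            ip, q = peer[sock], recent[peer[sock]]
            q.append(ts)
            while ts - q[0] > window:  # forget 404s older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE.splitlines()))
```

The first 404 in the sample has no matching "accepted" line and is skipped rather than guessed at, and the single 404 from the constructed client stays below the threshold, which is the bad-link case raised earlier in the thread.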
  • From Ragnarok@VERT/DOCKSUD to echicken on Tuesday, April 05, 2022 09:27:27
    On 4/4/22 at 07:07, echicken wrote:
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 18:31:39

    UG> How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    UG> That is the big takeaway.

    The more important question is whether these requests are causing a real, measurable problem for you.

    This sort of traffic comes in waves. You'll see huge surges that last for a matter of hours and then die off for weeks or months. Your logs show your web server isn't exactly being taxed; it's handling a couple of requests per second and responding with 404. No big deal.

    You can play whack-a-mole with these bots and add complexity to your setup if you really want to, but you can also just do nothing and it'll be fine.


    It doesn't bother me that the disk fills up with 404 logs, because
    logrotate exists.
    The worst problem is CPU usage.
    Those requests sometimes increase the sbbs process from 5% to 50%.

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Digital Man@VERT to Ragnarok on Tuesday, April 05, 2022 18:50:11
    Re: Re: web server
    By: Ragnarok to Digital Man on Tue Apr 05 2022 09:23 am

    On 4/4/22 at 23:55, Digital Man wrote:

    Okay, I just added that. But I wouldn't recommend blocking any/every client that makes a bad HTTP request. You could have a bad link on your own web pages and be blocking a lot of honest to goodness users.

    I agree, I would only block if the same error occurs many times from the same host

    An idea would be to be able to add aliases with return code
    example:

    [ctrl/web_alias.ini]

    /phpmyadmin* = return 403
    /wp-admin* = return 403

    I'm not sure. Ask Deuce in #synchronet.
    --
    digital man (rob)

    Breaking Bad quote #37:
    only the very best... with just a right amount of dirty. - Saul
    Norco, CA WX: 73.9°F, 56.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net