Am I being to paranoid?

05-08-2011, 05:46 PM

Hi All,

I want to know thoughts on if I am being to paranoid/security conscious.

CentOS 5.6, Apache, MySQL, running an Firewall in front of everything and obviously the built-in firewall on the box. I have ssh on a different port and starting to use Keys instead of password authentication. I host an intensive website and I am getting about 150 unique visitors per day.

What I am seeing is LogWatch reporting a lot of 404's like:

404 Not Found
//PHPMA/: 1 Time(s)
//admin/myadmin/: 1 Time(s)
//admin/phpmyadmin/: 1 Time(s)
//adming/: 1 Time(s)
//ascils/phpmyadmin/: 1 Time(s)
//blog/wp-content/plugins/phpmyadmin/: 1 Time(s)
//database/: 2 Time(s)
//db/: 1 Time(s)
//dba/: 1 Time(s)
//dbadmin/: 2 Time(s)
//html/phpMyAdmin/: 1 Time(s)
//html/phpmyadmin/: 1 Time(s)
//lamp/phpmyadmin/: 1 Time(s)
//myadmin/: 1 Time(s)
//mydatabase/: 1 Time(s)
//mydb/: 1 Time(s)
//myphp/: 1 Time(s)
//mysql-admin/: 1 Time(s)
//mysql/: 1 Time(s)
//mysqladmin/: 2 Time(s)
//mysqlmanager/: 1 Time(s)
//phpMyAdmin-2.8.0.2/: 1 Time(s)
//phpMyAdmin-2.8.1-rc1/: 1 Time(s)
//phpMyAdmin-2.8.1/: 1 Time(s)
//phpMyAdmin-2.8.2/: 1 Time(s)
//phpMyAdmin/: 1 Time(s)
//phpadm/: 2 Time(s)
//phpma/: 1 Time(s)
//phpmanager/: 1 Time(s)
//phpmy/: 2 Time(s)
//phpmyadmin/: 1 Time(s)
//pma/: 1 Time(s)
//pmaadmin/: 1 Time(s)
//pmadmin/: 1 Time(s)
//sql/: 1 Time(s)
//sqladmin/: 2 Time(s)
//sqldatabase/: 2 Time(s)
//sqlmanager/: 1 Time(s)
//sqlweb/: 1 Time(s)
//typo3/phpmyadmin/: 1 Time(s)
//webadmin/: 1 Time(s)
//webdb/: 1 Time(s)
//websql/: 1 Time(s)
//wp-content/plugins/phpMyAdmin/: 1 Time(s)
//wp-content/plugins/wp-phpmyadmin/: 1 Time(s)
//xampp/phpmyadmin/: 1 Time(s)

So I turned on Apache ReWrite and I created a file and I put in rules like: (just a small subset)

RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmy(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpma [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpadmin [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpgadmin [NC,OR]
RewriteCond %{REQUEST_URI} ^/phppgadmin [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/php-my-admin [NC,OR]
RewriteCond %{REQUEST_URI} ^/php-myadmin [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmy-admin [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpmanager [NC,OR]
RewriteCond %{REQUEST_URI} ^/player(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/plugins [NC,OR]
RewriteCond %{REQUEST_URI} ^/pma [NC,OR]
RewriteCond %{REQUEST_URI} ^/p/m/a [NC,OR]
RewriteCond %{REQUEST_URI} ^/pmadmin [NC,OR]
RewriteCond %{REQUEST_URI} ^/pmaadmin [NC,OR]
RewriteCond %{REQUEST_URI} ^/scripts [NC,OR]
RewriteCond %{REQUEST_URI} ^/sd(.*) [NC,OR]
RewriteCond %{REQUEST_URI} ^/sql [NC,OR]
RewriteCond %{REQUEST_URI} ^/sqladmin [NC,OR]

and if one of these is hit I use a Rule of:

RewriteRule .* http://%{REMOTE_ADDR}%{REQUEST_URI} [L,R=301,QSA]

Everyday I look at the LogWatch E-Mail and I add one people are trying to hit and restart apache.

This yields a few questions.

1. Am I being to paranoid by doing this? My logic is they dont belong here and I could get mad if someone walked up to my apartment and tried jiggling the door handle to see if it was unlocked.

2. I know I can simplify these rules. Wouldn't RewriteCond %{REQUEST_URI} ^/php(.*) [NC,OR] get most of the attempts for thinks like /php, /php-myadmin, /phpmyadmin-2.0.8.8, etc?

3. Is there a better way to right these rules?

4. Why does LogWatch show this to me as a 404 , when a rewrite rule is hit and they are re-directed back to themselves? My rules seem to be working, if I try and hit /scripts right now, it does what I expect.

Can anyone shed some light for me on my thoughts/questions?

--
Jason

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos