[GUIDE] How-to Use Fail2Ban to block bots phpMyAdmin etc

Reported by: Chris
Created: 2 months 2 days ago
Views: 373

Hi All,

In the recent days I noticed this in my logs file.

Of course I want to exposed malicious IP 60.251.152.85 and so forth but I noticed this "scumbag" would not stop anytime soon, so I came up with following solution:

Add/edit /etc/fail2ban/filter.dapache-antibot.conf

# change badurls to fit your taste and needs, this are the more common ones

[Definition]

badurls = myadmin|phpadmin|sql|webdb|wp-login\.php|soapCaller|manager|setup\.php|pma|status|admin\.php|phpmyadmin\.php|pma\.php|PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|sql|phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin

failregex = ^(?i)<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$

            ^(?i)<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$

ignoreregex =

Add/edit /etc/fail2ban/jail.conf

NOTE: * in the logpath includes all domains within tinycp hence if "60.251.152.85" changes to a different domain, it will still get denied access to server.

The above filter plus existing recidive.conf will eradicate the scumbag

Hope this help someone out there.

Regards

Join our Discord server
Write a reply Edit a reply