A '404 bot' tries to find backend login pages on common url paths. The bot scans multiple endpoints. If a call returns 2xx, it is possible that the login gets bruteforced.

WordPress and Typo CMS in combination with phpmyadmin are probably the  most installed platforms for blogs. For this reason, there a lot of bots  trying to attack unprotected installations. Some bots first try to find  the path to the admin area.

What is the reason for this protection?

I recently analyzed my httpd logs (access_log, error_log). There were some accesses I didn't expect that much:

[...] /mysql/admin/ HTTP/1.1" 404 [...]
[...] /mysql/dbadmin/ HTTP/1.1" 404 [...]
[...] /mysql/sqlmanager/ HTTP/1.1" 404 [...]
[...] /mysql/mysqlmanager/ HTTP/1.1" 404 [...]
[...] /phpmyadmin/ HTTP/1.1" 404 [...]
[...] /phpMyadmin/ HTTP/1.1" 404 [...]
[...] /phpMyAdmin/ HTTP/1.1" 404 [...]
[...] /phpmyAdmin/ HTTP/1.1" 404 [...]
[...] /phpmyadmin2/ HTTP/1.1" 404 [...]
[...] /phpmyadmin3/ HTTP/1.1" 404 [...]
[...] /phpmyadmin4/ HTTP/1.1" 404 [...]
[...] /2phpmyadmin/ HTTP/1.1" 404 [...]
[...] /phpmy/ HTTP/1.1" 404 [...]
[...] /phppma/ HTTP/1.1" 404 [...]
[...] /myadmin/ HTTP/1.1" 404 [...]
[...] /shopdb/ HTTP/1.1" 404 [...]
[...] /MyAdmin/ HTTP/1.1" 404 [...]
[...] /program/ HTTP/1.1" 404 [...]
[...] /PMA/ HTTP/1.1" 404 [...]
...

This abstract of this file is simplified. It also contains a lot more than this.

# Attacks by day

This chart shows the count of this type of attacks for each day on readfromfile.com. It's quite interesting to see, that most of the attacks are on Sundays (Day 1 and Day 8). During the week, its only half of the attacks. As you can see, there are a lot break in attempts. I noticed, that almost every attempt is made of 104 HEAD or GET requests. A data set of common back-end admin names are  probably used. Furthermore, no detected IP attacks twice in this period.

What is the bot trying to do?

These bots are trying to detect a back-end admin area.  After a successful detection, it is possible that this bot will start a  brute-force attack on an admin login panel. If you want to protect your  admin area (wordpress, phpmyadmin, typo cms ...) and also your website  in general, you can use fail2ban.

How can I protect my website?

Is this your first time using fail2ban? Please visit my previous post for an installation guide and general instructions.

If you already installed fail2ban, you are ready to go.

cd /etc/fail2ban/filter.d

In this directory are all defined filters for fail2ban. You can easily create a new filter:

nano apache-block-scan-bots.conf

Just Copy&Paste the following code into your new file.

[INCLUDES]
before = apache-common.conf
 
[Definition]
failregex = (?i)^%(_apache_error_client)s (AH\d+:)? File does not exist: (?=.*(phpmyadmin|pma|admin|typo3|xampp|wp-(login|signup|admin)\.php|roundcube|sql|db)).*$
 
ignoreregex =

We now have to activate the filter.

nano ../jail.local

Just append this at the end of the file.

[apache-block-scan-bots]
enabled = true
port = http,https
filter = apache-block-scan-bots
logpath = /var/log/httpd/error_log
maxretry = 4
findtime = 60
bantime = 15770000 # = 6 months

Feel free to modify maxretry, findtime and bantime.

The last step is to reload the fail2ban configuration.

fail2ban-client reload

This configuration will ban every scan attempt, if there are more than 4 requests of this kind during 1 minute.

If you want to test this regex on your log files, please visit this post for more information.


Please comment below, if you have any questions.

Tested on:

  • OS: CentOS 7
  • Web server: Apache httpd 2.4.6
  • fail2ban: 0.9.6

Credits: