Banning phpMyAdmin bots using fail2ban
I've had it with those evil bots trying to exploit non-existing phpMyAdmin installations on anything webserverish, therefore I wrote up a small fail2ban rule to ban those bastards after the third attempt. Maybe it's of help to you too, thus here it is.
# Fail2Ban configuration file # # Bans bots scanning for non-existing phpMyAdmin installations on your webhost. # # Author: Gina Haeussge # [Definition] docroot = /var/www badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2 # Option: failregex # Notes.: Regexp to match often probed and not available phpmyadmin paths. # Values: TEXT # failregex = [client <HOST>] File does not exist: %(docroot)s/(?:%(badadmin)s) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
badadmin matchers will prolly be extended in the future, this was just what I found regarding trial-and-error-URLs after a quick scan through the logs of one of the servers at work.
I added this to
/etc/fail2ban/jail.conf to enable the rule:
[apache-phpmyadmin] enabled = true port = http,https filter = apache-phpmyadmin logpath = /var/log/apache*/*error.log maxretry = 3