What should be the limit to use for IPTABLES rate limiting for a webserver?

Posted by Registered User on Server Fault
Published on 2011-02-04T07:16:55Z

I see on my webserver some logs as follows

203.252.157.98 -   :25:02    "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:03    "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:03    "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:04    "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:05    "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:06    "GET //phppgadmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:06    "GET //PMA/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:07    "GET //admin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:08    "GET //MyAdmin/ HTTP/1.1" 404 392 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:36    "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:42    "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:42    "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:43    "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - -    "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

and some more as follows

118.219.234.254 - - [19/Oct/2010:22:57:41    "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:41    "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42    "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42    "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:43    "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44    "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44    "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45    "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45    "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:51    "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52    "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52    "GET /admin/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:53    "GET /db/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54    "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 402 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54    "GET /myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55    "GET /mysql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55    "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56    "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56    "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57    "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57    "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58    "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58    "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59    "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59    "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:00    "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01    "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01    "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:02    "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

I have 2 questions:
1) When such an attack happens on my site, how do I detect it while the scanning is going on (in very little time)?
2) I have decided to rate limit the IPTABLES so as to reduce such DOS attacks by some script kiddies (to scan for vulnerabilities in phpmyadmin or some other script) to some extent. So how much should it be limited so that genuine users do not get kicked out? What is the best practice for question 2?

© Server Fault or respective owner
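
An added example, not part of the original post: one way to spot the kind of scan shown in the logs above is to count distinct paths answered with 404 per client IP inside a short sliding window. The function names, the thresholds (`max_404`, `window_s`) and the sample lines (documentation-range IPs, Apache combined format) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: client IP, [timestamp], "request line", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def parse(line):
    """Return (ip, time, path, status), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    parts = req.split()
    path = parts[1] if len(parts) >= 2 else ""
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_scanners(lines, max_404=5, window_s=10):
    """Map each IP to the time it reached max_404 distinct 404 paths
    within window_s seconds. Both thresholds are assumed values to tune."""
    recent = defaultdict(deque)  # ip -> (time, path) of its recent 404s
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != 404:
            continue
        ip, ts, path, _ = rec
        q = recent[ip]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop 404s that fell out of the window
        # Distinct paths: one broken link requested repeatedly is not a scan.
        if ip not in flagged and len({p for _, p in q}) >= max_404:
            flagged[ip] = ts
    return flagged

def _line(ip, hms, path, status):
    # Constructed sample log line (not taken from the original post).
    return (f'{ip} - - [19/Oct/2010:{hms} +0000] "GET {path} HTTP/1.1" '
            f'{status} 400 "-" "-"')

PROBES = ["/pma/", "/phpMyAdmin/", "/dbadmin/", "/myadmin/", "/admin/"]
SAMPLE = (
    [_line("203.0.113.7", f"22:57:4{i}", p + "scripts/setup.php", 404)
     for i, p in enumerate(PROBES)]
    + [_line("198.51.100.20", f"22:57:4{i}", "/favicon.ico", 404) for i in range(8)]
    + [_line("198.51.100.20", "22:57:50", "/index.html", 200), "malformed line"]
)
```

Calling `find_scanners(SAMPLE)` flags only the probing client; the second client, which requests one missing file repeatedly, stays below the distinct-path threshold.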
