> Was hastn wieder angestellt? Aus Versehen in die Logfiles geschaut... - [fwblock4time](https://code.fastix.org/showFile.php?file=Projekte/Apache%2Cmod_evasive%2Ciptables%3AHelfer-Skripte%20zum%20%28zeitweisen%29%20Blockieren%20von%20IP-Adressen/fwblock4time) Apche-Config (.htacces) des Default-Hosts: (Aufruf mit IP...) ~~~ ErrorDocument 404 /404.php RewriteEngine on RewriteRule ^/login\.cgi /404.php ~~~ 404.php: ~~~php <?php $noblocks = [ '192.168.1.', '127.' ]; $blocktime = 60; # Minuten $angriffe=explode( "\n", '/a2billing/ /adm/ /admin/ /administrator.php /backup/ /composer.php /data.php /db/ /dbadmin /db.init.php /db.php /db_pma.php /dmpr/ /drupal.php /editor.php /horde/ /login.cgi /manager/ /msd/ /muhstik/ /mx.php /myadmin/ /MyAdmin/ /myadmin2/ /mysql /mysql/ /mysql_admin/ /mysql-admin/ /mysqladmin/ /mysqldump /mysqldumper/ /mysqlmanager/ /mysql.php /noxdir/ /.php/ /phpadmin/ /phpma/ /phpmy/ /phpmyadmin/ /phppma/ /pma/ /pma2/ /setup.php /shell.php /solstice /spider.php /sqlmanager/ /sqlweb/ /system.php /thinkphp /tomcat.php /toor.php /typo3/ /vhcs/ /vhcs2/ /webdav/ /websql/ /wp-admin/ /wp-admin.php /wp-config.php /wp-content/ /xampp/ HelloThinkPHP '); if ( empty( $_SERVER['REMOTE_ADDR'] ) ) { echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL; exit; } foreach ( $noblocks as $noblock ) { if ( false !== strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) { echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>'; iLoveSkriptKiddies(); exit; } } $flagFound = false; $haystack = strtolower( $_SERVER['REQUEST_URI'] ); foreach ( $angriffe as $s ) { $needle = strtolower( trim( $needle ) ); if ( $needle && ! false === strpos( $haystack, $needle ) ) { $flagFound = true; break; } } if ( $flagFound ) { http_response_code(403); ?><!DOCTYPE html> <html lang="en"> <head> <title>403 Forbidden</title> </head> <body> <h1>403 Forbidden</h1> <p>Nice try! Requests from <?=$_SERVER['REMOTE ADDR']; ?> are blocked now.</p>'; <?php iLoveSkriptKiddies(); echo '</body> </html>'; $cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . $_SERVER['REMOTE_ADDR'] . ' ' . $blocktime . '; echo $? | tail -n1'; $result = intval(`$cmd`); if ( 0 == $result ) { error_log('Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert."); } else { error_log( "Error $result from execute $cmd" ); } } else { http_response_code( 404 ); echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>'; } function iLoveSkriptKiddies() { ## sed a nice greeting image } ~~~ Läuft. Wirft Angreifer für eine Stunde bei IP-Tables ein. Wer es testen will: http://77.180.117.82/myadmin/ (nur heute erreichbar)

> Was hastn wieder angestellt? Aus Versehen in die Logfiles geschaut... - [fwblock4time](https://code.fastix.org/showFile.php?file=Projekte/Apache%2Cmod_evasive%2Ciptables%3AHelfer-Skripte%20zum%20%28zeitweisen%29%20Blockieren%20von%20IP-Adressen/fwblock4time) Apche-Config (.htacces) des Default-Hosts: (Aufruf mit IP...) ~~~ ErrorDocument 404 /404.php RewriteEngine on RewriteRule ^/login\.cgi /404.php ~~~ 404.php: ~~~php <?php $noblocks = [ '192.168.1.', '127.' ]; $blocktime = 60; # Minuten $angriffe=explode( "\n", '/a2billing/ /adm/ /admin/ /administrator.php /backup/ /composer.php /data.php /db/ /dbadmin /db.init.php /db.php /db_pma.php /dmpr/ /drupal.php /editor.php /horde/ /login.cgi /manager/ /msd/ /muhstik/ /mx.php /myadmin/ /MyAdmin/ /myadmin2/ /mysql /mysql/ /mysql_admin/ /mysql-admin/ /mysqladmin/ /mysqldump /mysqldumper/ /mysqlmanager/ /mysql.php /noxdir/ /.php/ /phpadmin/ /phpma/ /phpmy/ /phpmyadmin/ /phppma/ /pma/ /pma2/ /setup.php /shell.php /solstice /spider.php /sqlmanager/ /sqlweb/ /system.php /thinkphp /tomcat.php /toor.php /typo3/ /vhcs/ /vhcs2/ /webdav/ /websql/ /wp-admin/ /wp-admin.php /wp-config.php /wp-content/ /xampp/ HelloThinkPHP '); if ( empty( $_SERVER['REMOTE_ADDR'] ) ) { echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL; exit; } foreach ( $noblocks as $noblock ) { if ( false !== strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) { echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>'; iLoveSkriptKiddies(); exit; } } $flagFound = false; $haystack = strtolower( $_SERVER['REQUEST_URI'] ); foreach ( $angriffe as $s ) { $needle = strtolower( trim( $needle ) ); if ( $needle && ! false === strpos( $haystack, $needle ) ) { $flagFound = true; break; } } if ( $flagFound ) { http_response_code(403); ?><!DOCTYPE html> <html lang="en"> <head> <title>403 Forbidden</title> </head> <body> <h1>403 Forbidden</h1> <p>Nice try! Requests from <?=$_SERVER['REMOTE ADDR']; ?> are blocked now.</p>'; <?php iLoveSkriptKiddies(); echo '</body> </html>'; $cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . $_SERVER['REMOTE_ADDR'] . ' ' . $blocktime . '; echo $? | tail -n1'; $result = intval(`$cmd`); if ( 0 == $result ) { error_log('Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert."); } else { error_log( "Error $result from execute $cmd" ); } } else { http_response_code( 404 ); echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>'; } function iLoveSkriptKiddies() { ## sed a nice greeting image } ~~~ Läuft. Wirft Angreifer für eine Stunde bei IP-Tables ein.

> Was hastn wieder angestellt? Aus Versehen in die Logfiles geschaut... - [fwblock4time](https://code.fastix.org/showFile.php?file=Projekte/Apache%2Cmod_evasive%2Ciptables%3AHelfer-Skripte%20zum%20%28zeitweisen%29%20Blockieren%20von%20IP-Adressen/fwblock4time) Apche-Config (.htacces) des Default-Hosts: (Aufruf mit IP...) ~~~ ErrorDocument 404 /404.php RewriteEngine on RewriteRule ^/login\.cgi /404.php ~~~ 404.php: ~~~php <?php $noblocks = [ '192.168.1.', '127.' ]; $blocktime = 60; # Minuten $angriffe=explode( "\n", '/a2billing/ /adm/ /admin/ /administrator.php /backup/ /composer.php /data.php /db/ /dbadmin /db.init.php /db.php /db_pma.php /dmpr/ /drupal.php /editor.php /horde/ /login.cgi /manager/ /msd/ /muhstik/ /mx.php /myadmin/ /MyAdmin/ /myadmin2/ /mysql /mysql/ /mysql_admin/ /mysql-admin/ /mysqladmin/ /mysqldump /mysqldumper/ /mysqlmanager/ /mysql.php /noxdir/ /.php/ /phpadmin/ /phpma/ /phpmy/ /phpmyadmin/ /phppma/ /pma/ /pma2/ /setup.php /shell.php /solstice /spider.php /sqlmanager/ /sqlweb/ /system.php /thinkphp /tomcat.php /toor.php /typo3/ /vhcs/ /vhcs2/ /webdav/ /websql/ /wp-admin/ /wp-admin.php /wp-config.php /wp-content/ /xampp/ HelloThinkPHP '); if ( empty( $_SERVER['REMOTE_ADDR'] ) ) { echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL; exit; } foreach ( $noblocks as $noblock ) { if ( false !== strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) { echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>'; iLoveSkriptKiddies(); exit; } } $flagFound = false; $haystack = strtolower( $_SERVER['REQUEST_URI'] ); foreach ( $angriffe as $s ) { $needle = strtolower( trim( $needle ) ); if ( $needle && ! false === strpos( $haystack, $needle ) ) { $flagFound = true; break; } } if ( $flagFound ) { http_response_code(403); ?><!DOCTYPE html> <html lang="en"> <head> <title>403 Forbidden</title> </head> <body> <h1>403 Forbidden</h1> <p>Nice try! Requests from <?=$_SERVER['REMOTE ADDR']; ?> are blocked now.</p>'; <?php iLoveSkriptKiddies(); echo '</body> </html>'; $cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . $_SERVER['REMOTE_ADDR'] . ' ' . $blocktime . '; echo $? | tail -n1'; $result = intval(`cmd`); if ( 0 == $result ) { error_log('Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert."); } else { error_log( "Error $result from execute $cmd" ); } } else { http_response_code( 404 ); echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>'; } function iLoveSkriptKiddies() { ## sed a nice greeting image } ~~~ Läuft. Wirft Angreifer für eine Stunde bei IP-Tables ein.

> Was hastn wieder angestellt? Aus Versehen in die Logfiles geschaut... - [fwblock4time](https://code.fastix.org/showFile.php?file=Projekte/Apache%2Cmod_evasive%2Ciptables%3AHelfer-Skripte%20zum%20%28zeitweisen%29%20Blockieren%20von%20IP-Adressen/fwblock4time) Apche-Config (.htacces): ~~~ ErrorDocument 404 /404.php RewriteEngine on RewriteRule ^/login\.cgi /404.php ~~~ 404.php: ~~~php <?php $noblocks = [ '192.168.1.', '127.' ]; $blocktime = 60; # Minuten $angriffe=explode( "\n", '/a2billing/ /adm/ /admin/ /administrator.php /backup/ /composer.php /data.php /db/ /dbadmin /db.init.php /db.php /db_pma.php /dmpr/ /drupal.php /editor.php /horde/ /login.cgi /manager/ /msd/ /muhstik/ /mx.php /myadmin/ /MyAdmin/ /myadmin2/ /mysql /mysql/ /mysql_admin/ /mysql-admin/ /mysqladmin/ /mysqldump /mysqldumper/ /mysqlmanager/ /mysql.php /noxdir/ /.php/ /phpadmin/ /phpma/ /phpmy/ /phpmyadmin/ /phppma/ /pma/ /pma2/ /setup.php /shell.php /solstice /spider.php /sqlmanager/ /sqlweb/ /system.php /thinkphp /tomcat.php /toor.php /typo3/ /vhcs/ /vhcs2/ /webdav/ /websql/ /wp-admin/ /wp-admin.php /wp-config.php /wp-content/ /xampp/ HelloThinkPHP '); if ( empty( $_SERVER['REMOTE_ADDR'] ) ) { echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL; exit; } foreach ( $noblocks as $noblock ) { if ( false !== strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) { echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>'; iLoveSkriptKiddies(); exit; } } $flagFound = false; $haystack = strtolower( $_SERVER['REQUEST_URI'] ); foreach ( $angriffe as $s ) { $needle = strtolower( trim( $needle ) ); if ( $needle && ! false === strpos( $haystack, $needle ) ) { $flagFound = true; break; } } if ( $flagFound ) { http_response_code(403); ?><!DOCTYPE html> <html lang="en"> <head> <title>403 Forbidden</title> </head> <body> <h1>403 Forbidden</h1> <p>Nice try! Requests from <?=$_SERVER['REMOTE ADDR']; ?> are blocked now.</p>'; <?php iLoveSkriptKiddies(); echo '</body> </html>'; $cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . $_SERVER['REMOTE_ADDR'] . ' ' . $blocktime . '; echo $? | tail -n1'; $result = intval(`cmd`); if ( 0 == $result ) { error_log('Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert."); } else { error_log( "Error $result from execute $cmd" ); } } else { http_response_code( 404 ); echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>'; } function iLoveSkriptKiddies() { ## sed a nice greeting image } ~~~ Läuft.