Even unknown sites get trawled by hackers

Gosh, I have published my dyndns website name to just one person so far, and I have a dynamic ip address.
And I still get somebody (probably somebodies) trying to break into the machine.

The web access log shows somebody is trying very hard to play with the mysql server.
218.149.84.18 - - [18/Jul/2009:18:12:05 +1200] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:06 +1200] "GET /admin/mysql/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:06 +1200] "GET /phpmyadmin2/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:07 +1200] "GET /mysqladmin/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:07 +1200] "GET /mysql-admin/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:08 +1200] "GET /main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:08 +1200] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:09 +1200] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:09 +1200] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:10 +1200] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:10 +1200] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:11 +1200] "GET /myadmin/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:11 +1200] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 1011 "-" "-"
218.149.84.18 - - [18/Jul/2009:18:12:12 +1200] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 1011 "-" "-"
ETC
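As an added example (not code from the original post), a small Python script that reads lines in this access-log format and flags a client that fires a burst of 404s on admin-console paths within a short window. The sample lines are the ones above with plain quotes, plus one constructed ordinary request; the list of path fragments that count as "admin console" is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Access-log lines quoted in the post (plain quotes), plus one constructed benign request.
SAMPLE_LOG = [
    '218.149.84.18 - - [18/Jul/2009:18:12:05 +1200] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 1011 "-" "-"',
    '218.149.84.18 - - [18/Jul/2009:18:12:06 +1200] "GET /admin/mysql/main.php HTTP/1.0" 404 1011 "-" "-"',
    '218.149.84.18 - - [18/Jul/2009:18:12:06 +1200] "GET /phpmyadmin2/main.php HTTP/1.0" 404 1011 "-" "-"',
    '218.149.84.18 - - [18/Jul/2009:18:12:08 +1200] "GET /main.php HTTP/1.0" 404 1011 "-" "-"',
    '218.149.84.18 - - [18/Jul/2009:18:12:08 +1200] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 1011 "-" "-"',
    '218.149.84.18 - - [18/Jul/2009:18:12:11 +1200] "GET /myadmin/main.php HTTP/1.0" 404 1011 "-" "-"',
    '192.0.2.10 - - [18/Jul/2009:18:13:00 +1200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',  # constructed
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Path fragments treated as a probe for a database admin console (assumed list, matched case-insensitively).
ADMIN_HINTS = ("phpmyadmin", "mysql", "myadmin", "/admin/")

def parse_line(line):
    """Return ip, timestamp, path and status for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}

def find_scanners(lines, min_hits=5, window=timedelta(seconds=60)):
    """Return {ip: densest burst of admin-path 404s} for clients reaching min_hits inside one window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if not any(hint in rec["path"].lower() for hint in ADMIN_HINTS):
            continue  # a lone 404 such as /main.php is not by itself evidence of a scan
        stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):  # sliding window over the sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = best
    return flagged
```

The threshold and window are tunable; on the full scan above (14 requests in 7 seconds) the count would be far higher.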

And I don’t know what these are. I assume opening port 80 for the web server allows this traffic in ????, but nothing from port 80 should be port scanning. Must investigate this further; as the source ip keeps changing, I guess they are using ip spoofing.
Jul 20 20:00:50 osprey kernel: ABORTED IN=eth0 OUT= MAC=00:04:23:13:ce:85:00:1b:9e:da:2a:4c:08:00 SRC=130.161.131.20 DST=192.168.1.182 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=56658 PROTO=TCP SPT=80 DPT=4696 SEQ=3944916085 ACK=46838702 WINDOW=65535 RES=0x00 ACK RST URGP=0
Jul 20 20:01:01 osprey kernel: ABORTED IN=eth0 OUT= MAC=00:04:23:13:ce:85:00:1b:9e:da:2a:4c:08:00 SRC=134.109.228.1 DST=192.168.1.182 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=26195 PROTO=TCP SPT=80 DPT=4904 SEQ=2836782536 ACK=52944724 WINDOW=65535 RES=0x00 ACK RST URGP=0
Jul 20 20:01:03 osprey kernel: ABORTED IN=eth0 OUT= MAC=00:04:23:13:ce:85:00:1b:9e:da:2a:4c:08:00 SRC=134.109.228.1 DST=192.168.1.182 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=20062 PROTO=TCP SPT=80 DPT=4905 SEQ=2875721879 ACK=69698362 WINDOW=65535 RES=0x00 ACK RST URGP=0
ETC

Can’t be bothered setting up a dedicated firewall server, which is what is really needed to protect from the latter one.
(1) Might just change the internal network back to a separate ip range and block all traffic from any other range (unrequested traffic anyway) on each individual internal server; which would have to be done anyway as you can’t always rely on the firewall being correct (not if I set it up anyway).
(2) Might investigate fwbuilder further. I have unique ‘port’ rules for every server on the internal network anyway; but it may be able to perform the fine tuning in iptables that is beyond me (it certainly seems complicated enough).

And in the meantime, just continue as I have been doing by kickstarting updates into the web server each weekend, so at least I know that’s a clean system as the disks are formatted and everything re-installed regularly.

About mark

At work, been working on Tandems for around 30yrs (programming + sysadmin), plus AIX and Solaris sysadmin also thrown in during the last 20yrs; also about 5yrs on MVS (mainly operations and automation but also smp/e work). At home I have been using linux for decades. Programming background is commercially in TAL/COBOL/SCOBOL/C(Tandem); 370 assembler(MVS); C, perl and shell scripting in *nix; and Microsoft Macro Assembler(windows).