Stopping Script Kiddies
One of the things we get a lot of on our web servers is people trying to get into our web sites. They do this by trying lots of known vulnerabilities in existing software like phpMyAdmin, and they use a script to do it, hence the name "script kiddies". They will typically hit our server with a lot of page requests; for example, we recently had one who made over 6,000 page requests in 50 minutes.
It was that one that made me sit up and take this more seriously because I was annoyed. The reason I was annoyed was because the script managed to add about 60 blog comments to our opus.cx web site. It didn't do any real harm - the comments are held for moderation - but it did mean my mailbox was full of emails asking me to approve the posts.
Then I discovered that the IP address scanning opus.cx was McAfee and I was not best pleased. A long exchange of emails ensued. It turned out that the owners of the .cx top level domain have decided to change the registrant agreement (Adobe/PDF, 153KB) to say we have to allow such scanning. This came into effect on 24th November, not that they've actually told us or anything.
Anyway, it got me thinking about the whole business of script kiddie scanning, and a little research led me via this page to the discovery of fail2ban.
fail2ban is great. It's a daemon which sits there monitoring your log files for patterns and uses the matches to block IP addresses. In my case it's monitoring Apache's access.log for 404 errors. If it sees 404s whose requests match the regex pattern I've set up more than five times in ten minutes from the same IP address, it then blocks that address from all access to the server for an hour.
It seems to work a treat. I've already seen four addresses blocked (and a couple of false positives, which I've had to tweak my regex to stop from happening again).
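To make the mechanism concrete, here is an added example (my own code, not fail2ban's and not from the original post) that reimplements the logic of the jail described above in Python: parse Apache combined-format access.log lines, count 404s for scanner-style paths per client IP inside a sliding findtime window, and "ban" the IP for bantime once the count reaches maxretry. The log lines, the IP addresses and the scanner-path regex are all constructed for the example; the regex plays the role of the tuned pattern the post mentions, and it deliberately ignores ordinary 404s such as a missing favicon so that they cannot cause a false positive.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log line; we only need the client IP, timestamp, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that only a vulnerability scanner would request on this site.
# Assumed list for the example; it stands in for the author's hand-tuned regex.
SCANNER_RE = re.compile(r"/(phpmyadmin|pma|myadmin|mysql|w00tw00t|setup\.php)", re.I)


def parse_line(line):
    """Return (ip, timestamp, request, status), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (
        m.group("ip"),
        datetime.strptime(m.group("ts"), TS_FMT),
        m.group("req"),
        int(m.group("status")),
    )


class BanTracker:
    """Sliding-window failure counter modelled on fail2ban's maxretry/findtime/bantime."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)      # like fail2ban's ignoreip: never banned
        self.hits = defaultdict(deque)     # ip -> timestamps of matching lines
        self.bans = {}                     # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]              # bantime has elapsed: unban, start counting afresh
            self.hits[ip].clear()
            return False
        return True

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban, else None."""
        rec = parse_line(line)
        if rec is None:
            return None
        ip, now, req, status = rec
        if ip in self.ignoreip or self.is_banned(ip, now):
            return None
        # The filter: a 404 for a path only scanners ask for. A plain 404 (missing
        # favicon, stale link) does not count, which is how false positives are avoided.
        if status != 404 or not SCANNER_RE.search(req):
            return None
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.findtime:
            q.popleft()                    # forget hits older than findtime
        if len(q) >= self.maxretry:        # fail2ban bans on the maxretry-th match
            self.bans[ip] = now + self.bantime
            q.clear()
            return ip
        return None


def run(lines, **kwargs):
    """Feed every line to a fresh tracker; return ([(ip, line_no), ...], tracker)."""
    tracker = BanTracker(**kwargs)
    events = []
    for n, line in enumerate(lines, 1):
        banned = tracker.feed(line)
        if banned:
            events.append((banned, n))
    return events, tracker


# Constructed sample access.log: one scanner, one innocent 404, then the ban expiring.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2011:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2011:10:00:02 +0000] "GET /pma/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Dec/2011:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2011:10:00:04 +0000] "GET /myadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2011:10:00:05 +0000] "GET /mysql/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2011:10:00:06 +0000] "GET /phpMyAdmin/setup.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2011:10:00:07 +0000] "GET /phpmyadmin2/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Dec/2011:11:30:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in run(SAMPLE_LOG)[0]:
        print("ban", ip, "triggered by line", n)
```

The fifth scanner-style 404 from 203.0.113.7 (line 6) triggers the ban; the request on line 7 arrives while the address is banned and is ignored, and by the request at 11:30 the hour has passed, so it is counted as the first hit of a new window. The innocent 404 for /favicon.ico from 198.51.100.9 never counts. In a real fail2ban setup the same three knobs are `maxretry`, `findtime` and `bantime` in the jail definition, and the regex lives in a filter's `failregex` with `<HOST>` in place of the IP capture; the actual blocking is done by the jail's action (an iptables rule) rather than by a dictionary, and `ignoreip` is how you keep your own address off the list while testing.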
Tags: linux, websites | Written 16/12/11