You have probably found, more than once, entries in your Apache (or other service) logs from attempts to reach admin panels. They come from bots that scan address after address, probing the most common ports in search of admin panels, databases, or any vulnerability that gives them access to the server. These bots usually come from countries such as China or Russia.

Apache log

213.0.180.23 - - [30/Jun/2013:11:02:51 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 238
213.0.180.23 - - [30/Jun/2013:11:02:52 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 238
213.0.180.23 - - [30/Jun/2013:11:02:52 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 233
213.0.180.23 - - [30/Jun/2013:11:02:52 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 237
213.0.180.23 - - [30/Jun/2013:11:02:52 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 237
66.249.78.81 - - [30/Jun/2013:13:26:41 +0200] "GET /robots.txt HTTP/1.1" 404 224
66.249.78.81 - - [30/Jun/2013:13:26:42 +0200] "GET / HTTP/1.1" 404 217
62.117.82.7 - - [30/Jun/2013:15:04:00 +0200] "GET /phppath/php HTTP/1.0" 404 271
95.169.240.49 - - [30/Jun/2013:17:12:29 +0200] "GET / HTTP/1.1" 404 217
95.169.240.49 - - [30/Jun/2013:17:12:30 +0200] "GET /favicon.ico HTTP/1.1" 404 225
82.106.241.43 - - [30/Jun/2013:17:45:28 +0200] "\xc9\x82[\xf8Km[\xe2" 501 272
198.20.69.74 - - [30/Jun/2013:18:13:21 +0200] "GET / HTTP/1.1" 404 261
198.20.69.74 - - [30/Jun/2013:18:13:22 +0200] "GET /robots.txt HTTP/1.1" 404 271
91.121.86.13 - - [30/Jun/2013:18:46:33 +0200] "GET /nosuichfile.php HTTP/1.1" 404 276
91.121.86.13 - - [30/Jun/2013:18:46:33 +0200] "GET /noxdir/nosuichfile.php HTTP/1.1" 404 283
91.121.86.13 - - [30/Jun/2013:18:46:34 +0200] "GET /phppath/php HTTP/1.1" 404 272
222.36.0.46 - - [30/Jun/2013:20:37:34 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 272
222.36.0.46 - - [30/Jun/2013:20:37:35 +0200] "GET /phpMyAdmin/ HTTP/1.1" 404 272
222.36.0.46 - - [30/Jun/2013:20:37:35 +0200] "GET /PMA/ HTTP/1.1" 404 265
222.36.0.46 - - [30/Jun/2013:20:37:36 +0200] "GET /pma/ HTTP/1.1" 404 265
222.36.0.46 - - [30/Jun/2013:20:37:37 +0200] "GET /admin/ HTTP/1.1" 404 267
222.36.0.46 - - [30/Jun/2013:20:37:38 +0200] "GET /dbadmin/ HTTP/1.1" 404 269
222.36.0.46 - - [30/Jun/2013:20:37:39 +0200] "GET /sql/ HTTP/1.1" 404 265
222.36.0.46 - - [30/Jun/2013:20:37:40 +0200] "GET /mysql/ HTTP/1.1" 404 267
222.36.0.46 - - [30/Jun/2013:20:37:40 +0200] "GET /myadmin/ HTTP/1.1" 404 269
222.36.0.46 - - [30/Jun/2013:20:37:41 +0200] "GET /phpmyadmin2/ HTTP/1.1" 404 273
222.36.0.46 - - [30/Jun/2013:20:37:42 +0200] "GET /phpMyAdmin2/ HTTP/1.1" 404 273
222.36.0.46 - - [30/Jun/2013:20:37:43 +0200] "GET /phpMyAdmin-2/ HTTP/1.1" 404 274
222.36.0.46 - - [30/Jun/2013:20:37:44 +0200] "GET /php-my-admin/ HTTP/1.1" 404 274
222.36.0.46 - - [30/Jun/2013:20:37:44 +0200] "GET /sqlmanager/ HTTP/1.1" 404 272
222.36.0.46 - - [30/Jun/2013:20:37:45 +0200] "GET /mysqlmanager/ HTTP/1.1" 404 274
222.36.0.46 - - [30/Jun/2013:20:37:46 +0200] "GET /p/m/a/ HTTP/1.1" 404 267
222.36.0.46 - - [30/Jun/2013:20:37:47 +0200] "GET /php-myadmin/ HTTP/1.1" 404 273
222.36.0.46 - - [30/Jun/2013:20:37:48 +0200] "GET /phpmy-admin/ HTTP/1.1" 404 273
222.36.0.46 - - [30/Jun/2013:20:37:49 +0200] "GET /webadmin/ HTTP/1.1" 404 270
222.36.0.46 - - [30/Jun/2013:20:37:50 +0200] "GET /sqlweb/ HTTP/1.1" 404 268
222.36.0.46 - - [30/Jun/2013:20:37:51 +0200] "GET /websql/ HTTP/1.1" 404 268
222.36.0.46 - - [30/Jun/2013:20:37:51 +0200] "GET /webdb/ HTTP/1.1" 404 267
222.36.0.46 - - [30/Jun/2013:20:37:52 +0200] "GET /mysqladmin/ HTTP/1.1" 404 272
222.36.0.46 - - [30/Jun/2013:20:37:53 +0200] "GET /mysql-admin/ HTTP/1.1" 404 273
222.36.0.46 - - [30/Jun/2013:20:37:54 +0200] "GET /scripts/setup.php HTTP/1.1" 404 278
222.36.0.46 - - [30/Jun/2013:20:37:55 +0200] "GET /admin/scripts/setup.php HTTP/1.1" 404 284
222.36.0.46 - - [30/Jun/2013:20:37:55 +0200] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 288
222.36.0.46 - - [30/Jun/2013:20:37:56 +0200] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 295
222.36.0.46 - - [30/Jun/2013:20:37:57 +0200] "GET /db/scripts/setup.php HTTP/1.1" 404 281
222.36.0.46 - - [30/Jun/2013:20:37:58 +0200] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 286
222.36.0.46 - - [30/Jun/2013:20:37:59 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 286
222.36.0.46 - - [30/Jun/2013:20:37:59 +0200] "GET /mysql/scripts/setup.php HTTP/1.1" 404 284
222.36.0.46 - - [30/Jun/2013:20:38:02 +0200] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:02 +0200] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 295
222.36.0.46 - - [30/Jun/2013:20:38:03 +0200] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 287
222.36.0.46 - - [30/Jun/2013:20:38:04 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:05 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:06 +0200] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 290
222.36.0.46 - - [30/Jun/2013:20:38:07 +0200] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 290
222.36.0.46 - - [30/Jun/2013:20:38:07 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 282
222.36.0.46 - - [30/Jun/2013:20:38:08 +0200] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 293
222.36.0.46 - - [30/Jun/2013:20:38:09 +0200] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 295
222.36.0.46 - - [30/Jun/2013:20:38:10 +0200] "GET /web/scripts/setup.php HTTP/1.1" 404 282
222.36.0.46 - - [30/Jun/2013:20:38:11 +0200] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 291
222.36.0.46 - - [30/Jun/2013:20:38:12 +0200] "GET /websql/scripts/setup.php HTTP/1.1" 404 285
222.36.0.46 - - [30/Jun/2013:20:38:12 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:13 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:14 +0200] "GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 291
222.36.0.46 - - [30/Jun/2013:20:38:15 +0200] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 291
222.36.0.46 - - [30/Jun/2013:20:38:16 +0200] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:16 +0200] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 291
222.36.0.46 - - [30/Jun/2013:20:38:17 +0200] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 284
222.36.0.46 - - [30/Jun/2013:20:38:18 +0200] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 286
222.36.0.46 - - [30/Jun/2013:20:38:19 +0200] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 286
222.36.0.46 - - [30/Jun/2013:20:38:20 +0200] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:21 +0200] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 290
222.36.0.46 - - [30/Jun/2013:20:38:21 +0200] "GET /phpmy-admin/scripts/setup.php HTTP/1.1" 404 290
222.36.0.46 - - [30/Jun/2013:20:38:22 +0200] "GET /webadmin/scripts/setup.php HTTP/1.1" 404 287
222.36.0.46 - - [30/Jun/2013:20:38:23 +0200] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 285
222.36.0.46 - - [30/Jun/2013:20:38:24 +0200] "GET /websql/scripts/setup.php HTTP/1.1" 404 285
222.36.0.46 - - [30/Jun/2013:20:38:25 +0200] "GET /webdb/scripts/setup.php HTTP/1.1" 404 284
222.36.0.46 - - [30/Jun/2013:20:38:26 +0200] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 289
222.36.0.46 - - [30/Jun/2013:20:38:26 +0200] "GET /mysql-admin/scripts/setup.php HTTP/1.1" 404 290
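
A log like the one above can be triaged automatically. The following shell snippet is an added example, not part of the original post: it reads Apache common-format lines from stdin and reports the clients whose requests for admin-panel paths ended in 404, which separates a scanner walking a path dictionary from a crawler that missed one file. The sample lines are constructed (RFC 5737 documentation addresses), and the path pattern and threshold are assumptions you will want to tune.

```shell
#!/bin/bash
# Constructed sample in Apache common log format (not the post's own log);
# documentation ranges from RFC 5737 stand in for real client addresses.
SAMPLE_LOG='203.0.113.5 - - [30/Jun/2013:20:37:34 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 272
203.0.113.5 - - [30/Jun/2013:20:37:35 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 282
203.0.113.5 - - [30/Jun/2013:20:37:36 +0200] "GET /mysqladmin/ HTTP/1.1" 404 272
198.51.100.7 - - [30/Jun/2013:13:26:41 +0200] "GET /robots.txt HTTP/1.1" 404 224
198.51.100.7 - - [30/Jun/2013:13:26:42 +0200] "GET / HTTP/1.1" 200 5120
192.0.2.9 - - [30/Jun/2013:17:45:28 +0200] "\xc9\x82[\xf8Km[\xe2" 501 272
203.0.113.5 - - [30/Jun/2013:20:37:37 +0200] "GET /index.html HTTP/1.1" 200 1024'

# Read a log on stdin and print "ip count" for every client whose requests
# for admin-panel paths (phpMyAdmin and its aliases, setup.php, *sql*...)
# ended in 404, highest count first. Fields: $1 client, $7 path, $9 status;
# a malformed request like the 501 line has no $9 and is simply not counted.
admin_probes() {
  awk '$9 == "404" && tolower($7) ~ /phpmyadmin|pma|myadmin|dbadmin|sql|setup\.php/ { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr
}

# Clients with at least MIN such probes (default 3): a scanner walking a
# path dictionary, as opposed to a crawler or a user that missed one file.
scanner_ips() {
  local min="${1:-3}"
  admin_probes | awk -v min="$min" '$2 >= min { print $1 }'
}

# Usage on a real log:  scanner_ips 5 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | scanner_ips 3
```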

To avoid this we have written a Bash script that creates a set of iptables rules so that only connections from Spain are allowed into our servers; this keeps out the vast majority of these bots.


What is iptables?

iptables is the user-space front end to Netfilter, a framework built into the Linux kernel for intercepting and manipulating network packets. It lets you filter packets, translate network addresses (NAT), forward packets to another network, or redirect ports (port forwarding)…


Linux script

#!/bin/bash

# APP info
app_name="Block IPs"
app_version="1.0.0"
app_author="Security Null"
app_last_update="2014-01-31"
app_usage="Usage: ./firewall.sh <ips file path>"

NET_INTERFACE=eth0

# Check params
if [ $# -ge 1 ]; then
	ips_db_file=$1
else
	echo "$app_name $app_version - $app_author [$app_last_update]"
	echo
	echo "$app_usage"
	exit 1
fi

# Delete All Rules
iptables -F
iptables -X

# Default Rules
iptables -P INPUT DROP

# LoopBack
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections the server itself opens (package updates, DNS, ...)
# must still get in; without this rule the DROP policy breaks all outbound
# connectivity to addresses outside the allowlist
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept Local Network Traffic (the full RFC 1918 ranges, loopback and link-local)
iptables -I INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -I INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -I INPUT -s 172.16.0.0/12 -j ACCEPT
iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -I INPUT -s 169.254.0.0/16 -j ACCEPT

# Accept Spanish IPs Only: one CIDR range per line; lines starting with "#"
# are comments, blank lines and Windows line endings (CR) are skipped
while IFS= read -r ip || [ -n "$ip" ]; do
	ip="${ip%$'\r'}"
	case "$ip" in
		''|'#'*) continue ;;
	esac
	iptables -I INPUT -s "$ip" -i "$NET_INTERFACE" -j ACCEPT
done < "$ips_db_file"

# Ping Input to Output
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

  • 1st: We delete all existing iptables rules; if you want to keep the ones you already have, remove the part labelled "# Delete All Rules".
  • 2nd: We tell iptables to drop every incoming packet by default, so that from then on only the IPs we explicitly allow get through.
  • 3rd: It is important to allow the private and loopback address ranges so that the server's internal services keep working and we can still reach it from our local network (LAN).
  • 4th: We add all the Spanish IP ranges to allow them in.
  • 5th: Finally, we allow ping from inside to outside but not the other way round.
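
Step 4 is where a stray line in the IP file would end up in an iptables rule unchecked. The following snippet is an added example, not the post's script: it parses a file in the spanish_ips.db format, validates each entry as an IPv4 CIDR (rejecting prefixes shorter than /8, which would reopen the server to everyone), and prints the rules it would create so they can be reviewed before being applied. The sample file and the interface name eth0 are constructed for the demonstration.

```shell
#!/bin/bash
# Constructed allowlist in the spanish_ips.db format ("# ISP" comments, one
# CIDR per line) plus the lines that trip up a naive loop: a CRLF ending,
# a blank line, an octet out of range, a prefix that would match everything,
# and an entry with no prefix at all.
SAMPLE_DB=$(printf '# TELEFONICA\n2.136.0.0/13\n80.58.0.0/15\r\n\n# BAD\n300.1.1.0/24\n0.0.0.0/0\n10.0.0.0\n')

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/n, octets 0-255, n 8-32).
# Prefixes shorter than /8 are rejected on purpose: one such allowlist entry
# would silently reopen the server to the whole Internet.
valid_cidr() {
  local ip="${1%/*}" pfx="${1#*/}" o
  [ "$ip" != "$1" ] || return 1                      # no "/" at all
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -ge 8 ] && [ "$pfx" -le 32 ] || return 1
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Read an allowlist on stdin and print, instead of executing, the iptables
# command the post's script runs for each entry (interface defaults to eth0).
# Comments, blank lines and CR are skipped; invalid entries are reported on
# stderr rather than handed to iptables. Pipe the output to sh to apply it.
gen_rules() {
  local iface="${1:-eth0}" line
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # drop comment, CR, blanks
    [ -n "$line" ] || continue
    if valid_cidr "$line"; then
      printf 'iptables -I INPUT -s %s -i %s -j ACCEPT\n' "$line" "$iface"
    else
      printf 'skipping invalid entry: %s\n' "$line" >&2
    fi
  done
}

# Dry run over the sample; with a real file:  gen_rules eth0 < spanish_ips.db
printf '%s\n' "$SAMPLE_DB" | gen_rules eth0
```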

Running the script

To run the script, first save the IP list to a file (for example spanish_ips.db) and then, as root, run the script as follows:

chmod 777 firewall.sh # (First of all, grant it execute permission)
./firewall.sh spanish_ips.db

Execute permission is all it needs (chmod +x firewall.sh); since the script runs as root, avoid leaving it writable by other users.

You can view the rules that were added with "iptables -L -n" or "iptables --list -n".

Two things to keep in mind. The rules live only in kernel memory, so they disappear on reboot unless the script is run again at boot or the rule set is saved with iptables-save and restored with iptables-restore. And a country allowlist only cuts down the noise: it also blocks legitimate foreign visitors such as search-engine crawlers (the /robots.txt requests in the log above are typical crawler traffic), while the first scanner in that log, 213.0.180.23, sits inside the 213.0.0.0/16 Telefónica block from the list below and would still get through, so it is worth pairing with log-based blocking of addresses that probe admin paths.

Download

blockips.zip (2 KB) -> https://mega.co.nz/#!clgB3IzJ!9UL7TiscOd12gkqINGwjKhbdBWe2t_lttr66oUwQ180

List of Spanish IP ranges

This list covers the main ISPs used in Spain, although there are many more…

# TELEFONICA
2.136.0.0/13
5.205.0.0/16
37.10.128.0/15
37.12.0.0/17
37.158.0.0/16
79.144.0.0/12
80.24.0.0/13
80.32.0.0/13
80.58.0.0/15
81.32.0.0/12
83.32.0.0/12
83.48.0.0/12
84.16.0.0/19
88.0.0.0/11
94.142.96.0/19
95.120.0.0/13
193.152.0.0/15
194.69.224.0/19
194.179.0.0/17
194.224.0.0/16
195.53.0.0/16
195.55.0.0/16
195.57.0.0/16
195.76.0.0/16
195.77.0.0/16
195.235.0.0/16
212.170.0.0/16
213.0.0.0/16
213.4.0.0/16
213.96.0.0/15
213.98.0.0/16
213.99.0.0/16
213.140.32.0/19
217.124.0.0/14

# VODAFONE
31.4.0.0/16
46.24.0.0/14
62.87.0.0/17
77.208.0.0/14
77.224.0.0/13
87.235.0.0/16
89.6.0.0/15
95.60.0.0/14
178.139.0.0/16
188.84.0.0/14
212.73.32.0/19
212.145.0.0/16
212.166.128.0/18
212.166.192.0/18
217.130.0.0/16

# ONO
2.152.0.0/14
62.42.0.0/16
62.43.0.0/16
62.57.0.0/16
62.81.0.0/16
62.82.0.0/16
62.83.0.0/16
62.100.96.0/19
62.101.160.0/19
62.117.128.0/19
62.117.160.0/19
62.117.192.0/18
62.174.0.0/15
79.108.0.0/15
80.173.0.0/16
80.174.0.0/16
80.224.0.0/16
81.60.0.0/15
81.172.0.0/17
81.184.0.0/16
81.202.0.0/15
82.158.0.0/15
82.198.32.0/19
82.213.128.0/18
83.138.192.0/18
83.173.128.0/18
84.120.0.0/13
85.136.0.0/15
85.155.0.0/16
85.219.0.0/17
85.251.0.0/16
89.140.0.0/15
95.39.0.0/16
188.95.216.0/21
194.106.0.0/19
194.140.128.0/19
194.140.160.0/19
194.149.192.0/19
195.60.81.64/26
212.21.224.0/19
212.22.32.0/19
212.40.224.0/19
212.78.128.0/19
212.79.128.0/19
212.95.192.0/19
212.97.160.0/19
212.122.96.0/19
212.183.192.0/18
213.37.0.0/16
213.201.0.0/17
213.227.0.0/18
213.231.64.0/18
213.254.64.0/18
217.216.0.0/15

# JAZZTEL
37.11.0.0/16
37.14.0.0/17
37.132.0.0/18
62.14.0.0/16
62.15.0.0/16
87.216.0.0/13
95.16.0.0/13
188.76.0.0/14
212.9.64.0/19
212.106.192.0/19
212.106.224.0/19
213.179.96.0/19

# ORANGE – FRANCE TELECOM
62.32.128.0/17
62.36.0.0/16
62.37.0.0/16
62.151.0.0/15
62.151.128.0/13
62.151.192.0/14
80.102.0.0/17
83.231.0.0/17
84.76.0.0/18
85.48.0.0/20
88.87.192.0/19
89.128.0.0/18
90.160.0.0/20
92.56.0.0/18
94.229.192.0/20
212.31.32.0/19
212.169.128.0/17
213.143.32.0/19
213.151.96.0/19
217.71.192.0/20

# EUSKATEL
37.218.0.0/15
62.99.0.0/17
82.130.128.0/17
83.213.0.0/16
85.84.0.0/14
212.8.64.0/18
212.55.0.0/19
212.142.128.0/17

# YA.COM
62.151.0.0/16
84.76.0.0/14
89.128.0.0/14
92.56.0.0/14

# R CABLE
77.26.0.0/15
83.165.0.0/16
91.116.0.0/15
178.60.0.0/16
212.51.32.0/19
213.60.0.0/16

# TELECABLE
81.9.128.0/17
83.97.128.0/17
85.152.0.0/16
93.156.0.0/16
188.171.0.0/16
212.89.0.0/19
213.141.32.0/19


Support

For help, bug reports, ideas or improvements, contact: projects@securitynull.net


SOURCES

www.nirsoft.net
www.redeszone.net
www.cidr-report.org