Disadvantages of a fake phpMyAdmin honeypot that causes IP blacklisting and robots.txt disallow/exclusion of the honeypot?

@Shanna517

Posted in: #Blacklist #IpAddress #Security #WebCrawlers

I'm trying to figure out whether I should set up a honeypot system with a fake phpMyAdmin (site gets hits all the time with people spidering for insecurities with that app).

My thought was to create a honeypot PHP script that would mimic a phpMyAdmin login, and then blacklist IPs that hit that URL (and aren't already whitelisted). I would then add the appropriate URLs to the robots.txt so that spiders that actually respect my robots.txt wouldn't be caught by the blacklist.

Are there disadvantages to this approach? Do legit robots sometimes not respect robots.txt in certain circumstances? Are there any problems with this that I should consider in advance?




3 Comments


@BetL925

Are there disadvantages to this approach?


Yes. A malicious party could be using a proxy IP. You could end up blacklisting legitimate users with the same IP, and the malicious user may just change their IP if blacklisted.


@Shanna517

The obvious disadvantage of blacklisting is blocking valid users sharing a NAT with machines you want to blacklist (think: big corporations with VPN and only a few external IPs, or universities with similar setups, maybe even some ISPs).

In the particular case of worms, such as the one trying to propagate through bugs in phpMyAdmin, that would mean you blacklist infected machines. They would remain blacklisted even after they have been cleaned up using anti-virus software. That's also not something you want.


@Heady270

Robots.txt is an advisory protocol; no one has to follow it, and several spiders don't (e.g. those used by Internet archivists like the Archive Team).

As such, you might like to consider whitelisting the IP addresses that will be accessing your real phpMyAdmin area and excluding all others, rather than blacklisting all those who hit your honeypot. The simplest way to do this, if you have access to the phpMyAdmin directory, is by including a .htaccess file with the following rules:

# Apache 2.2 access-control syntax (on Apache 2.4 this needs mod_access_compat,
# or use "Require ip XX.XX.XXX.XXX" lines instead)
order deny,allow
deny from all
# allow my home IP address
allow from XX.XX.XXX.XXX
# allow my work IP address
allow from XX.XX.XXX.XXX

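The following is an added example, not code from any of the posters. It puts the two ideas on this page side by side as one decision routine: the honeypot-triggered blacklist from the question, and the whitelist-only real admin path from the last answer. It is written in Python rather than the asker's PHP so the logic can be exercised offline; the paths, the address ranges and the "access log" are all constructed. Two details respond to the caveats raised in the comments: the whitelist is a list of CIDR ranges (so your own NAT'd office is allowed as a whole), and blacklist entries expire after a TTL, so a worm-infected host that gets cleaned up is not banned forever.

```python
"""Decision logic for a fake-phpMyAdmin honeypot with an expiring IP blacklist
plus a CIDR whitelist that alone may reach the real phpMyAdmin path.
Added example; paths, ranges and log lines below are made up for illustration."""
import ipaddress

# Paths served only by the honeypot (assumed; these are also what robots.txt disallows)
HONEYPOT_PATHS = ("/phpmyadmin/", "/phpMyAdmin/", "/pma/")
# Where the real phpMyAdmin lives (assumed); whitelist-only, never a honeypot trigger
REAL_ADMIN_PATH = "/real-admin-path-xyz/"
# Assumed home/office ranges; CIDRs so a whole NAT'd network can be allowed at once
WHITELIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
BLOCK_TTL = 24 * 3600  # seconds a trapped IP stays blocked; prevents permanent bans


def is_whitelisted(ip: str) -> bool:
    """True if ip falls inside any whitelisted CIDR (mixed v4/v6 simply compares False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


class Blacklist:
    """In-memory blacklist keyed by IP with a per-entry expiry timestamp."""

    def __init__(self, ttl: int = BLOCK_TTL):
        self.ttl = ttl
        self._expiry = {}  # ip -> unix time at which the block lapses

    def add(self, ip: str, now: float) -> None:
        self._expiry[ip] = now + self.ttl

    def is_blocked(self, ip: str, now: float) -> bool:
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:          # TTL passed: drop the entry so a cleaned host is free again
            del self._expiry[ip]
            return False
        return True


def robots_txt() -> str:
    """robots.txt telling well-behaved crawlers to stay out of the honeypot paths."""
    lines = ["User-agent: *"] + [f"Disallow: {p}" for p in HONEYPOT_PATHS]
    return "\n".join(lines) + "\n"


def decide(bl: Blacklist, ip: str, path: str, now: float) -> str:
    """Action for one request: 'allow', 'deny', or 'honeypot' (serve the fake login and trap)."""
    if path.startswith(REAL_ADMIN_PATH):
        # Whitelist-only, like the .htaccess deny-all/allow-from rules; no trapping here
        return "allow" if is_whitelisted(ip) else "deny"
    if is_whitelisted(ip):
        return "allow"          # whitelisted clients are never trapped, even on honeypot paths
    if bl.is_blocked(ip, now):
        return "deny"           # previously trapped and still inside the TTL
    if any(path.startswith(p) for p in HONEYPOT_PATHS):
        bl.add(ip, now)
        return "honeypot"       # show the fake phpMyAdmin login, block further requests
    return "allow"


# Constructed "access log": (unix time, client IP, request path)
SAMPLE_LOG = [
    (0, "192.0.2.10", "/phpmyadmin/index.php"),       # scanner probes the honeypot
    (5, "192.0.2.10", "/index.html"),                 # same IP is now blocked
    (BLOCK_TTL + 1, "192.0.2.10", "/index.html"),     # TTL elapsed: allowed again
    (1, "198.51.100.42", "/phpmyadmin/"),             # whitelisted office range: not trapped
    (2, "198.51.100.42", REAL_ADMIN_PATH),            # whitelisted: real admin allowed
    (3, "192.0.2.77", REAL_ADMIN_PATH),               # not whitelisted: denied, not blacklisted
    (4, "192.0.2.77", "/index.html"),                 # so its normal traffic still passes
]


def run_demo():
    """Replay SAMPLE_LOG through one Blacklist and return (ip, path, action) tuples."""
    bl = Blacklist()
    return [(ip, path, decide(bl, ip, path, ts)) for ts, ip, path in SAMPLE_LOG]


if __name__ == "__main__":
    print(robots_txt())
    for row in run_demo():
        print(row)
```

Note what this does not solve, exactly as the comments warn: a scanner behind the same NAT or proxy as a legitimate visitor still takes that visitor down with it for the length of the TTL, and a scanner that rotates source addresses is only ever blocked one address at a time.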

