Disadvantages of a fake phpMyAdmin honeypot that causes IP blacklisting and robots.txt disallow/exclusion of the honeypot?
I'm trying to figure out whether I should set up a honeypot system with a fake phpMyAdmin (site gets hits all the time with people spidering for insecurities with that app).
My thought was to create a honeypot PHP script that would mimic a phpMyAdmin login, and then blacklist IPs that hit that URL (and aren't already whitelisted). I would then add the appropriate URLs to the robots.txt so that spiders that actually respect my robots.txt wouldn't be caught by the blacklist.
Are there disadvantages to this approach? Do legitimate robots sometimes not respect robots.txt in certain circumstances? Are there any problems with this that I should consider in advance?
3 Comments
Are there disadvantages to this approach
Yes. A malicious party could be using a proxy IP. You could end up blacklisting legitimate users with the same IP, and the malicious user may just change their IP if blacklisted.
The obvious disadvantage of blacklisting is blocking valid users sharing NAT with machines you want to blacklist (think: big corporations with VPN and only a few external IPs, or universities with similar setups, maybe even some ISPs).
In the particular case of worms, such as the one trying to propagate through bugs in phpMyAdmin, that would mean you blacklist infected machines. They would remain blacklisted even after they have been cleaned up using anti-virus software. That's also not something you want.
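The decision logic the question describes (a decoy phpMyAdmin URL whose visitors get blocked unless they are whitelisted, with the decoy paths listed in robots.txt), combined with the caveat in the answer above that a permanently blacklisted IP keeps blocking cleaned-up hosts and everyone behind the same NAT, as an added example that is not part of the original question or any answer. The whitelist networks, decoy paths, TTL and IP addresses are constructed values; the class models the logic a PHP honeypot script plus a block list would implement, and the time-limited block is the mitigation for the shared-IP and cleaned-worm problems.

```python
import ipaddress
import time
from typing import Dict, Iterable, List, Optional

# Constructed whitelist: networks that may legitimately reach the real
# phpMyAdmin (hypothetical documentation ranges, not real addresses).
WHITELIST_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]

# Decoy URLs the real site never links to. The same list is emitted into
# robots.txt so that crawlers honouring it are never drawn into the trap.
HONEYPOT_PATHS = ["/phpmyadmin/", "/pma/", "/phpMyAdmin/"]


class HoneypotBlocklist:
    """Records hits on the decoy URLs and blocks the source IP for a limited
    time. The expiry (ttl_seconds) is what keeps a cleaned-up infected host,
    or a whole NAT/VPN egress address, from staying blocked indefinitely."""

    def __init__(self, whitelist: Iterable[str], ttl_seconds: int = 3600):
        # strict=False tolerates host bits set in a CIDR such as 10.1.2.3/24
        self.whitelist = [ipaddress.ip_network(c, strict=False) for c in whitelist]
        self.ttl = ttl_seconds
        self.blocked: Dict[str, float] = {}   # ip -> expiry timestamp
        self.log: List[str] = []              # audit trail of decoy hits

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_hit(self, ip: str, path: str, now: Optional[float] = None) -> str:
        """Called for every request; returns what was decided for this hit."""
        now = time.time() if now is None else now
        if path not in HONEYPOT_PATHS:
            return "ignored"            # ordinary traffic, nothing to do
        self.log.append(f"{now:.0f} honeypot {path} from {ip}")
        if self.is_whitelisted(ip):
            return "whitelisted"        # logged, but never blocked
        self.blocked[ip] = now + self.ttl   # (re)start the block window
        return "blocked"

    def is_blocked(self, ip: str, now: Optional[float] = None) -> bool:
        """Check a source IP; expired entries are dropped on the way out."""
        now = time.time() if now is None else now
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True


def robots_txt(paths: Iterable[str]) -> str:
    """Disallow rules for the decoy paths; advisory only, as the answers note."""
    lines = ["User-agent: *"] + [f"Disallow: {p}" for p in paths]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bl = HoneypotBlocklist(WHITELIST_CIDRS, ttl_seconds=60)
    t0 = 1_000.0
    print(bl.record_hit("203.0.113.9", "/pma/", now=t0))          # whitelisted
    print(bl.record_hit("192.0.2.55", "/phpmyadmin/", now=t0))    # blocked
    print(bl.is_blocked("192.0.2.55", now=t0 + 30))               # True
    print(bl.is_blocked("192.0.2.55", now=t0 + 60))               # False (expired)
    print(robots_txt(HONEYPOT_PATHS))
```

Whitelisted sources are still logged when they touch a decoy path, so a whitelisted machine that starts probing (for example because it is itself infected) is visible in the audit trail even though it is never blocked.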
Robots.txt is an advisory protocol; no one has to follow it, and several spiders don't (e.g. those used by Internet archivists like the Archive Team).
As such, you might like to consider whitelisting the IP addresses that will be accessing your real phpMyAdmin area and excluding all others, rather than blacklisting all those who hit your honeypot. The simplest way to do this if you have access to the phpMyAdmin directory is by including a .htaccess file with the following rules:
# Apache 2.2 (mod_authz_host) syntax: deny everyone, then list the exceptions.
# On Apache 2.4 this form needs mod_access_compat; the native 2.4 equivalent is "Require ip".
order deny,allow
deny from all
# allow my home IP address (replace the placeholder with the real address)
allow from XX.XX.XXX.XXX
# allow my work IP address (replace the placeholder with the real address)
allow from XX.XX.XXX.XXX