Below is a message I received from OSSEC that is obviously someone trying to scan for database management tools. Fortunately I don't use any on the address they were scanning, but I'd like to be able to have OSSEC automatically block that IP's attempts. Can HTTP requests block IPs using hosts.deny?

OSSEC HIDS Notification.
2011 May 07 03:17:27

Received From: (host) xxx.xxx.xxx.xxx->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

120.101.70.54 - - [07/May/2011:03:17:26 -0500] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:26 -0500] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:25 -0500] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 305 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:25 -0500] "GET /mysql/scripts/setup.php HTTP/1.1" 404 300 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:25 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 302 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:24 -0500] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 302 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:24 -0500] "GET /db/scripts/setup.php HTTP/1.1" 404 297 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 304 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/scripts/setup.php HTTP/1.1" 404 300 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:22 -0500] "GET /scripts/setup.php HTTP/1.1" 404 294 "-" "ZmEu"

--END OF NOTIFICATION
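
The kind of correlation the alert above describes (many 4xx responses to one source IP in a short time), as an added example that is not part of the original post and is not OSSEC's own code. The function names, the threshold and the window are assumptions chosen for illustration, and the sample log mixes four entries from the alert with two constructed ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample: four entries taken from the alert above, plus two invented
# entries (a 200 and a lone 404 from other clients) that must not be flagged.
SAMPLE_LOG = """\
120.101.70.54 - - [07/May/2011:03:17:22 -0500] "GET /scripts/setup.php HTTP/1.1" 404 294 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/scripts/setup.php HTTP/1.1" 404 300 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 304 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:24 -0500] "GET /db/scripts/setup.php HTTP/1.1" 404 297 "-" "ZmEu"
192.0.2.10 - - [07/May/2011:03:17:24 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [07/May/2011:03:17:25 -0500] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return (ip, timestamp, status) for a combined-format line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])

def noisy_sources(lines, threshold=4, window_seconds=90):
    """Return {ip: peak_count} for sources with >= threshold 4xx responses
    inside a sliding window. Both defaults are assumed values, not the
    settings of OSSEC rule 31151."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of 4xx hits still in window
    flagged = {}
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[1])
    for ip, ts, status in events:
        if not 400 <= status < 500:
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits that aged out of the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(hits))
    return flagged

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG.splitlines()))
```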
