Brute Force Monitor doesn't work

Dettol

Verified User
Joined
Sep 26, 2022
Messages
72
I see a lot of this kind of log every day, but Brute Force Monitor never bans them for trying to get into my phpMyAdmin...
Can anyone help me with a solution to stop them trying to get into my phpMyAdmin? Thank you

152.136.33.12 - - [28/Sep/2022:22:42:25 +0800] "GET /phpmyadmin4/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:26 +0800] "GET /1phpmyadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:26 +0800] "GET /sql/phpmyadmin5/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:27 +0800] "GET /phpmyadmin2016/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:27 +0800] "GET /admin/sqladmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:28 +0800] "GET /db/dbadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:28 +0800] "GET /phpMyAdmin1/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:29 +0800] "GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:29 +0800] "GET /administrator/phpMyAdmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:30 +0800] "GET /administrator/db/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:30 +0800] "GET /phpMyAdmin2/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:31 +0800] "GET /mysql/sqlmanager/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:31 +0800] "GET /sql/webadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:31 +0800] "GET /db/webdb/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:32 +0800] "GET /phpmyadmin5/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:32 +0800] "GET /mysql/admin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:33 +0800] "GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:33 +0800] "GET /db/phpmyadmin4/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:34 +0800] "GET /mysql/pma/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:34 +0800] "GET /sql/websql/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:35 +0800] "GET /phpMyAdmin-5.1.0/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:35 +0800] "GET /administrator/phpmyadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:36 +0800] "GET /database/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:36 +0800] "GET /phpmyadmin2017/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:37 +0800] "GET /sql/phpmyadmin3/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:37 +0800] "GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:37 +0800] "GET /phpMyAdmin-5.1.2/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:38 +0800] "GET /admin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:38 +0800] "GET /_phpMyAdmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0;

and more... only this IP... over 500 log entries in the same day
 
If you mean you use mod_security to block them, it must reach a count of 50 before it triggers a block. You can lower this count with the setting in
Admin -> Server Manager -> Administrator Settings -> Security Tab -> Notify Admins after an IP has

The default value is 100; it means 1/2 of this setting triggers the Mod_security block.
 
Thank you, but this IP has over 500 fails.
 
Could you confirm it is 500 fails within one day? Because it resets the count every day.
 
Yes, that is all in the same day, same IP, and 2 or 3 requests per second....

This is why I say Brute Force Monitor doesn't work
 
Do you have CSF installed?
Yes, also with Comodo WAF too, but I don't know why they can bypass or make CSF and Brute Force Monitor not work until they finish this wave of scanning..
 
It looks like you have wrong regex rules, because it is not filtered by mod_security; see your logs
HTTP/1.1" 301 519
It is HTTP code 301; it must be 404, or 403, or something else

Did you try it yourself to see whether it throws HTTP code 404 or 403? The logs should show the same code
 
Thank you for continuing to help. I think it's because I have removed these "Redirects" via alias

but they always try to scan my server, so I use a modsec rule to deny them now:
# Deny any request whose URI contains one of the admin-panel path fragments (case-insensitive, so /phpmyadmin and /phpMyAdmin both match)
SecRule REQUEST_URI "(?i)^.*(/pma|/dbadmin|/phpMyAdmin).*$" "phase:1,id:728277,severity:'CRITICAL',log,deny,status:406,msg:'Forbidden'"

If they try to scan/use the server it will deny them; hope this will work
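Added example (not from the thread, DirectAdmin, or ModSecurity): a small Python check that shows the two points raised above. It tallies the admin-panel probes per source IP per day from access-log lines, once counting only 403/404 responses (the way a brute-force monitor keyed on failed responses would see them) and once counting everything, so that a 301-answered scan shows up as 0 hits in the first tally and well over the 50-request trigger in the second. It then tests the rule's regex against the logged paths with and without the case-insensitive flag. The log lines, IP addresses (TEST-NET ranges), the PROBE_RE pattern and the 50-request threshold are constructed or assumed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Combined-log-format parser: ip, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list of admin-panel path fragments to treat as probes (not a DirectAdmin rule).
PROBE_RE = re.compile(r"(?i)(/pma|/dbadmin|/phpmyadmin)")

# Assumed trigger: half of the 100-request "notify admins" default mentioned in the thread.
BLOCK_THRESHOLD = 50

# The rule regex as posted in the thread, and the same regex with a case-insensitive flag.
ORIGINAL_RULE_RX = r"^.*(/pma|/dbadmin|/phpMyAdmin).*$"
FIXED_RULE_RX = r"(?i)^.*(/pma|/dbadmin|/phpMyAdmin).*$"


def parse_line(line):
    """Return a dict with ip/ts/method/path/status/size/day, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Day bucket, because the monitor resets its counter daily.
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return rec


def count_probes(lines, statuses=None):
    """Count admin-panel probes per (ip, day). statuses=None counts every response code;
    a set such as {"403", "404"} counts only those codes, mimicking a monitor that
    keys on failed responses."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PROBE_RE.search(rec["path"]):
            continue
        if statuses is not None and rec["status"] not in statuses:
            continue
        hits[(rec["ip"], rec["day"])] += 1
    return hits


def offenders(lines, statuses=None, threshold=BLOCK_THRESHOLD):
    """(ip, day) pairs whose probe count reached the threshold."""
    return {k: n for k, n in count_probes(lines, statuses).items() if n >= threshold}


def rule_matches(uri, pattern):
    """Does the given rule regex fire on this request URI?"""
    return re.search(pattern, uri) is not None


# Constructed sample log: 60 probes from one address in one evening, all answered
# with 301 (as in the thread), plus two ordinary requests from a second address.
PROBE_PATHS = [
    "/phpmyadmin4/index.php?lang=en",
    "/db/dbadmin/index.php?lang=en",
    "/mysql/pma/index.php?lang=en",
    "/phpMyAdmin2/index.php?lang=en",
]
UA = '"-" "Mozilla/5.0 (constructed)"'


def make_line(ip, second, path, status):
    return (f"{ip} - - [28/Sep/2022:22:42:{second:02d} +0800] "
            f'"GET {path} HTTP/1.1" {status} 519 {UA}')


SAMPLE_LOG = [make_line("203.0.113.10", i % 60, PROBE_PATHS[i % 4], 301) for i in range(60)]
SAMPLE_LOG += [
    make_line("198.51.100.7", 5, "/index.php", 200),
    make_line("198.51.100.7", 9, "/favicon.ico", 404),
]

if __name__ == "__main__":
    print("seen by a 403/404-only monitor:", offenders(SAMPLE_LOG, statuses={"403", "404"}))
    print("seen when every response counts:", offenders(SAMPLE_LOG))
    for path in PROBE_PATHS:
        print(f"{path:35} original={rule_matches(path, ORIGINAL_RULE_RX)!s:5} "
              f"case-insensitive={rule_matches(path, FIXED_RULE_RX)}")
```

Run it as a script to see that the 301-answered scan is invisible to a failure-code counter but trips the threshold when every probe is counted, and that the posted pattern misses the lowercase /phpmyadmin paths unless the regex is made case-insensitive.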
 