Fail2ban blocked a local IP address yesterday, which belongs to an ordinary workstation, because of failed “attempts against apache-auth”.
Httpd access logs show this.
Do those logs show that something is trying to steal my http provisioning credentials, and has someone else seen this GET /mnt/mtd/AVAST-HNS-SCAN-PROBE HTTP/1.1 before?
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:34 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - webadmin [08/Sep/2019:21:40:34 -0400] "GET / HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /etc/passwd HTTP/1.1" 401 477 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /language/Swedish${IFS}&&ping$IFS-c1$IFS-s41${IFS}10.1.10.119>/dev/null&&tar${IFS}/string.js HTTP/1.1" 404 384 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /language/Swedish${IFS}&&echo${IFS}AVAST-HNS-SCAN-PROBE>AVAST-HNS-SCAN-PROBE&&tar${IFS}/string.js HTTP/1.1" 404 389 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /mnt/mtd/AVAST-HNS-SCAN-PROBE HTTP/1.1" 404 302 "-" "-"
10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /etc/passwd HTTP/1.1" 404 284 "-" "-"
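
An added example, not part of the original post: a short Python triage of access-log lines like the ones above, separating 401 responses that carried a username from requests whose path contains shell syntax or asks for /etc/passwd. The `triage` function, the regexes and the list of suspicious tokens are assumptions of this example; the sample lines are copied from the excerpt above.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>.*) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Shell syntax that should not appear in a URL path (heuristic list, an assumption).
SHELL_RE = re.compile(r'\$\{?IFS\}?|&&|\|\||`|>')
SENSITIVE = ("/etc/passwd",)

def triage(lines):
    """Group lines per client: auth failures by user, shell-syntax paths, file probes."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format access-log line
        r = report.setdefault(
            m["host"], {"auth_fail": Counter(), "shell": [], "file_probe": []})
        if m["status"] == "401" and m["user"] != "-":
            r["auth_fail"][m["user"]] += 1   # credentials were sent and rejected
        if SHELL_RE.search(m["path"]):
            r["shell"].append(m["path"])     # command-injection style request
        if m["path"] in SENSITIVE:
            r["file_probe"].append((m["path"], m["status"]))
    return report

# Sample input: lines copied from the log excerpt in the post above.
SAMPLE = [
    r'10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"',
    r'10.1.10.119 - user [08/Sep/2019:21:40:33 -0400] "GET / HTTP/1.1" 401 477 "-" "-"',
    r'10.1.10.119 - webadmin [08/Sep/2019:21:40:34 -0400] "GET / HTTP/1.1" 401 477 "-" "-"',
    r'10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /etc/passwd HTTP/1.1" 401 477 "-" "-"',
    r'10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /language/Swedish${IFS}&&echo${IFS}AVAST-HNS-SCAN-PROBE>AVAST-HNS-SCAN-PROBE&&tar${IFS}/string.js HTTP/1.1" 404 389 "-" "-"',
    r'10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /mnt/mtd/AVAST-HNS-SCAN-PROBE HTTP/1.1" 404 302 "-" "-"',
    r'10.1.10.119 - - [08/Sep/2019:21:40:34 -0400] "GET /etc/passwd HTTP/1.1" 404 284 "-" "-"',
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE).items():
        print(host, dict(r["auth_fail"]), len(r["shell"]), r["file_probe"])
```

Splitting the lines this way shows which entries are rejected logins with a guessed username and which are path-based probes that never reached an authenticated handler.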