Hacking attempt, captured by Redmine's production log

On one test server, where Redmine is waiting to be configured with some plugins, just for testing purposes, and is sitting totally open on a US-based IP address, Redmine's production log captured a hacking attempt against common software like phpMyAdmin etc. Take a look.

During its operation, Redmine produces more or less detailed logs. Everything about logs is described in the book, so please buy the book so I can keep this blog up and running...

So, this article is short, and I'm making this Redmine production log fully available to be downloaded and analysed by anyone...

In this case Redmine runs on Puma behind Nginx acting as a reverse proxy (the config is further down). These are the relevant lines from production.log: two HEAD requests within the same second to /mysql/dbadmin/ and /phpMyAdmin/, the signature of an automated scanner looking for exposed database admin consoles rather than of anything aimed at Redmine itself. Note that both are logged as coming from 127.0.0.1, which is the proxy, not the client:

Started HEAD "/mysql/dbadmin/" for 127.0.0.1 at 2016-11-01 16:39:57 -0400
Started HEAD "/phpMyAdmin/" for 127.0.0.1 at 2016-11-01 16:39:57 -0400

To download this log file for review, click here!

To view the Nginx log file, see here: https://gist.github.com/acosonic/772971fee7b4b20c5ba3da7657a42430

If you are interested in my Nginx upstream to Puma, it looks like this:

upstream puma_redmine {
  # Puma listens on a Unix socket, so it never learns the client's address;
  # it reports 127.0.0.1 for every request, as seen in production.log above.
  server        unix:/home/redmine/redmine/tmp/sockets/redmine.sock fail_timeout=0;
  #server        127.0.0.1:3000; #dev mode
}

server {
  server_name   8.8.8.8;   # public address of the host (the one shown here is obviously a placeholder)
  listen        0.0.0.0:80;
  root          /home/redmine/redmine;

  # Access log and error log share one file. They have different line formats,
  # so anything that parses redmine.log has to skip the error_log entries.
  access_log    /var/log/nginx/redmine.log;   # no format given, so nginx's default "combined" format
  error_log     /var/log/nginx/redmine.log;

  location / {
    try_files $uri @ruby;   # serve existing static files directly, everything else goes to Puma
  }

  location @ruby {
    #proxy_set_header X-Forwarded-Proto https; # uncomment if you are on HTTPS
    proxy_set_header Host $http_host;
    # No X-Forwarded-For header is set here, which is why Redmine's log shows 127.0.0.1
    # instead of the client address; see the note below.
    proxy_redirect off;
    proxy_read_timeout 300;
    proxy_pass http://puma_redmine;
  }
}

Redmine runs on Puma behind Nginx, and the proxy config above passes no X-Forwarded-For header to the upstream, so Redmine's production.log only ever shows the loopback address 127.0.0.1. For future requests this is fixed by adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to the @ruby location; Rails takes the client address from that header, and trusting it is safe here because Puma is reachable only through the local socket, so nothing but Nginx can set it. For the requests already logged, the IP that actually performed the scan has to come from the Nginx access log instead:

cd /var/log/nginx
nano redmine.log

And there we find the following (excerpt):
Nginx security log
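Opening the access log in an editor and eyeballing it works for a short log, but not once the file has grown, and Nginx's error entries are mixed into the same file. As an added example, not part of the original post, the following Python script parses Nginx's default "combined" format, skips anything that is not an access line (such as error_log entries), flags client IPs that requested several known admin-console probe paths within a short window, and prints iptables rules for them. The log lines it runs on are constructed for the example (RFC 5737 documentation addresses), not taken from the real redmine.log; the probe-path list and the two-hits-in-five-minutes threshold are my own choices.

```python
"""Pull scanner IPs out of an nginx access log in the default "combined" format.

Added example for this post; the sample log lines below are constructed
(documentation addresses from RFC 5737), not taken from the real redmine.log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# URL prefixes (lower-cased) that no Redmine user ever requests: admin consoles
# of other software, the classic targets of mass scanners. Extend as needed.
PROBE_PREFIXES = (
    "/phpmyadmin", "/pma", "/myadmin", "/mysql", "/dbadmin", "/sqlmanager",
    "/admin/phpmyadmin", "/wp-login.php", "/wp-admin",
)

def parse_line(line):
    """Return a dict for an access-log line, or None for anything else
    (e.g. error_log lines when both logs share one file, as in the config above)."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_probe(path):
    """True if the request path starts with a known probe prefix (query string ignored)."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(prefix) for prefix in PROBE_PREFIXES)

def find_scanners(lines, min_probes=2, window=timedelta(minutes=5)):
    """Map IP -> list of probed paths for every client that requested at least
    `min_probes` probe paths within some `window`-long interval."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]].append((rec["time"], rec["path"]))
    scanners = {}
    for ip, events in hits.items():
        events.sort()
        for i in range(len(events)):
            # Count the hits that fall inside the window starting at event i.
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= min_probes:
                scanners[ip] = [path for _, path in events]
                break
    return scanners

def iptables_rules(scanners):
    """One DROP rule per scanner, ready to paste into a shell (or a fail2ban action)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(scanners)]

# Constructed sample: one scanner (203.0.113.45), one ordinary user who hits a
# probe path once (198.51.100.7), and an error_log line mixed into the same file.
SAMPLE_LOG = """\
203.0.113.45 - - [01/Nov/2016:16:39:57 -0400] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Nov/2016:16:39:57 -0400] "HEAD /phpMyAdmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Nov/2016:16:39:58 -0400] "HEAD /pma/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2016:16:40:12 -0400] "GET /projects HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2016/11/01 16:40:30 [error] 1234#0: *7 connect() to unix:/home/redmine/redmine/tmp/sockets/redmine.sock failed (111: Connection refused) while connecting to upstream, client: 198.51.100.7, server: 8.8.8.8, request: "GET /issues HTTP/1.1"
198.51.100.7 - - [01/Nov/2016:16:41:30 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 0 "-" "curl/7.47.0"
"""

if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG.splitlines())
    for ip, paths in found.items():
        print(f"{ip}: {len(paths)} probes -> {paths}")
    print("\n".join(iptables_rules(found)))
```

Against the real file, call `find_scanners(open("/var/log/nginx/redmine.log"))`; the window and threshold tune how eager the detection is, and a single unrelated hit on a probe path (the curl request in the sample) is deliberately not enough on its own. The generated rules are a one-off stopgap; fail2ban with a filter built from the same regex does the same thing continuously.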

Let's find out where this IP is from...

As expected, it's from China...

Hack address from China

The proper way to protect against such attacks would be to have infrastructure and tools like those in the image below:
Protecting servers from Chinese hackers

Ideally, a firewall smart enough to recognise such a scan would report it to its central database, and the other devices would immediately download the new rule, update their own databases and become immune to the same source.

Distribution of firewall rules and banned IPs in real time across Sophos UTM devices worldwide

Conclusion:

Never leave software like phpMyAdmin on an Internet-facing server, and if you are already using it, at least change its path from /phpMyAdmin to something else! Keep in mind that a renamed path only hides it from scanners like the one above; anyone who discovers the new path still gets the login page, so restrict it to known source addresses or put it behind additional authentication as well. On a Redmine host nothing answers on those paths at all, which is exactly the outcome you want; the scan is only a problem on hosts where something does.