From the logs on our server we see that plenty of requests come in to access upload.php (e.g.: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php), or plenty of variations of setup.php for phpMyAdmin.
These are 404 errors in the log, because we don't have these exact URLs; however, we would feel safer if we could deny all potential attacks of this type.
So I would like to deny every request which contains setup.php or upload.php on my Apache2 webserver.
We have several (hundreds of) VirtualHosts, and I would prefer not to write the directive to deny these filenames hundreds of times, in every VirtualHost.
Question: How can I do it globally on the server?
you can install your rewrite rules for upload.php and setup.php in a directory context defined at serverconfig level. This should check the requests no matter what the vhost is. the directory should match those applications' paths only, so you won't deny access to other scripts with the same name but installed within other applications.
however, this is... global. if you later want to install a phpmyadmin and set it up you will have to disable the filters above or add rewriteconds for the hosts you don't want to forbid access. same if you want to have a tinybrowser within a vhost.
that is, for allowing setup.php requests for vhost blah.com you should add
I'd say the best thing to do is to ignore the 404 log entries and make sure you have no exploitable phpmyadmin or tinybrowser installs on your server. use a cron script to make sure you don't have any setup.php's forgotten in docroots, if you do then chmod them to 0 or remove them. make another cron to make sure you aren't running any exploitable phpmyadmin/tinybrowser versions. same can be applied for a wider range of apps.
on the other hand, if logging those bogus requests bothers you then you can do some custom logging. to skip logging the bogus requests:
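The cron check suggested in the answer above (finding forgotten setup.php files in docroots and chmod-ing them to 0), as an added example that is not part of the original answer. The function name `audit_docroots`, the `LEFTOVER_NAME` variable and the docroot base path passed as an argument are assumptions.

```shell
#!/bin/sh
# Added example, not the answer author's code.
# Audits a tree of virtual-host document roots for leftover installer
# scripts and optionally removes all permissions from them.
# Assumption: every docroot lives below one base directory given as $1.

# File name to look for; setup.php is the one named in the answer.
LEFTOVER_NAME=${LEFTOVER_NAME:-setup.php}

# audit_docroots BASE [lock]
#   report mode (default): print each matching regular file.
#   lock mode: chmod each match to 000, then print it.
# Returns 1 when at least one file matched and 0 otherwise, so a cron
# wrapper can alert only when there is something to review.
audit_docroots() {
    base=$1
    mode=${2:-report}
    if [ "$mode" = lock ]; then
        # -print only fires for files where chmod succeeded
        hits=$(find "$base" -type f -name "$LEFTOVER_NAME" \
                   -exec chmod 000 {} \; -print 2>/dev/null | sort)
    else
        hits=$(find "$base" -type f -name "$LEFTOVER_NAME" \
                   -print 2>/dev/null | sort)
    fi
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use, e.g. from cron:  audit.sh /path/to/docroots lock
if [ $# -gt 0 ]; then
    audit_docroots "$@"
fi
```

Run it in report mode first: a setup.php that belongs to an application still being installed will also be listed, and lock mode makes it unreadable to the web server.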