LinuxQuestions.org: Linux - Security
I am a Linux newbie - so excuse me if this question seems simplistic although I believe it to be a problem.
I have been reviewing my Apache logs and for the last few weeks I have seen some unusual traffic in those logs. I am running Webalizer on those logs to produce usage graphs. In the section of Webalizer that shows "Top x of xx Total URLs" I see URLs that have nothing to do with my domain. In fact the Webalizer default is to show the top 30, and my domain's pages are nowhere to be seen. I see the top domain is log icq com with 593,000 hits! The other domains listed are all foreign to me as well.
This server is just a test/development server that I test code on at my house. It is attached to the Internet via a cable modem and is (supposed to be at least) behind a firewall.
What can cause these log entries? Am I somehow on the Internet in a configuration that I shouldn't be? Please - any advice would be most appreciated.
Could you post some of the entries as well as any pertinent info like: What distro/version are you using, Apache version, any modifications to the default Apache conf file, any content (images) on your site that someone would want to "borrow", etc?
--EDIT---
Make sure to remove/mask any identifiable IPs from the log files before posting
Last edited by Capt_Caveman; 04-15-2004 at 02:41 PM.
I am running Red Hat 9 - fully patched (as far as the Red Hat up2date utility is concerned).
Apache version - httpd-2.0.40-21.9. (Link to Webalizer output.)
This shows some of the most used log entries via webalizer. As you can see these are not my domains.
As I mentioned earlier this is a test/development machine at home via a cable modem connection. The only content are some family photos.
I also see LOTS of traffic coming across my cable modem. I installed a free sniffer last night and plugged it in behind my firewall, turned off all the other machines in the house and sniffed lots of packets. Mostly porn stuff.
Any ideas - is my firewall somehow messed up and letting everything through? Or am I reaching with that explanation?
On your box or router: log and drop all inbound access to the box except for "known good" addresses. Then review your setup to make sure your Apache doesn't proxy requests.
Thanks - the problem was that Apache was setup to accept proxy requests. This was the default behavior because I didn't change it although from what I have read the default is supposed to be OFF not ON.
I changed it to off and that stops the server from acting as a proxy. The next problem is to stop traffic at the firewall level for anyone trying to use it as a proxy.
I want to allow port 80 through (my firewall is another box) if intended for my server but, per your suggestion, stop it at the firewall if someone is trying to use me as a proxy. I am unsure how to write the firewall rule to stop that though.
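Added example (editor's code, not something posted in the thread): a scan of an Apache access log for requests that tried to use the server as a proxy. Apache writes the raw request line to the log, so a proxied request carries an absolute URI (`GET http://log.icq.com/... HTTP/1.0`) or a CONNECT tunnel request where a normal request has only a path; that is what Webalizer was counting as foreign "URLs". It also answers the firewall question in the post above as far as it can be answered: a proxy request arrives on the same TCP port 80 as a legitimate one and differs only in that request line, so a port or address rule on the firewall box cannot separate the two, and the refusal has to come from Apache itself (ProxyRequests Off, or an explicit <Proxy *> deny). The log lines, hostnames and client addresses below are constructed for illustration.

```python
"""Spot forward-proxy abuse in an Apache access log (added example).

A normal request line logged by Apache:   "GET /photos/index.html HTTP/1.1"
A request that uses the server as a proxy: "GET http://log.icq.com/counter.gif HTTP/1.0"
A tunnel request through the server:       "CONNECT mail.example.net:25 HTTP/1.0"
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Combined Log Format; addresses are documentation
# ranges and hostnames are illustrative, not data from the poster's box.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2004:03:12:01 -0500] "GET /photos/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2004:03:12:04 -0500] "GET http://log.icq.com/counter.gif HTTP/1.0" 200 43 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Apr/2004:03:12:05 -0500] "GET http://log.icq.com/counter.gif HTTP/1.0" 200 43 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Apr/2004:03:12:09 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"
10.0.0.5 - - [10/Apr/2004:03:12:11 -0500] "GET /photos/dog.jpg HTTP/1.1" 304 - "-" "Mozilla/4.0"
192.0.2.44 - - [10/Apr/2004:03:13:00 -0500] "GET http://www.example.org/ HTTP/1.0" 403 312 "-" "Wget/1.8"
"""

# client  ident  user  [time]  "request"  status  bytes ...   (rest ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}|-) '
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    if len(parts) < 2:                 # empty ("-") or malformed request line
        return None
    status = m.group("status")
    return {
        "ip": m.group("ip"),
        "method": parts[0].upper(),
        "target": parts[1],
        "status": int(status) if status.isdigit() else 0,
    }

def classify(method, target):
    """'connect' for tunnel requests, 'forward' for absolute-URI requests,
    'local' for ordinary requests aimed at this server."""
    if method == "CONNECT":
        return "connect"
    u = urlsplit(target)
    if u.scheme in ("http", "https", "ftp") and u.netloc:
        return "forward"
    return "local"

def proxy_hits(log_text):
    """Every request that tried to use the server as a proxy."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["method"], rec["target"])
        if kind == "local":
            continue
        host = rec["target"] if kind == "connect" else urlsplit(rec["target"]).netloc
        rec.update(kind=kind, host=host.rsplit(":", 1)[0].lower())
        hits.append(rec)
    return hits

def summarize(hits):
    """Counts a responder wants: how many, from whom, to where, and how many
    Apache refused (403, or 407 proxy-auth). Before ProxyRequests Off was
    set, a 200 on an absolute-URI request meant the request was relayed."""
    return {
        "total": len(hits),
        "refused": sum(1 for h in hits if h["status"] in (403, 407)),
        "by_host": Counter(h["host"] for h in hits),
        "by_client": Counter(h["ip"] for h in hits),
    }

if __name__ == "__main__":
    report = summarize(proxy_hits(SAMPLE_LOG))
    print(f'{report["total"]} proxy-style requests, {report["refused"]} refused')
    for host, n in report["by_host"].most_common():
        print(f"  {n:6d}  {host}")
    for ip, n in report["by_client"].most_common():
        print(f"  {n:6d}  from {ip}")
```

Run it over the real log with `proxy_hits(open("/var/log/httpd/access_log").read())`. To confirm the fix from outside once httpd has been restarted, point a client at the server as an HTTP proxy (for example `curl -x yourhost:80 http://www.example.org/`): the response should be your own server's content or error page for that path, never the remote site's page.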
Quote: Thanks - the problem was that Apache was setup to accept proxy requests. This was the default behavior because I didn't change it although from what I have read the default is supposed to be OFF not ON.
OK, how do you adjust that? I'm running the same RH9 and the default Apache. If this is the case, then I want to disable this feature before I move the DNS records over to my server.
This is what I did:
I changed the httpd.conf file.
(vi /etc/httpd/conf/httpd.conf)
I made sure the following lines looked like this:
ProxyRequests Off
ProxyBlock *
So my entire proxy section looks like this:
Code:
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyBlock *
# ProxyRequests Off is the setting that stops forward proxying. ProxyBlock only
# applies to requests mod_proxy would actually relay, so it is belt-and-braces here.
# <Directory proxy:*>
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
# </Directory>
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
#</Proxy>
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
ProxyVia Block
#
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#
#CacheRoot "/etc/httpd/proxy"
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a-domain.com another-domain.edu joes.garage-sale.com
# Closes the <IfModule mod_proxy.c> block opened above; without it the
# configuration check fails and httpd will not start.
</IfModule>
Was it actually set to On before? Or was it set to On but commented out like this:
Code:
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Proxy>
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On
The default Red Hat httpd.conf should look like the above (at least for the standard Apache included with RH 8+), with the default being that proxying is off. I'm saying this because if you didn't modify it, then something abnormal is going on.
Capt,
I guess anything is possible. I tracked through logs that the first time I was used as a proxy was in October 2003. It is possible I activated it without knowing its purpose. I have bumbled around Linux for some time now and I haven't logged what I have done.
I think it's safe to modify my root password. I assume root is the only one that can modify that config file? Let me know if I am incorrect about that.
Quote: I think it's safe to modify my root password. I assume root is the only one that can modify that config file? Let me know if I am incorrect about that.
Yes, root should be the only one that can modify it.
Just to be on the side of caution, I would go through and make sure that nothing else appears abnormal: take a look at the /etc/passwd file to see if you see any odd looking users or users besides root with a UID of 0, verify the RPMs (use rpm -Va), as well as look for any other anomalies. You might want to take a look at the CERT intrusion detection checklist for guidelines. You don't need to be overly paranoid, just thorough if you are unsure of how the modification occurred.
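Added example (editor's code, not from the thread) for the two checks above: it reads /etc/passwd-style text for extra UID 0 accounts and for accounts with an empty password field, and it sifts `rpm -Va` output so that config files you edited yourself (the 'c' class, which is where httpd.conf lands) are set aside and changed or missing binaries stand out. The passwd lines and rpm output below are constructed samples.

```python
"""Triage helpers for /etc/passwd and `rpm -Va` output (added example).

rpm -Va prints one line per file that fails verification, e.g.
    S.5....T c /etc/httpd/conf/httpd.conf
Column 1 has one flag per test (S size, M mode, 5 MD5 digest, D device,
L symlink, U user, G group, T mtime, P capabilities on newer rpm; '.' means
the test passed, '?' that it could not be run), column 2 is the optional
file class ('c' = config file), then the path. A config file with changed
contents is normal after editing it; a non-config file with a changed
digest or size is what a replaced /bin/ls or /usr/bin/passwd looks like.
"""
import re

# Constructed sample data, not from the poster's machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
toor:x:0:0::/:/bin/bash
guest::501:501::/home/guest:/bin/bash
"""

SAMPLE_RPM_VERIFY = """\
S.5....T c /etc/httpd/conf/httpd.conf
.......T   /usr/share/doc/zlib-1.1.4/README
S.5....T   /bin/ls
.M......   /usr/bin/passwd
missing    /usr/sbin/lsof
..5....T c /etc/sysconfig/iptables
"""

def account_anomalies(passwd_text):
    """Accounts that share UID 0 with root, and accounts whose password
    field is empty (no password at all, not even an 'x' pointing at shadow)."""
    uid0, nopasswd = [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:            # blank or malformed line
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            uid0.append(name)
        if pw == "":
            nopasswd.append(name)
    return {"uid0": uid0, "nopasswd": nopasswd}

VERIFY_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)

def suspicious_rpm_entries(verify_text):
    """(path, reason) pairs for rpm -Va lines that an intruder, rather than
    an administrator editing config files, would most plausibly have caused."""
    findings = []
    for line in verify_text.splitlines():
        m = VERIFY_RE.match(line.rstrip())
        if not m:
            continue
        flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
        if flags == "missing":
            findings.append((path, "file missing"))
            continue
        reasons = []
        if attr != "c" and ("5" in flags or "S" in flags):
            reasons.append("contents changed on a non-config file")
        if any(f in flags for f in "MUG"):
            reasons.append("mode or ownership changed")
        if "L" in flags:
            reasons.append("symlink target changed")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    # On a live box feed in open("/etc/passwd").read() and the stdout of `rpm -Va`.
    print(account_anomalies(SAMPLE_PASSWD))
    for path, why in suspicious_rpm_entries(SAMPLE_RPM_VERIFY):
        print(f"{path}: {why}")
```

One caveat: rpm -Va trusts the local RPM database and the rpm binary itself, both of which an intruder with root can alter, so a clean run is weak evidence on a box you already suspect. For a stronger check, verify against the original package files with `rpm -Vp` or examine the disk from a system booted off trusted media. Lines that show only a T (mtime) difference are usually noise.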
Capt,
Thanks a bunch. I didn't know such a checklist existed. That was great to know it was out there. I'll start digging through my system to see if I can find any other anomalies.
I hope I did this to myself without knowing better.
Quote: Originally posted by mdavis
Capt,
Thanks a bunch. I didn't know such a checklist existed. That was great to know it was out there. I'll start digging through my system to see if I can find any other anomalies.
I hope I did this to myself without knowing better.
Thanks again,
Michael
Take a look at unSpawn's security references thread at the top of the security forum. There is an entire section of links there regarding intrusions.