LinuxQuestions.org


crazyivan 05-23-2008 03:43 AM

Apache server being probed for possible vulnerabilities
 
Crew,

Every morning I start my day browsing the logs of my server. Mainly by just reading the summary sent by logwatch. If anything there concerns me I'll do a broader browse/search.

Something I encounter almost every morning are the traces of someone bored looking for certain software on my server. phpMyAdmin is a good example.

Code:

      ...
      /phpMyAdmin-2.2.0-pl1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.0-pl2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.0-pl3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.0-rc1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.0-rc2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.0-rc3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.0/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.1-pl1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.1-pl2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.1-pl3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.1-rc1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.1-rc2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.1-rc3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.2-pl1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.2-pl2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.2-pl3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.2-rc1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.2-rc2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.2-rc3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3-pl1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3-pl2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3-pl3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3-rc1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3-rc2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3-rc3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.4-pl1/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.4-pl2/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.4-pl3/main.phpmain.php: 1 Time(s)
      /phpMyAdmin-2.2.4-rc1/main.phpmain.php: 1 Time(s)
      ...

All these requests generate a 400 Bad Request within Apache.

For me it is obvious these people trying to discover what software I have installed do not have the right intentions. Can I automatically grey- or blacklist these requests?

I'm aware there are packages available like snort, tripwire and others but that is somewhat like prescribing prednisone for a simple cold.

Any help is appreciated!

unSpawn 05-23-2008 06:47 AM

Quote:

Originally Posted by crazyivan (Post 3162160)
I'm aware there are packages available like snort, tripwire and others but that is somewhat like prescribing prednisone for a simple cold.

With all due respect I suggest you read up on and familiarise yourself with those tools before having an opinion like that.


Quote:

Originally Posted by crazyivan (Post 3162160)
Can I automatically grey- or blacklist these requests?

Apart from those requests not accomplishing anything (being blocked already) you should be careful about blocking without logging because then you lose all indication of perceived bad or hostile activity, and blocking without logging may also impede troubleshooting. First making sure your webserver and hosted applications are up to date, secured and hardened goes without saying. That said the system allows you to log and block at different levels, depending on whatever your requirements are. In general I think it is preferable to restrict access as soon as possible but be careful about performance implications, spoofing attacks and what criteria you block on and not rely on a single application or method but a combination of.

First one up is Snort for the simple reason it's way down the stack, specialises in logging anomalies and attacks and has blocking capabilities through third party utilities like Guardian which does "aging" and can hand off blocking to iptables, route and whatever you can script. One level up it's Netfilter with modules (search some listings) like "recent" and "tarpit". Applying "aging", it's more used with general criteria for blocking like rate because using signature matching *will* have performance implications. Finally for the webserver itself you should have mod_security running anyway and a choice of tools like mod_evasive, one of the log-reading ssh-blocking tools (some work for anything they can read logs from) or the apachesecurity tools.
That's about it, anything I forgot I hope somebody else will chip in or correct me on.
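
An added example, not part of any post in this thread: a minimal log-reading detector of the kind described above, which flags a client by rate of distinct failing requests (not by signature), records when it was flagged, and ages the entry out. The window, threshold, ban age, function names and sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

WINDOW = timedelta(seconds=60)    # assumed look-back window
THRESHOLD = 5                     # assumed: distinct 4xx requests per window
BAN_AGE = timedelta(minutes=10)   # assumed "aging": entry expires after this

def find_probers(lines):
    """Return {ip: (flagged_at, expires_at)} for clients whose distinct
    4xx requests reach THRESHOLD within WINDOW. Nothing is blocked here;
    the result is meant to be logged and handed to a firewall script."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, request)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("4"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append((ts, m["req"]))
        while hits and ts - hits[0][0] > WINDOW:   # drop hits outside the window
            hits.popleft()
        if len({req for _, req in hits}) >= THRESHOLD and m["ip"] not in flagged:
            flagged[m["ip"]] = (ts, ts + BAN_AGE)
    return flagged

def active_at(flagged, now):
    """Apply aging: only entries that have not yet expired remain candidates."""
    return sorted(ip for ip, (_, exp) in flagged.items() if now < exp)

# Constructed sample log: 192.0.2.10 walks versioned phpMyAdmin paths,
# 198.51.100.7 is an ordinary visitor with a single 404.
SAMPLE = [
    f'192.0.2.10 - - [23/May/2008:03:10:{i:02d} -0500] '
    f'"GET /phpMyAdmin-2.2.{i}/main.php HTTP/1.0" 400 226'
    for i in range(6)
] + [
    '198.51.100.7 - - [23/May/2008:03:10:30 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/May/2008:03:10:31 -0500] "GET /favicon.ico HTTP/1.1" 404 209',
]
```

Because a single 404 from a normal visitor never reaches the threshold and flagged entries expire, the list stays short and every decision leaves a timestamped record before anything is handed to iptables.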

unixfool 05-24-2008 12:04 AM

Open source web application firewall

unSpawn 05-24-2008 06:19 AM

No, I *did* mention mod_security, but I forgot to add about proxy (reverse).

unixfool 05-24-2008 02:46 PM

Sorry about that...that's what I get for reading and posting at so late an hour. :)

Yeah, the reverse proxy functionality appears to be relatively recent.


All times are GMT -5.