Apache server being probed for possible vulnerabilities
Every morning I start my day browsing the logs of my server. Mainly by just reading the summary sent by logwatch. If anything there concerns me I'll do a broader browse/search.
Something I encounter almost every morning are the traces of someone bored looking for certain software on my server. phpMyAdmin is a good example.
All these requests generate a 400 Bad Request within Apache.
For me it is obvious these people trying to discover what software I have installed do not have the right intentions. Can I automatically grey- or blacklist these requests?
I'm aware there are packages available like snort, tripwire and others but that is somewhat like prescribing prednisone for a simple cold.
Quote:
Originally Posted by crazyivan
I'm aware there are packages available like snort, tripwire and others but that is somewhat like prescribing prednisone for a simple cold.
With all due respect I suggest you read up on and familiarise yourself with those tools before having an opinion like that.
Quote:
Originally Posted by crazyivan
Can I automatically grey- or blacklist these requests?
Apart from those requests not accomplishing anything (being blocked already) you should be careful about blocking without logging because then you lose all indication of perceived bad or hostile activity, and blocking without logging may also impede troubleshooting. First making sure your webserver and hosted applications are up to date, secured and hardened goes without saying. That said the system allows you to log and block at different levels, depending on whatever your requirements are. In general I think it is preferable to restrict access as soon as possible but be careful about performance implications, spoofing attacks and what criteria you block on, and not rely on a single application or method but on a combination of them.
First one up is Snort for the simple reason it's way down the stack, specialises in logging anomalies and attacks and has blocking capabilities through third party utilities like Guardian which does "aging" and can hand off blocking to iptables, route and whatever you can script. One level up it's Netfilter with modules (search some listings) like "recent" and "tarpit". Applying "aging", it's more used with general criteria for blocking like rate because using signature matching *will* have performance implications. Finally for the webserver itself you should have mod_security running anyway and a choice of tools like mod_evasive, one of the log-reading ssh-blocking tools (some work for anything they can read logs from) or the apachesecurity tools.
That's about it, anything I forgot I hope somebody else will chip in or correct me on.
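As an added example for this thread (not code from either post, nor from Snort, Guardian, mod_security or mod_evasive): a small Python scanner that does the log-reading part of the job the reply describes. It parses Apache combined-format log lines, flags a client once it has sent a threshold of rejected (4xx) requests for software the server does not host inside a short window, ages flagged addresses out after a TTL, and emits iptables rules that LOG before they DROP so the evidence the reply warns about losing is kept. The sample log lines, the probe path list, the thresholds, the "current time" and the PROBEBLOCK chain name are all constructed assumptions for illustration; adjust them from your own logwatch summary before using anything like this.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Paths that only make sense on a host running that software. Hypothetical list;
# extend it from what your own logs show being probed.
PROBE_PATHS = ("/phpmyadmin", "/pma", "/myadmin", "/wp-login.php", "/xmlrpc.php")

# Constructed sample input (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:06:01:12 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 400 226 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:06:01:13 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 400 226 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:06:01:14 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 400 226 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:06:02:40 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:06:02:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Mar/2024:23:59:00 +0000] "GET /phpMyAdmin/ HTTP/1.1" 400 226 "-" "curl/7.68.0"
192.0.2.9 - - [09/Mar/2024:23:59:01 +0000] "GET /pma/ HTTP/1.1" 400 226 "-" "curl/7.68.0"
192.0.2.9 - - [09/Mar/2024:23:59:02 +0000] "GET /myadmin/ HTTP/1.1" 400 226 "-" "curl/7.68.0"
"""

# Constructed "now" so the aging below is reproducible.
SAMPLE_NOW = datetime(2024, 3, 10, 6, 10, tzinfo=timezone.utc)


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split()
    path = parts[1] if len(parts) >= 2 else ""  # a 400 may carry a malformed or empty request line
    return m.group("ip"), ts, path, int(m.group("status"))


def is_probe(path, status):
    """A probe: a request for software we do not host that the server rejected (4xx)."""
    p = path.lower().split("?", 1)[0]
    return status >= 400 and any(p.startswith(sig) for sig in PROBE_PATHS)


def flag_clients(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: last_seen} for clients with >= threshold probes inside any `window`."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if is_probe(path, status):
            hits.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = stamps[-1]
                break
    return flagged


def blocklist(flagged, now, ttl=timedelta(hours=24)):
    """Aging: keep an address only while its most recent probe is younger than ttl."""
    return sorted(ip for ip, last in flagged.items() if now - last < ttl)


def iptables_commands(ips, chain="PROBEBLOCK"):
    """Rules for a dedicated chain: LOG first, then DROP, so blocked probes stay visible.
    The first two commands create and hook the chain and are only needed once."""
    cmds = [f"iptables -N {chain}", f"iptables -A INPUT -p tcp --dport 80 -j {chain}"]
    for ip in ips:
        cmds.append(f'iptables -A {chain} -s {ip} -j LOG --log-prefix "probe-block: "')
        cmds.append(f"iptables -A {chain} -s {ip} -j DROP")
    return cmds


def demo(ttl_hours=24):
    """Run the whole pipeline over the constructed sample and return the aged blocklist."""
    flagged = flag_clients(SAMPLE_LOG.splitlines())
    return blocklist(flagged, SAMPLE_NOW, timedelta(hours=ttl_hours))


if __name__ == "__main__":
    for cmd in iptables_commands(demo()):
        print(cmd)
```

On the sample, 203.0.113.7 and 192.0.2.9 each send three probes within seconds and are flagged, while 198.51.100.4 sends a single stray /phpmyadmin/ request and is not; with a 6 hour TTL only 203.0.113.7 remains blocked because the other scan happened the previous night. The script only prints the rules rather than applying them, which leaves you free to feed the addresses to whatever blocking layer you have settled on (the Netfilter "recent" module mentioned above can do the aging in the kernel instead of here).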