Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
[Wed Mar 08 11:11:42 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/mambo
[Wed Mar 08 11:11:43 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs
[Wed Mar 08 11:11:44 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/articles
[Wed Mar 08 11:11:46 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs
[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:11:49 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blog
[Wed Mar 08 11:11:50 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blog
[Wed Mar 08 11:11:52 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blogs
[Wed Mar 08 11:11:53 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/drupal
[Wed Mar 08 11:11:57 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/phpgroupware
[Wed Mar 08 11:11:58 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/wordpress
[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:12:01 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/xmlrpc
[Wed Mar 08 11:12:02 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/xmlsrv
This is not the first time... others did the same... so I'm wondering if there is a way to block an IP if he issued certain commands? I can add this IP to my blocking list, but I want it to be done automatically. Is this possible?
I've been using sshblack to block similar sorts of nonsense based on my Apache error_log. You just have to have it look at the proper log file and tell it which text strings to watch for. Works great.
The thing that scares me with utils like that is the possibility an attacker will spoof one of your own IPs. I imagine having the web server block the IP of, say, your database server would be a bad thing. A little proggy like that makes it all too easy.
I agree that is a possibility, but it strikes me as an extremely remote possibility. The vast majority of the junk I see in my Apache and ssh logs is likely to be either zombies automatically looking for new machines to infect or dipstick script kiddies with no clue on how to spoof an IP address. I've never seen anyone attempt to use this against me, and even if they did, recovery would simply involve dropping a rule from iptables.
I think nowadays with the Linux kernel it's not so easy to blind spoof. I guess this tool reacts on the data part.(*) So if it is HTTP/SSH/... any TCP-based protocol, he will need to do the 3-way handshake, and spoofing this is not that easy for the average Joe.
If it is to block UDP then it's a bad idea; it can turn against yourself.
(*)
If the tool blocks on an excessive amount of SYNs (for example), which is only the first phase of the 3-way handshake (and that is by definition "trivial" to spoof), then you are in trouble.
edit:
Anyway, your firewall SHOULD block incoming connections that have source IP = internal machine (database server). For this kind of architecture (database/webserver) there are a lot more things to do, like a DMZ, a reverse proxy, two firewalls.
Is it possible to configure these programs to never block certain IP addresses (such as your administrative IP address)?
Actually yes. SSHblack has a whitelist function and you simply add IP addresses that you never want blocked to that list. I completely spaced about this function in my earlier posts, but it does prevent someone from pulling the stunt Crito pointed out.
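A minimal log-driven blocker of the kind sshblack provides, added here as an example (it is not sshblack's code or anything posted in this thread): it matches the probe signatures from the error_log excerpt above, counts hits per client inside a time window, skips a whitelist so an admin host or the database server is never blocked, and returns the addresses to drop. The whitelist networks, the five-hit/60-second threshold and the 192.0.2.10 entries are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache error_log entries as posted above; the xmlrpc.php ones have no timestamp, so that prefix is optional.
LINE_RE = re.compile(r"^(?:\[(?P<ts>[^\]]+)\] \[error\] )?\[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
NOT_FOUND = ("File does not exist", "not found or unable to stat")
# Probe signatures: the paths the scanner requested in the OP's excerpt.
PROBE_PATH = re.compile(r"/(?:mambo|cvs|articles|xmlrpc|xmlsrv|blogs?|drupal|phpgroupware|wordpress)(?:\.php)?\b")
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]  # constructed: never block these

def parse_probe(line, last_ts):
    """(ip, timestamp) if the line is a probe hit, else None."""
    m = LINE_RE.match(line)
    if not m or not any(s in m.group("msg") for s in NOT_FOUND) \
            or not PROBE_PATH.search(m.group("msg")):
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT) if m.group("ts") else last_ts
    return m.group("ip"), ts

def decide_blocks(lines, threshold=5, window=timedelta(seconds=60)):
    """IPs that made >= threshold probe hits inside one window, in block order."""
    recent = defaultdict(deque)          # ip -> timestamps of hits still inside the window
    blocked, last_ts = [], datetime.min  # timestamp-less entries inherit the previous one
    for line in lines:
        hit = parse_probe(line, last_ts)
        if hit is None:
            continue
        ip, last_ts = hit
        if ip in blocked or any(ip_address(ip) in net for net in WHITELIST):
            continue                     # never count, let alone block, a whitelisted source
        q = recent[ip]
        q.append(last_ts)
        while last_ts - q[0] > window:   # expire hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked.append(ip)
    return blocked

# Five entries from the OP's excerpt plus constructed hits from a whitelisted host.
SAMPLE_LOG = [
    "[Wed Mar 08 11:11:42 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/mambo",
    "[Wed Mar 08 11:11:43 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs",
    "[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat",
    "[Wed Mar 08 11:11:49 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blog",
    "[Wed Mar 08 11:11:53 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/drupal",
] + ["[Wed Mar 08 11:12:05 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/wordpress"] * 5
```

A wrapper tailing error_log would feed each returned address to `iptables -I INPUT -s <ip> -j DROP` and, as sshblack does, remove the rule again after a while rather than keep it forever.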
You may also try the iptables recent module and add some rules to slow down a lot of those auto scripts: after a certain number of connection attempts the IP address is added to a list for a certain amount of time before being allowed to connect again. This is good because if they spoof a critical IP address it won't kill anything. Try some rules like:
# Evaluated second (the next -I pushes it down): record the source in the "webprobe" list and accept the new connection
iptables -I INPUT -p tcp -i eth0 -m multiport --dport 80,443 -m state --state NEW -m recent --name webprobe --set -j ACCEPT
# Inserted at the top, so evaluated first: once the list already holds 3 hits from this source within the last 60 seconds, further new connections are dropped (--rttl also requires the TTL to match the recorded one)
iptables -I INPUT -p tcp -i eth0 -m multiport --dport 80,443 -m state --state NEW -m recent --name webprobe --update --seconds 60 --hitcount 3 --rttl -j DROP
Thanks... I think someone in the past made a patch similar to this (reported in his blog) and we were supposed to patch iptables first. Do you mean this module became standard now? And if so, in which version?
Thanks for the tip. Where can I find more info about this?