LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-01-2006, 05:21 PM   #1
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 141

Rep: Reputation: 15
Entries in hosts.deny file


I'm running Apache on a Debian Sarge server. Every day I check the log files and I see people trying to open directories I don't have in my web path. I take their IPs and add them to my hosts.deny file.

How much can this slow down your system? I have several entries in my hosts.deny file and they're growing almost daily. How much of a problem does this pose?

Thanks for any input you can offer.
 
Old 05-01-2006, 06:08 PM   #2
Emerson
Senior Member
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~
Posts: 3,177

Rep: Reputation: Disabled
I wouldn't bother loading up hosts.deny like that. You cannot kill every mosquito, can you?
 
Old 05-01-2006, 06:18 PM   #3
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 141

Original Poster
Rep: Reputation: 15
Can't swat every fly, but.

True, and I've wondered how futile is it to do this. But I really hate it when people try to get in and illegally mine data. It really gets to me. So putting their IPs in hosts.deny at least keeps them from coming back.

Do you recommend something else? I'm open to ideas. What's happening is I see in my apache2/error.log enteries like "<host IP> /www/php/sumthin.php 404 ...." and there will be dozens of attempts from the same IP. I'll take the IP and enter it into hosts.deny and they don't come back.

Is there a better way (there has to be!)

Thanks
 
Old 05-01-2006, 06:49 PM   #4
Emerson
Senior Member
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~
Posts: 3,177

Rep: Reputation: Disabled
Well, there is a method to add temporary rules to the firewall if there are to many failed attempts to log in. Won't work with a web server though, legit clients can make multiple requests too. I'd recommend you better get used to this. I was worried too when I saw the auth.log of my first server. Looong lists of dictionary hackers, daily. Now I don't care. I know they cannot get in and this is all that matters.
 
Old 05-01-2006, 06:57 PM   #5
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 141

Original Poster
Rep: Reputation: 15
auth.log files are okay

My auth.log files are okay. I run a program called authfail that automatically logs 3 failed attempts and adds them to iptables to drop their connection. It works great and keeps people out. I highly recommend it.

What concerns me are attacks on my web server. I've had it attacked and broken into twice in 2003 and I'm kinda paranoid about it. Anything I can do to keep them bastards out I will. When I trace down some of the IPs I notice that some are coming from .ro and I know no one legit is looking at my web server from there!

I just wanted to make sure I wasn't bulking down my server by having too many entries in hosts.deny. I am noticing less and less entries in my logs; it must be working to some degree.

Check out authfail -- it's almost perfectly automatic.
 
Old 05-01-2006, 11:17 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Note that Apache does not have support for host.deny (libwrap/tcp_wrappers) by default, so using it for access control does nothing. If you want to ban them use iptables or Apache's built-in access control features.

Adding huge numbers of hosts to iptables or hosts.deny will eventually slow the system down, so trying to ban IPs for random scanning is a lost cause IMHO. Save bannination for persistant abusers and spend the time hardening your system against exploitation and making sure it's updated with security patches.
 
Old 05-02-2006, 01:30 AM   #7
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 141

Original Poster
Rep: Reputation: 15
That answered my question

So using hosts.deny doesn't stop them from accessing Apache, so using it was futile anyway. And as you said, it will eventually slow the system down. That's what I wanted to know.

Looks like you're right -- there are other ways to police the system. Thanks to all for your thoughts.
 
Old 05-02-2006, 04:46 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by kuriharu
So using hosts.deny doesn't stop them from accessing Apache, so using it was futile anyway.
That's correct.

Take a look at mod_security if you are interested in implementing a little more preventative security measures for Apache. Creating custom filters to block typical PHP and XML-RPC scans that are common isn't very difficult and you can even create filters to block 0-day exploits that attempt code injection (like URLs containing the string "wget" or "/tmp").
 
Old 05-02-2006, 04:52 PM   #9
tensigh
Member
 
Registered: Mar 2004
Location: Tokyo, Japan
Distribution: Backtrack 5 R3
Posts: 141

Original Poster
Rep: Reputation: 15
Thanks for the tip.

I'm always interested in new security techniques. I'll check out ModSecurity. Thanks!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
/etc/hosts and hosts.deny question ilan1 Linux - Networking 4 03-04-2006 05:28 PM
hosts.allow & hosts.deny question... jonc Linux - Security 9 03-05-2005 09:41 PM
Hosts file unknown entries rabeea General 8 12-08-2004 01:21 PM
Adding shell commands to hosts.deny and hosts.allow ridertech Linux - Security 3 12-29-2003 03:52 PM
SSH hosts.deny file WoodyH Linux - Security 1 10-11-2003 07:44 AM


All times are GMT -5. The time now is 12:54 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration