LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-05-2005, 05:41 PM   #1
Nicos
LQ Newbie
 
Registered: Jan 2005
Location: Ontario, Canada
Distribution: Ubuntu
Posts: 2

Rep: Reputation: 0
Here are my settings. How secure am I?


Hello. I am a new member in this group, so forgive any faux pas for now, please.

Although I am not new to Linux, I would say I am new to this system administration thing. What I want with this letter is to verify that I have taken all the security steps that I could, and to get any response on something that I have missed (or misunderstood). This message may end up being long, sorry about that, but I have seen really long messages posted here, so I think this will pass.

I have a home network of a few computers running Windows (XP or 2000) and one running Linux, for which I allow access from the outside world. The way I did so was to set my router NAT to forward traffic on ports 22 (SSH v3.5p1) and 80 (HTTP) to that Linux computer. A test I did through 'Shields UP' confirmed that only those ports were open.

Initially, I had SSH pretty open. However, after noticing in my log files a number of attempts using various usernames, I modified my /etc/hosts.allow and /etc/hosts.deny files to narrow down permitted sites; this way I eliminated most of the attacking sites. I went one step further and modified my sshd_config file to allow specific users only. I use non-standard names and of course no root, guest, and the like.

For the HTTP service, I managed to create some subdirectories for which a specific userid/passwd and/or specific IP is required, and I think it works pretty well; not highly sensitive material, mind you. I was similarly successful at creating a couple of virtual web sites.

Now, for security: I get one or two SSH attempts per day, but the connection is dropped, as it should be. However, for HTTP I get a lot of the following messages in my log file. These look like whoever sends these commands is trying to get something from a Windows computer (apparently I am safe from them (?)):

xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:26 -0500] "GET scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:29 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:35 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:38 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"

The ones where I do not know what happens, and which worry me a bit, are commands like the following:

xxx.xxx.xxx.xxx - - [05/Feb/2005:04:20:37 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX……XXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd 3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

and watch this:

xxx.xxx.xxx.xxx - - [04/Feb/2005:13:21:25 -0500] "CONNECT smtp.xxx.xx:25 HTTP/1.0" 302 272 -" "-"

With this one, someone from one point of the world tried to enter a mail service in another.


A regular connection to my site looks like this in my log file:
xxx.xxx.xxx.xxx - - [05/Feb/2005:19:15:04 -0500] "GET / HTTP/1.1" 304 0

Both of the above have one entry only in my access_log file and nothing in the error_log. I do not know whether they were successful in what they tried to do. How could I know? Is there something (a script, or a service like Shields UP) that I could try myself on my site?

(By the way, in my HTTP config file I have the ProxyRequests On line commented out (it should be off by default). If I understand correctly, this should have rejected the CONNECT command above.)

I think that's all for now. Thanks in advance for your responses.

Nicos

PS. My Sygate firewall (on the XP) does not allow me to post this message to this site. It says "Code Red" attack detected. ?????????
 
Old 02-05-2005, 08:50 PM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Quote:
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:26 -0500] "GET scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:29 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:35 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:38 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"
xxx.xxx.xxx.xxx- - [23/Jan/2005:04:37:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"

The ones I do not know what happens and I worry a bit are commands like the following:

xxx.xxx.xxx.xxx - - [05/Feb/2005:04:20:37 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX……XXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
These are all attempts from zombies checking for vulnerabilities on Microsoft Internet Information Server. Since you aren't running IIS, don't worry about it. Everybody that runs a public web server gets a lot of these in their logs. If you are getting too many attempts from the same IP address, then blacklist it in your firewall and that's the end of that.

Quote:
xxx.xxx.xxx.xxx - - [04/Feb/2005:13:21:25 -0500] "CONNECT smtp.xxx.xx:25 HTTP/1.0" 302 272 -" "-"
Not sure what this is. I don't think I've ever heard of an SMTP connection over HTTP. I dunno. I can tell you that HTTP code 302 is "Moved Temporarily". Not sure how that fits in here.

Quote:
xxx.xxx.xxx.xxx - - [05/Feb/2005:19:15:04 -0500] "GET / HTTP/1.1" 304 0
This is a 304 code, which means "Not Modified". Generally, if a server sends this code to a browser, the browser will serve the page from cache instead.
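The original poster asks how to tell whether any of the logged requests actually succeeded, and the reply above points out that the cmd.exe and default.ida probes only matter on IIS and that repeat offenders can be firewalled. The script below is an added example, not code from the thread, that puts both points into practice: it parses Apache access_log lines, tags the probe families quoted in the thread plus CONNECT relay attempts, and reports whether the server refused each one (any status other than 2xx) or actually served it. The sample log is constructed to mirror the thread's lines, with documentation addresses in place of the masked ones, and includes one made-up CONNECT answered with 200 to show what a relay that got through would look like. The rule set and the "2xx means served" heuristic are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample access_log, modelled on the lines quoted in the thread.
# Addresses are RFC 5737 documentation ranges; the CONNECT line answered 200
# is made up to show what a relay that actually succeeded would look like.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2005:04:37:26 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
203.0.113.5 - - [23/Jan/2005:04:37:38 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"
203.0.113.9 - - [05/Feb/2005:04:20:37 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 280 "-" "-"
203.0.113.22 - - [04/Feb/2005:13:21:25 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 302 272 "-" "-"
203.0.113.22 - - [04/Feb/2005:13:21:40 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 200 0 "-" "-"
198.51.100.7 - - [05/Feb/2005:19:15:04 -0500] "GET / HTTP/1.1" 304 0
"""

# Prefix shared by Apache's common and combined log formats:
# host ident user [timestamp] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Probe families seen in the thread (assumed rule set). Both target IIS, so on
# an Apache host the only interesting question is the status code returned.
PROBE_RULES = [
    ("iis-unicode-traversal", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
    ("iis-codered", re.compile(r"^/default\.ida\?", re.I)),
]


def parse_line(line):
    """Return the fields of one access_log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Map a parsed entry to (label, outcome).

    outcome is 'served' when the server answered 2xx, i.e. it did what the request
    asked for, 'refused' for any other status, and 'n/a' for ordinary traffic.
    """
    status = int(entry["status"])
    if entry["method"] == "CONNECT":
        # CONNECT asks the server to open a TCP tunnel to a third host (here an SMTP
        # port). Only a 200 means the tunnel was opened; 302/4xx means it was not.
        return "proxy-relay-attempt", "served" if status == 200 else "refused"
    for label, rx in PROBE_RULES:
        if rx.search(entry["target"]):
            return label, "served" if 200 <= status < 300 else "refused"
    return "normal", "n/a"


def summarize(log_text):
    """Count (label, outcome) pairs, collect probes that were served, and tally
    which hosts sent probes, so repeat offenders can be picked out for blocking."""
    counts = Counter()
    probe_hosts = Counter()
    served = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        label, outcome = classify(entry)
        counts[(label, outcome)] += 1
        if label != "normal":
            probe_hosts[entry["host"]] += 1
            if outcome == "served":
                served.append(line)
    return {"counts": counts, "probe_hosts": probe_hosts,
            "served": served, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (label, outcome), n in sorted(report["counts"].items()):
        print(f"{n:4d}  {label:24s} {outcome}")
    print("probing hosts:", dict(report["probe_hosts"]))
    print("unparsed lines:", report["unparsed"])
    for line in report["served"]:
        print("SERVED (investigate):", line)
```

Run it against a real file with `summarize(open("/var/log/apache2/access_log").read())`; anything that lands in the served list is what deserves a look, while refused probes against software you do not run are noise. A line the regex cannot parse (such as the truncated default.ida line quoted in the thread) is counted under unparsed rather than silently dropped.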
 
Old 02-06-2005, 04:39 PM   #3
Nicos
LQ Newbie
 
Registered: Jan 2005
Location: Ontario, Canada
Distribution: Ubuntu
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you very much for your comments. They are really very informative.
I hope someone will comment on this CONNECT directive.

thanks
 
Old 02-07-2005, 07:20 AM   #4
Brian Knoblauch
Member
 
Registered: Jan 2005
Distribution: OpenSuse Tumbleweed
Posts: 288

Rep: Reputation: 39
Quote:
Originally posted by Nicos
Thank you very much for your comments. They are really very informative.
I hope someone will comment on this CONNECT directive.

thanks
That's a new method that spammers are using to relay off of certain vulnerable scripts/webservers. Sorry, I don't remember any more details about it.
 
Old 02-08-2005, 10:42 AM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Re: Here are my settings. How secure am I?

Quote:
Originally posted by Nicos

PS. My Sygate firewall (on the XP) does not allow me to post this message to this site. It says "Code Red" attack detected. ?????????
That's because your error log contains the contents of an attempted Code Red attack. The Code Red worm attempted to take over IIS web servers (and others, but unsuccessfully). In your case, the Sygate firewall saw the worm-ish characters and stopped it.
 