LinuxQuestions.org
Old 09-11-2010, 02:59 AM   #1
fordwrench
LQ Newbie
 
Registered: Nov 2006
Location: Cleveland, Tx
Distribution: debian,freebsd,slackware, and ubuntu
Posts: 15

Rep: Reputation: 1
how do I block this type of traffic and prevent my site getting hacked.


www.mydomain.com||||10225||||68.196.158.210 - - [11/Sep/2010:00:06:28 -0500] "GET /image.php?type=hv&hash=0eadb644e0e9e7318cd55682b39e9fbd HTTP/1.0" 200 10225 "http://www.mydomain.com/register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC"
www.mydomain.com||||1181||||67.142.166.21 - - [11/Sep/2010:00:06:29 -0500] "POST /.cod6xo/?action=fbgen&v=125&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.mydomain.com||||20993||||68.196.158.210 - - [11/Sep/2010:00:06:29 -0500] "POST /register.php?do=addmember HTTP/1.0" 200 20993 "http://www.mydomain.com register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC"
www.mydomain.com||||1181||||120.140.74.198 - - [11/Sep/2010:00:06:32 -0500] "GET /.cod6xo/?action=captcha&a=get&i=45069&v=21 HTTP/1.0" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

The previous is from my httpd access log. This happens a few times every second. They are trying to exploit something and I don't know what it is. How can I block this type of traffic completely, just short of taking down the whole domain?

Any help is appreciated. TIA

mrfordwrench
 
Old 09-11-2010, 03:09 AM   #2
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 248
Greetingz!

If those access_log entries spawn a 404 error in your error_log, then there's a tool called blockhosts you can use to ban any IP that causes more than X-number of 404 errors in a given time period.
(Note: you will *have* to make sure your website contains no broken links from this point on.)

Note that by default, blockhosts will just watch your syslog output, and depends on iptables being installed and running. There are a few usage examples on the website, specifically regarding apache log files.

It's also great for banning IPs of people that keep knocking on your SSH port.

Last edited by xeleema; 09-11-2010 at 03:10 AM.
 
Old 09-11-2010, 11:49 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
@fordwrench: what sort of web service(s) are you running? A cursory look (i.e. without research) shows that someone is perhaps trying to replay authenticated sessions, and/or take advantage of broken web app audits to perform an action.

Short of a reactive utility (as described in the previous post), you can:
  • Keep Apache web server and (especially) your web apps up to date.
  • Maintain a secure web server configuration.
  • Employ an application (layer 7) firewall, like mod_security.
  • Continue to monitor your logs.
 
1 members found this post helpful.
Old 09-11-2010, 02:04 PM   #4
fordwrench
LQ Newbie
 
Registered: Nov 2006
Location: Cleveland, Tx
Distribution: debian,freebsd,slackware, and ubuntu
Posts: 15

Original Poster
Rep: Reputation: 1
anomie,

I am running ispconfig web hosting software on debian 4. http,ftp,dns,ssh,smtp, and imap. The particular site they are trying to hit has a phpbb forum. Ever since this server has been up I have been getting battered and none of the other domains on the same server get this type of traffic.
The first few days I had it up I was getting pummeled on ssh and I installed fail2ban and stopped those attempts. Now I am getting hit on the http and mail services. I get random attempts on the mail server with someone always trying to send mail to unknown recipients on the particular domain, but no others.


mrfordwrench
 
Old 09-11-2010, 04:12 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,277
Blog Entries: 54

Rep: Reputation: 2852
@anomie: spot on I'd say. The OP quote of "Ever since this server has been up I have been getting battered" actually translates as "they have succeeded before and put hidden folders in my web that have xml exploits" (posted elsewhere).
 
Old 09-11-2010, 05:08 PM   #6
fordwrench
LQ Newbie
 
Registered: Nov 2006
Location: Cleveland, Tx
Distribution: debian,freebsd,slackware, and ubuntu
Posts: 15

Original Poster
Rep: Reputation: 1
unSpawn, spot on is correct! But that is why I am here. I keep my dist up to date as much as possible. I monitor logs. And I am trying to implement some better security measures. So if you don't have anything to help then don't say nothing. Yes I am a newbie of sort. I am not a linux GURU? I spend most of my time reading forums and such. I am trying everything I can, that is why I ask the question here.

Thanks xeleema and anomie for your excellent input.

Fordwrench
 
1 members found this post helpful.
Old 09-11-2010, 07:15 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,277
Blog Entries: 54

Rep: Reputation: 2852
Quote:
Originally Posted by fordwrench View Post
So if you don't have anything to help then don't say nothing.
Until you have acclimatized and know my intentions please refrain from pulling ones like that.
 
1 members found this post helpful.
Old 09-11-2010, 07:35 PM   #8
joec@home
Member
 
Registered: Sep 2009
Location: Houston Tx
Posts: 89

Rep: Reputation: 29
Quote:
Originally Posted by fordwrench View Post
anomie,

I am running ispconfig web hosting software on debian 4. http,ftp,dns,ssh,smtp, and imap. The particular site they are trying to hit has a phpbb forum. Ever since this server has been up I have been getting battered and none of the other domains on the same server get this type of traffic.
The first few days I had it up I was getting pummeled on ssh and I installed fail2ban and stopped those attempts. Now I am getting hit on the http and mail services. I get random attempts on the mail server with someone always trying to send mail to unknown recipients on the particular domain, but no others.


mrfordwrench

You might check the website itself for any premade applications such as WordPress or Joomla for the product version. There are many Internet worms that will scan for product versions and if they are not kept up to date then they will start slamming the site with scripts of known exploits.
 
Old 09-11-2010, 10:28 PM   #9
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 248
@fordwrench
Quote:
Originally Posted by fordwrench View Post
...I keep my dist up to date as much as possible. I monitor logs. And I am trying to implement some better security measures.
That's great! I wish more admins would do the same!
Quote:
Originally Posted by fordwrench View Post
So if you don't have anything to help then don't say nothing. Yes I am a newbie of sort.
Hold yer horses there. No need to get on UnSpawn about that, he was talking to anomie.
UnSpawn's one of our trusted moderators, and a fair one at that. He wasn't taking a punch at you.
Quote:
Originally Posted by fordwrench View Post
I am not a linux GURU? I spend most of my time reading forums and such. I am trying everything I can, that is why I ask the question here.
That's awesome, keep that up and never stop learning.
Quote:
Originally Posted by fordwrench View Post
Thanks xeleema and anomie for your excellent input.
No problem, let us know what you try and how it works out for you!

EDIT: Also, if you could note which posts you find helpful, that might help the many, many people that have viewed this thread so far (over 100!).

Last edited by xeleema; 09-11-2010 at 10:30 PM.
 
Old 09-11-2010, 10:49 PM   #10
fordwrench
LQ Newbie
 
Registered: Nov 2006
Location: Cleveland, Tx
Distribution: debian,freebsd,slackware, and ubuntu
Posts: 15

Original Poster
Rep: Reputation: 1
Sorry unSpawn but your comments came to me negatively. And I don't know your intentions. So I had to take what I got from the post. I have been reading these forums since before 2006 when I finally signed up. I know you are a mod. Again, sorry.

Now back to the problem, I have had this domain since 2000 and have run it on several different servers. I started it on ensim at ev1. I gave up on EV1 when I had a problem and called them for support and they were no help so I had to start my own support system. When I first started hosting this myself is when I noticed the ssh hits. I know now that they are trying cross-site scripting to exploit my system. I have installed mod_security and am now trying to configure it properly to catch and thwart the http hacking. I haven't even started on the mail situation.
I have no mail users on the domain so any email address they try gets rejected.

Fordwrench
 
Old 09-12-2010, 12:03 AM   #11
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 248
@fordwrench
Okay, let me make sure I understand the scope of the problem;

You have remote IPs hitting the following services;
HTTP - Port 80 - XSS (Cross-Site Scripting) attacks hitting your system.
SMTP - Port 25 - Attempting to email anyone within your domain, but there are currently no valid @yourdomain.com email addresses configured.

Current problem: the HTTP XSS attacks.

It doesn't really sound like 'fail2ban' is going to help you knock-out as many of these problem areas as needed. According to a tutorial from unix-tutorials, it's great for spotting failed login attempts, but doesn't look like it's configurable to trap any error from any log file, and ban the responsible IP.

As I mentioned before, blockhosts.py does behave like fail2ban in many ways, however, you can tell it what logfiles to watch, and what actions to look for (then watch/ban as configured). From the website, it covers the regexp needed for vsftp(/var/log/secure), apache/horde web-based email, and SSH or other login failures.

Now about these XSS attacks, even though they're showing up in your access_log, is anything showing up in your error_log?
If so, you could set up custom Error Pages to call a little PHP script that will trigger a blockhosts check (like in the apache+horde link above).
 
Old 09-12-2010, 10:14 PM   #12
fordwrench
LQ Newbie
 
Registered: Nov 2006
Location: Cleveland, Tx
Distribution: debian,freebsd,slackware, and ubuntu
Posts: 15

Original Poster
Rep: Reputation: 1
xeleema,

I have installed blockhosts and it is working for sshd and proftpd. I have read the link you noted and the pattern in the link does not match the pattern of the problem in my httpd log file. I need to match the following line with a pattern.


www.mydomain.com||||1181||||120.140.74.198 - - [11/Sep/2010:00:06:32 -0500] "GET /.cod6xo/?action=captcha&a=get&i=45069&v=21 HTTP/1.0" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

The key is the "GET /.cod6xo/". If I can get a pattern that will search for that in the line and block based on that, it will work.

Unfortunately the forum on Blockhosts is old and outdated. I have been doing searches for apache patterns but have not seen any different.

Fordwrench
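One way to build the pattern asked for in the post above, as an added example that is not part of the thread and is not blockhosts or fail2ban configuration: a Python regular expression for the `vhost||||bytes||||ip` log layout, plus a count of 404 probe hits per client inside a time window. The threshold, the 60-second window, the helper names and the sample lines (documentation-range addresses) are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout seen in the thread: vhost||||bytes||||client-ip, then combined-log fields.
LINE_RE = re.compile(
    r'^(?P<vhost>[^|\s]+)\|{4}(?P<size>\d+|-)\|{4}'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) ')
# Dot escaped so only a literal "/.cod6xo" path segment counts as a probe.
PROBE_RE = re.compile(r'^/\.cod6xo(?:/|\?|$)')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not in the vhost||||bytes||||ip layout
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def probing_ips(lines, threshold=3, window=timedelta(seconds=60)):
    """IPs with at least `threshold` 404 probe hits inside one window."""
    recent, flagged = defaultdict(deque), set()
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == 404 and PROBE_RE.match(rec["uri"]):
            hits = recent[rec["ip"]]
            hits.append(rec["when"])
            while rec["when"] - hits[0] > window:
                hits.popleft()  # drop hits that fell out of the window
            if len(hits) >= threshold:
                flagged.add(rec["ip"])
    return sorted(flagged)

def _line(ip, hms, request, status):  # builds one constructed sample line
    return ('www.mydomain.com||||1181||||%s - - [11/Sep/2010:%s -0500] "%s '
            'HTTP/1.0" %d 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"'
            % (ip, hms, request, status))

# Constructed sample input, in time order (not taken from the poster's log).
SAMPLE = [
    _line("192.0.2.10", "00:06:32", "GET /.cod6xo/?action=captcha&a=get", 404),
    _line("203.0.113.5", "00:06:32", "POST /register.php?do=addmember", 200),
    _line("192.0.2.10", "00:06:33", "POST /.cod6xo/?action=fbgen&v=125", 404),
    _line("198.51.100.7", "00:06:33", "GET /.cod6xo/?action=captcha", 404),
    _line("192.0.2.10", "00:06:34", "GET /.cod6xo/?action=captcha&a=get", 404),
    _line("198.51.100.7", "00:09:00", "GET /.cod6xo/?action=captcha", 404),
    _line("198.51.100.7", "00:12:00", "GET /.cod6xo/?action=captcha", 404),
]
```

`probing_ips(SAMPLE)` flags only the client that sent three probes within a minute; the client whose three probes are minutes apart and the ordinary registration request are left alone.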
 
Old 09-13-2010, 12:28 AM   #13
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 248
@fordwrench
Glad it's working for proftpd & ssh!

As for the "GET /.cod6xo/" requests in your access_log...if there's a DocumentRoot:/.cod6xo/ directory on your webserver, I can understand the frustration. I'm looking into a RegExp for the problem.

In the interim, consider a ReWrite Rule;
Code:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)(/.cod6x/)(.*) [NC]
RewriteRule .* - [F]
NOTE: Not tested, so you might have to tweak the bolded section.
 
Old 09-13-2010, 08:02 AM   #14
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,908

Rep: Reputation: 1326
The correct rewrite should be:
Code:
RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)/.cod6x
RewriteRule (.*) - [F]

Quote:
www.mydomain.com||||1181||||120.140.74.198 - - [11/Sep/2010:00:06:32 -0500] "GET /.cod6xo/?action=captcha&a=get&i=45069&v=21 HTTP/1.0" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

The key is the "GET /.cod6xo/". If I can get a pattern that will search for that in the line and block based on that, it will work.
Mind that this request gives a 404 error, so it's not that important. What is important and strange is the format of the host doing the request (www.mydomain.com||||1181||||120.140.74.198). I've never seen something like that.
Anyway you can also use mod_rewrite to block such hosts:
Code:
RewriteEngine on

RewriteCond %{REMOTE_HOST} ^www.mydomain.com\| [OR]
RewriteCond %{REQUEST_URI} ^(.*)/.cod6x
RewriteRule (.*) - [F]
Regards
 
2 members found this post helpful.
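A quick way to check which request paths each RewriteCond pattern posted in #13 and #14 would actually match before deploying it, as an added example that is not part of the thread. It assumes Python's `re` behaves like Apache's PCRE for these simple patterns; the "tightened" pattern and the sample paths are this example's own.

```python
import re

# RewriteCond patterns as posted in the thread ([NC] maps to re.IGNORECASE),
# plus a tightened variant that is an assumption of this example:
# escaped dot, anchored at the document root, full directory name.
PATTERNS = {
    "post13": re.compile(r'^(.*)(/.cod6x/)(.*)', re.IGNORECASE),
    "post14": re.compile(r'^(.*)/.cod6x'),
    "tightened": re.compile(r'^/\.cod6xo(/|$)'),
}

# Constructed request paths. %{REQUEST_URI} holds the path only, without
# the query string, so the "?action=..." part never reaches the pattern.
PATHS = ["/.cod6xo/", "/.cod6x/", "/forum/xcod6x.php", "/register.php"]

def blocked_by(path):
    """Names of the patterns whose RewriteCond would be true for this path."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(path))

def report():
    """Map every sample path to the patterns that would forbid it."""
    return {path: blocked_by(path) for path in PATHS}

if __name__ == "__main__":
    for path, names in report().items():
        print("%-20s %s" % (path, ", ".join(names) or "(allowed)"))
```

An unescaped `.` matches any character, so a legitimate path such as the constructed `/forum/xcod6x.php` is also forbidden by the looser pattern.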
Old 09-13-2010, 08:38 AM   #15
djsmiley2k
Member
 
Registered: Feb 2005
Location: Coventry, UK
Distribution: Home: Gentoo x86/amd64, Debian ppc. Work: Ubuntu, SuSe, CentOS
Posts: 343
Blog Entries: 1

Rep: Reputation: 72
You can calibrate fail2ban to ban on other events, however it's slightly more difficult (lots of regex).

Once I return home I'll try and remember to post some examples for you to help you block these attempts.

The problem part is the fact currently they return a code 200 (successful) and so fail2ban wouldn't see these as any type of "bad" attempt.
 
  

