Old 04-18-2004, 10:36 AM   #1
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/11/13.37/14 RedHat 6.2/7 SuSE 8.2/11.1
Posts: 418

httpd attacks


I'm running Slackware with Apache 1.3 and have been checking through my logs for the past week or so, and have seen thousands of username/password guesses, obviously from a word list or similar. What I did initially was to take the IP address and add it to the "Deny from" feature in the httpd.conf file, but only this morning I have seen the same thing happen again. This time it would seem that the IP addresses are completely random and as such forged. How would you go about combating such attempts to gain access to restricted areas?

Thanks in advance...

Last edited by plisken; 04-18-2004 at 06:57 PM.
 
Old 04-18-2004, 02:34 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Could you post an example from your apache logs? If you think about it, using packet spoofing isn't going to do someone much good for brute-forcing passwords. They would send the initial connection attempt with a forged address, to which your system would reply with the authentication challenge (but it would go to the forged address, not to evil.hacker!!). They would then send random username/password combos, but since any success/failure replies would go to the forged address, they would never know if they guessed correctly or not. On top of that, there is also an underlying issue of TCP sequence numbering that adds a second layer of difficulty in doing that (the TCP protocol uses a very rudimentary form of spoofing protection through the numbering of packets).

If you are seeing a truckload of packets, it's possible that you are seeing a mixture of spoofed and live packets. The logic being that if you mix in enough fake packets, you can hide legitimate ones in the noise.
 
Old 04-18-2004, 03:29 PM   #3
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/11/13.37/14 RedHat 6.2/7 SuSE 8.2/11.1
Posts: 418

Original Poster
Hi there, please find below extracts from my error_log.

[Sun Apr 18 10:37:36 2004] [error] [client 207.141.37.198] user bigddd not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 68.152.174.70] user bigken not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 210.69.128.252] user bigjim5 not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 168.243.250.57] user benson not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 203.151.40.252] user bigbad not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 80.58.23.235] user beber6 not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 80.58.15.235] user beffy1 not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 202.175.238.202] user bigjim not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 203.198.42.21] user bigens not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 203.154.153.59] user bigboper not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.68.127.140] user bigtee not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 202.163.228.90] user bignub7 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 217.117.14.167] user bigmel28 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 80.11.158.29] user bigstep not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 219.145.130.118] user bigmixx not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 80.58.2.44] user bemaking not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 217.99.47.167] user biffxxx not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 217.194.152.130] user bigclit1 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 210.23.115.66] user bigmans not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 69.0.87.85] user bigfish not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.94.231.131] user bigtuna1 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.177.64.182] user bigsix not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.154.70.121] user bigguy not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 200.61.183.162] user bevoone not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 62.72.116.93] user billbill not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 80.58.3.172] user bigsal not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 140.131.117.6] user bigjoe not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 80.58.47.44] user bedbur not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 61.11.26.150] user barter not found: /members/


This particular attack went on for 8 minutes or so...

Below is an extract from a previous attack; note though that the IP address is the same in each instance below, unlike the log from above.

[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user jamesch not found: /members/
[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user jim not found: /members/
[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user johnnyb not found: /members/
[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user KCRandy not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user kwisatz not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user lee555 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user max7 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user mcgaryb not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user me2001 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user Mike8b not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user njken63 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user ososito not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pass2 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pker not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pootz not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pred not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pwright not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user Rover2 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user schaepper not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user sexmetv not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user shaggydo1 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user smur4321 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user solidous not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user splippy1 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user Sponsor not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall12343 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall222 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall434 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall444 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall4444 not found: /members/
[Mon Apr 12 13:41:34 2004] [error] [client 217.224.47.247] user telepath1 not found: /members/
[Mon Apr 12 13:41:34 2004] [error] [client 217.224.47.247] user The1saint not found: /members/
[Mon Apr 12 13:41:34 2004] [error] [client 217.224.47.247] user tnguy not found: /members/

One thing that really surprises me is the number of guesses per second that is achieved.

All help and comments in this matter are appreciated!
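An added example, not code from the thread: a small Python detector for the Apache 1.3 error_log format quoted above. It parses the "user X not found" lines, counts failed lookups per realm, per client address and per second, and separates a single-source burst (which a per-IP "Deny from" handles) from a distributed one spread over many addresses (which it does not). The function names and the sample lines are constructed for this example; the sample IPs are documentation-range addresses, not the ones in the thread.

```python
import re
from collections import Counter, defaultdict

# Apache 1.3 error_log line for a failed Basic-auth user lookup
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"user (?P<user>\S+) not found: (?P<realm>\S+)$"
)

# Constructed sample lines (documentation-range IPs), not the thread's real log.
DISTRIBUTED = [  # six guesses from six addresses, five of them in one second
    f"[Sun Apr 18 10:37:{36 + i // 5} 2004] [error] [client 192.0.2.{10 + i}] "
    f"user big{i} not found: /members/" for i in range(6)
]
SINGLE = [  # six guesses from one address in one second
    f"[Mon Apr 12 13:41:33 2004] [error] [client 198.51.100.7] user {u} not found: /members/"
    for u in ("jim", "max7", "pker", "pred", "stall222", "tnguy")
]

def parse(line):
    """Return (timestamp, client_ip, username, realm) or None for other lines."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def summarize(lines):
    """Per realm: total failed lookups, distinct client IPs and the peak number
    of lookups logged in any single second (error_log has 1 s resolution)."""
    acc = defaultdict(lambda: {"total": 0, "ips": set(), "per_sec": Counter()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _user, realm = rec
        r = acc[realm]
        r["total"] += 1
        r["ips"].add(ip)
        r["per_sec"][ts] += 1
    return {realm: {"total": r["total"], "distinct_ips": len(r["ips"]),
                    "peak_per_second": max(r["per_sec"].values())}
            for realm, r in acc.items()}

def classify(stats, rate_threshold=5, ip_ratio=0.5):
    """Below the rate threshold: ordinary mistyped logins. Above it, guesses spread
    over many addresses (open proxies) defeat a per-IP 'Deny from'; the same
    rate from one address is stopped by a per-IP block or rate limit."""
    if stats["peak_per_second"] < rate_threshold:
        return "normal"
    if stats["distinct_ips"] / stats["total"] >= ip_ratio:
        return "distributed-bruteforce"
    return "single-source-bruteforce"
```

Run it over a real error_log with `summarize(open("error_log"))`; the thresholds are starting points and should be tuned to the site's normal failed-login rate.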
 
Old 04-18-2004, 04:12 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,532
Blog Entries: 51

Quote:
this time it would seem that the IP addresses are completely random and as such forged, how would you go about combating such attempts to gain access to restricted areas?

Depends on who needs access to it and whether it's worth protecting. The first thing, I think, just like with other vulnerable services such as FTP, would be to make sure you never use system authentication databases as the underlying auth DB. Use separate ones, even if it is a burden to manage (depends on what the restriction is worth, of course). If your userbase is distinct and small, additional TCP wrappers plus firewall access restrictions could work. If your userbase is the whole world, then you could try to rate-limit access: check iplimit from Iptables' POM, and check whether mod_throttle or mod_dosevasive provides rate limiting.

Nice IP listing BTW. At least half of them are open proxies.
The dictionary I do question, because the names don't seem that generic to me. Are you by any chance running a shell server?
 