LinuxQuestions.org

Linux - Security: HTTP access_log: security breach? (https://www.linuxquestions.org/questions/linux-security-4/http-access_log-security-breach-14149/)

lhoff 02-12-2002 07:32 PM

HTTP access_log: security breach?
 
I saw an entry in today's logs for a host that requested a GET http://192.168.x.x (i.e., a LAN IP address, though in the end not a working one). I hadn't seen anything like that before; usually I just see file requests. There was only one of these.

Is this a usual kind of request, or should I be concerned?

Seeing this prompted me to look for tcpd, but I couldn't find it. Strange. I had thought this was installed. I do have portsentry, though, and so put a new entry into my hosts.deny. I'm hoping portsentry refers to that file to make its decisions.

Advice welcome!

unSpawn 02-13-2002 01:13 AM

Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges, aren't supposed to be routable on the net, and any outside request for an address like these should be dropped.

Portsentry has its own allow/deny tables, but dumping an address to any other app like Tcpwrappers or fw is easy; the cmd is in the config. With a little bit of work you could make a shell script that would tally IPs, and beyond a certain threshold block just their offending /24, /16 or /8 :-]

Maybe unwanted advice, but Portsentry by now isn't considered very effective, using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and try to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), that can be handed off to any other app using the distributed 3rd party apps that come with the tarball. Just like with AV software you'll be able to regularly update the rules bases, and you get the ability to write your own rules.
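A defender-side version of the tally unSpawn describes, added here as an example that is not part of the original thread: it parses Apache common-log lines, flags requests whose target is an absolute URI naming a private (RFC 1918) or loopback address, like the `GET http://192.168.x.x` entry lhoff saw, and lists the client /24s that reach a threshold. The log lines, the function names and the threshold value are constructed for this example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit
# Address blocks that should never be requested from the public Internet
# (RFC 1918 private ranges plus loopback); a request for one is a probe.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Apache common log format: client, identity, user, [time], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation-range client addresses), not from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2002:18:02:11 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.9 - - [12/Feb/2002:18:05:42 -0500] "GET http://192.168.1.1/ HTTP/1.0" 404 209
198.51.100.9 - - [12/Feb/2002:18:05:43 -0500] "GET http://10.0.0.5:8080/ HTTP/1.0" 404 209
203.0.113.7 - - [12/Feb/2002:18:07:00 -0500] "GET /images/logo.gif HTTP/1.0" 200 2210
198.51.100.9 - - [12/Feb/2002:18:07:15 -0500] "GET http://127.0.0.1/ HTTP/1.0" 404 209
"""

def targets_non_routable(request_target):
    """True if the request line names a private or loopback host as an absolute URI."""
    if "://" not in request_target:
        return False           # ordinary path request such as /index.html
    host = urlsplit(request_target).hostname
    try:
        addr = ipaddress.ip_address(host)
    except (TypeError, ValueError):
        return False           # hostname or unparsable: not an IP literal
    return any(addr in net for net in NON_ROUTABLE)

def tally_probes(log_text):
    """Return {client_ip: count} of requests aimed at non-routable hosts."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and targets_non_routable(m.group(3)):
            hits[m.group(1)] += 1
    return dict(hits)

def clients_over_threshold(log_text, threshold=2):
    """Client /24s whose probe count reaches the threshold, as network strings."""
    blocks = set()
    for client, n in tally_probes(log_text).items():
        if n >= threshold:
            blocks.add(str(ipaddress.ip_network(f"{client}/24", strict=False)))
    return sorted(blocks)   # e.g. ['198.51.100.0/24'] for SAMPLE_LOG
```

The returned networks are only a candidate list for review; feeding them straight into hosts.deny or the firewall without a whitelist is exactly the self-inflicted block unSpawn warns about for Portsentry.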

lhoff 02-14-2002 10:23 AM

Quote:

Originally posted by unSpawn
Block the ranges off at the fw. 192.0.0.0/8, just like the 127.0.0.0/8 IANA ranges, aren't supposed to be routable on the net, and any outside request for an address like these should be dropped.
Where do I find this? I've configured a firewall using the Mandrake GUI. But, it's not that I don't trust it, it just leaves me uninformed as to what's going on. I need to start viewing the actual files for this stuff.

And re: Portsentry...

Quote:

using Snort would be better. Why? Because Portsentry only *listens* for connections made to a port, not classifying traffic. So it's easy to trip it by just using a scanner or packet mangler and try to feed it bogus addresses that will be blocked.
Snort OTOH examines packets for "bad" contents based on content rules and raises alerts for those (--with-flexresp), that can be handed off to any other app using the distributed 3rd party apps that come with the tarball. Just like with AV software you'll be able to regularly update the rules bases, and you get the ability to write your own rules.

Where can I find out more about Snort?

Tx.

voodoochild7 02-16-2002 11:10 AM

www.snort.org.

If you read the Honeynet project, it explains a lot.
