LinuxQuestions.org

Linux - Security: noob with httpd-access.log (Attempting to Crack me?) (https://www.linuxquestions.org/questions/linux-security-4/noob-with-httpd-access-log-attempting-to-crack-me-349595/)

kwlskwlguy 08-03-2005 10:27 AM

noob with httpd-access.log (Attempting to Crack me?)
 
Concerned w/ security, I read my logs with a compulsive fervor. Usually in the httpd-access.log I see things like:

Code:

[20/Jul/2005:18:14:50 -0400] "GET / HTTP/1.0" 200 1456 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[20/Jul/2005:18:27:00 -0400] "GET / HTTP/1.0" 200 341 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[20/Jul/2005:18:27:01 -0400] "GET /upiheader.html HTTP/1.0" 200 160 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[20/Jul/2005:18:27:01 -0400] "GET /linkside.html HTTP/1.0" 200 652  "Mozilla/4.0 compatible; MSIE 6.0; Windows NT 5.1; SV1)"
[20/Jul/2005:18:27:01 -0400] "GET /home.html HTTP/1.0" 200 820

Today I noticed oddities like:

Code:

[30/Jul/2005:10:09:24 -0400] "GET //bin/awstats/awstats.pl HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
[30/Jul/2005:10:09:39 -0400] "GET //scripts/ awstats.pl HTTP/1.1" 400 377 "-"
[30/Jul/2005:10:09:39 -0400] "GET //scripts/awstats.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

And,

Code:

[26/Jul/2005:21:43:44 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\

In my doc-root I have no such folders as 'bin','scripts','cgi-bin'. Is this an attempt to crack into my system? I run a (very) slightly configured-from-default install of Apache 1.3x, and I've tentatively looked into running httpd in a chroot sandbox (jail?, unsure which applies if not both), but have yet to fully investigate its machinations.

If required, I'd be happy to furnish more info.


Thank You Kindly.

Capt_Caveman 08-03-2005 02:49 PM

The first one is looking for webservers running vulnerable versions of awstats which had a significant vulnerability several months ago. If you don't have awstats installed, then you don't have anything to worry about (the 4XX http status codes would suggest that you don't have it installed).

The second one I believe is an older WebDAV exploit for Windows IIS webservers and doesn't affect linux.

So I don't think you have anything to worry about. It's a good thing that you're vigilant about keeping up with your logs though.

kwlskwlguy 08-03-2005 05:46 PM

Thank you Oh Captain, My Captain, for the reply. Being new to serving a web-page I'd like to know, in your opinion, if I should block the offending IP address via firewall, or if this would only be the first in a multitude of attempts, and therefore a waste of time?

KimVette 08-03-2005 06:33 PM

It's a waste of time. Some script kiddie is playing. There will be others. The idiot is likely on a dynamic IP so block the nitwit today, he'll be back again two days from now scanning you again when his IP address changes.

Capt_Caveman 08-03-2005 10:08 PM

I'd have to agree. If you start adding iptables rules for everyone who scans you, you'll have an extremely long blacklist which can actually degrade network performance (i.e. if every packet has to traverse several thousand iptables rules, it can eventually become noticeable). I usually reserve bannination for persistent abusers or probes that don't look particularly automated.
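The two probe shapes Capt_Caveman identified (awstats.pl scanning and the WebDAV SEARCH with a NOP sled) and the advice to ban only persistent sources can be turned into a small log check. The following Python is an added example, not code from anyone in this thread: it parses Apache combined-format lines, labels the two probe types, and counts flagged hits per client IP so that only repeat offenders cross a threshold. The combined format with a leading client IP is assumed (the poster's excerpts omit that field), and the sample lines, IPs and the 501 status for the SEARCH request are constructed.

```python
import re
from collections import Counter

# Apache "combined" log layout (assumed; the thread's excerpts omit the leading client IP):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Probe shapes discussed in the thread: awstats.pl scanning, and a WebDAV SEARCH carrying a NOP sled.
AWSTATS_RE = re.compile(r'awstats\.pl', re.IGNORECASE)
NORMAL_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
# Apache writes non-printable request bytes as literal \xNN escapes, so we match the escape text.
NOP_SLED_RE = re.compile(r'(?:\\x90|\\x02\\xb1){4,}')

def classify(line):
    """Return (client_ip, probe_label) for a log line, or None for ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or truncated line: ignore rather than guess
    ip, request, status = m.group("ip"), m.group("request"), int(m.group("status"))
    method = request.split(" ", 1)[0] if request else ""
    if AWSTATS_RE.search(request) and status >= 400:
        return ip, "awstats-scan"           # probing for an awstats.pl we do not serve
    if method not in NORMAL_METHODS and NOP_SLED_RE.search(request):
        return ip, "webdav-overflow-probe"  # IIS WebDAV-style SEARCH; does not apply to Apache
    return None

def persistent_sources(lines, threshold=3):
    """Count probes per client IP and return {ip: count} for sources at or above the threshold."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines modelled on the thread's excerpts (IPs are documentation ranges).
SAMPLE = [
    '192.0.2.10 - - [30/Jul/2005:10:09:24 -0400] "GET //bin/awstats/awstats.pl HTTP/1.1" 404 307 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [30/Jul/2005:10:09:39 -0400] "GET //scripts/ awstats.pl HTTP/1.1" 400 377 "-" "-"',
    '192.0.2.10 - - [30/Jul/2005:10:09:39 -0400] "GET //scripts/awstats.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0"',
    r'198.51.100.7 - - [26/Jul/2005:21:43:44 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 501 0 "-" "-"',
    '203.0.113.5 - - [20/Jul/2005:18:14:50 -0400] "GET / HTTP/1.0" 200 1456 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, n in persistent_sources(SAMPLE).items():
        print(f"{ip}: {n} probes (candidate for a firewall rule)")
```

With the default threshold of 3 only the awstats scanner is reported; the single SEARCH probe stays below it, which matches the "don't ban every one-off scan" advice above.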

basileus 08-07-2005 05:13 PM

If you have not already done these, then you should do them now...

First, run the webserver in a "chroot jail", meaning that it can only access filesystem below the jail directory. Apache has at least two modules with which you can put it to run inside a jail: mod_security and mod_chroot. I might remember the names wrong...

Second, remove ALL unneeded modules from the webserver. Those that can't be uninstalled should be disabled, if at all possible.

Third, check the manual regarding securing your webserver. There are lots of useful manuals and howtos for Apache.

kwlskwlguy 08-10-2005 06:47 AM

Merci Beaucoup, My Friends, for the input. I'll track for persistent, consistent IPs and try to block only those. For the Jail will I have to recompile, and also change the BASEDIR in order to do so? Or can I jail this server on-the-fly? Again, Much Thanks.

