Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
If it doesn't return an error (I'd prefer using a CLI tool like cURL for the details it shows) then it may have some redirect or rewrite configured. BTW the mod_proxy line may indicate you're running Apache with all default modules enabled. Please review your configuration and only load what's absolutely necessary.
I have googled and found this link for curl: http://www.thegeekstuff.com/2012/04/curl-examples/. So which commands do you recommend in order to diagnose this problem? For the mod_proxy, what do you recommend to be shut off in Apache for security purposes? Should I send you an email on this with the Apache conf file?
The 13 lines described as successful all contain "/winnt/". Look for these in your logs so you can see what logwatch is looking at and form your own view on whether it was successful.
My preferred configuration for webservers is that they are firewalled so they cannot originate outbound traffic but only do the return half of HTTP(S) and SSH connections. With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said.
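One way to do the log review suggested above, as an added example that is not part of the original posts or of logwatch: it parses Apache combined-format access log lines, picks out the Windows/IIS-style probe requests the thread quotes (/winnt/, cmd.exe, /_vti_bin/, /msadc/, config.sys, and any '..' traversal after URL-decoding), and shows which of them the server answered with 200, which is the set logwatch labels "successful". The log lines in the block are constructed samples, not from a real server.

```python
"""Pull IIS/Windows-style probe requests out of an Apache access log.

Added example for this thread; it is not logwatch's code or anything from the
original posts. It assumes Apache's combined log format. The log lines below are
constructed samples, not from a real server; the probe markers are the ones the
thread quotes (/winnt/, cmd.exe, /_vti_bin/, /msadc/, config.sys) plus a generic
'..' traversal check after URL-decoding.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (Apache combined format). The first three lines mimic
# the Windows/IIS probes discussed in the thread; the last is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2013:12:01:02 +0000] "GET /_vti_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0 "-" "-"
203.0.113.5 - - [10/Aug/2013:12:01:03 +0000] "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir%20c: HTTP/1.0" 200 0 "-" "-"
203.0.113.5 - - [10/Aug/2013:12:01:04 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+type+config.sys HTTP/1.0" 404 283 "-" "-"
198.51.100.7 - - [10/Aug/2013:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

PROBE_MARKERS = ("/winnt/", "cmd.exe", "/_vti_bin/", "/msadc/", "config.sys")


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(path):
    """URL-decode twice (covers %255c-style double encoding) and fold backslashes."""
    return unquote(unquote(path)).replace("\\", "/").lower()


def is_probe(path):
    """True if the request path matches a known Windows/IIS probe or a '..' traversal."""
    p = normalize_path(path)
    return any(marker in p for marker in PROBE_MARKERS) or "/../" in p


def scan(log_text):
    """Return the parsed records of every probe request in the log."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            probes.append(rec)
    return probes


def answered_200(probes):
    """Probes the server answered with 200, which is what logwatch counts as
    'successful'. On a Linux host that usually means a rewrite or fallback page
    (the index the thread mentions), not that cmd.exe ran, but it is the set
    worth reviewing."""
    return [r for r in probes if r["status"] == 200]


def summarize(probes):
    """Counts of probes by response status and by source IP."""
    return Counter(r["status"] for r in probes), Counter(r["ip"] for r in probes)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    by_status, by_ip = summarize(found)
    print(f"{len(found)} probe requests; by status {dict(by_status)}; by source {dict(by_ip)}")
    for r in answered_200(found):
        print(f"  200 -> {r['ip']} {r['method']} {r['path']}")
```

Run it against a real file by replacing SAMPLE_LOG with the contents of /var/log/httpd/access_log; the double URL-decode matters because the probes in the thread often arrive with the backslash encoded as %255c, which a single decode does not unwrap.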
Yes, I tried with my page htpp://myip//_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir%20c: and it just gives me an empty page, that is my index.php. Yes, the server is firewalled and only port 80 is open to this server for web communication. I am not clear on this: "With that in force your server wouldn't be scanning www.fbi.gov whatever your httpd.conf said." What should I be doing? My server is CentOS.
Both sets of these entries look like attempts to probe your web server for exploits. Most of them look like they are probes for a Windows server running IIS, as indicated by the .exe, config.sys c:\, etc.
The latter ones look like exploit attempts to escape the directory tree and gain a shell, the cmd.exe, with the directory c:\. As far as the response goes for the latter ones giving you the plain index.html, that is exactly what my system does too in response to one of these redirect attempts. For example, I used the last one on the list, testing it with cURL (curl <my.domain>/msadc/..) and I received the index.html, indicative of the response code 200, and received the following line in my access log.
Actually I purposely changed the index page, which described the server, to an empty page to hide whatever possible. So what should I do to improve further? Regarding the mod_proxy, what is your suggestion there? Thank you.
which commands do you recommend in order to diagnose this problem?
This and which modules to load is probably easier to answer by you 0) attaching your httpd.conf and any configuration files in conf.d that don't have only commented out lines and telling us 1) what you exactly run in your web stack.
*Also please note that, like the others conveyed, these are automated tests against an OS you don't use. So it's not really a problem, and if you can live with a 200 response code, fine.
The httpd.conf is quite long. I have also installed mod_security. Should I post it here or should I email it over? The server purely just runs .php code; that's about it, nothing else is running except for some other services based on other languages, but not web-based stuff.
You run Apache with a stock configuration. I suggest you start with (making a backup and then) the includes sections at the bottom of httpd.conf and work your way up: disable negotiation, set default language to English, disable WebDAV, turn ServerSignature off, and check the directory in the Include statement for any active configuration files as you didn't attach any /etc/httpd/conf.d/ contents. IIRC for your purpose you won't need some of the "advanced" auth* modules as well as *dav*, usertrack, speling, substitute and related and the proxy* modules. Disable them. Then restart Apache and follow any warnings it throws. Look at http://httpd.apache.org/docs/2.2/mod/ what the module in question does and then decide if you need it or not. If unsure post the actual errors plus what you learned about the module in question.
*IIRC, and unless things changed since we last helped you secure your machines, access to your web server should have already been limited by the host firewall and the hardware firewall the hosts are behind.
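A small checker for the httpd.conf review described above, as an added example that is not the poster's code or anything from the Apache project. It parses a stock-style httpd.conf excerpt (constructed here, not the poster's real file), lists the loaded modules whose names match the ones the post says a PHP-only server does not need (negotiation, *dav*, usertrack, speling, substitute, proxy*), and checks ServerSignature Off; ServerTokens Prod is my addition, and the module list is an assumption about the poster's stack.

```python
"""Audit an Apache 2.2 httpd.conf against the hardening points discussed above.

Added example, not code from the thread or from the Apache project. It assumes a
stock CentOS-style httpd.conf with one LoadModule per line. The list of modules
to flag follows the post's advice (negotiation, *dav*, usertrack, speling,
substitute, proxy*) and is an assumption about what a PHP-only server needs;
ServerTokens Prod is my addition alongside the post's ServerSignature Off.
"""
import re

# Module-name prefixes the post says a PHP-only server can do without
UNNEEDED_MODULE_PREFIXES = ("negotiation", "dav", "usertrack", "speling", "substitute", "proxy")

# directive (lower-case) -> (hardened value, Apache's default when unset)
HARDENED_DIRECTIVES = {
    "serversignature": ("Off", "Off"),
    "servertokens": ("Prod", "Full"),
}

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*(ServerSignature|ServerTokens)\s+(\S+)", re.IGNORECASE)

# Constructed httpd.conf excerpt, not the poster's real file
SAMPLE_CONF = """\
ServerTokens OS
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule speling_module modules/mod_speling.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule substitute_module modules/mod_substitute.so
LoadModule php5_module modules/libphp5.so
ServerSignature On
Include conf.d/*.conf
"""


def active_lines(conf_text):
    """Yield configuration lines that are not blank or commented out."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def loaded_modules(conf_text):
    """Names of modules actually loaded, e.g. 'proxy_module'."""
    mods = []
    for line in active_lines(conf_text):
        m = LOADMODULE_RE.match(line)
        if m:
            mods.append(m.group(1))
    return mods


def unneeded_modules(conf_text):
    """Loaded modules whose name starts with one of the flagged prefixes."""
    flagged = []
    for mod in loaded_modules(conf_text):
        base = mod[:-len("_module")] if mod.endswith("_module") else mod
        if base.startswith(UNNEEDED_MODULE_PREFIXES):
            flagged.append(mod)
    return flagged


def directive_findings(conf_text):
    """Directives whose effective value (explicit or default) is not the hardened one."""
    seen = {}
    for line in active_lines(conf_text):
        m = DIRECTIVE_RE.match(line)
        if m:
            seen[m.group(1).lower()] = m.group(2)  # last occurrence wins
    findings = []
    for name, (want, default) in HARDENED_DIRECTIVES.items():
        got = seen.get(name, default)
        if got.lower() != want.lower():
            findings.append(f"{name} is {got} (want {want})")
    return findings


def audit(conf_text):
    """Full list of findings, one human-readable line each."""
    report = [f"comment out LoadModule {mod}" for mod in unneeded_modules(conf_text)]
    report.extend(directive_findings(conf_text))
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The checker only reads httpd.conf itself; files pulled in by the Include line at the bottom (conf.d/*.conf on CentOS) have to be fed through the same functions separately, which is why the post asks for them to be attached too.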
I have applied the changes you suggested to my httpd.conf and attached it here. I have also attached the files in conf.d (mod_security.conf and php.conf). I only attached 2, as the rest are the README and welcome.conf, which I did not upload. Yes, my machine is behind a firewall and all the access to it is via VPN tunnel, but I had trouble setting up key authorization; it's working now.