Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
mitusf,
Just from the locations of the IP Addresses, I'd say that is exactly what the problem is. It appears as if you need to set up some IP Firewall (IPFW) Rules or install Fail2Ban to block those types of hacking attempts.
What ports are open on your Router to the WAN?
Have you scanned with nmap to verify the Open Ports on your Router, Server, Clients? That is where I'd suggest starting.
i.e. nmap -sS 192.168.0.4
You can Terminate the WAN Access while you continue the LAN Access for your local Clients, until you have the Security implemented.
Be sure that root access IS NOT ENABLED.
Be sure that Password Access IS NOT ENABLED if you have WAN access ENABLED. Use Secure RSA or DSA Keys.
You can move the Router ports for SSH or FTP access to a Port higher than 10000 in your Router, to access Ports 21 or 22 on your LAN.
i.e. FTP in on Router Port 49650 (which is forwarded to 21 on your LAN)
Be sure to keep an eye on your Logs daily, to make sure you are the only one accessing your Server, until you are 100% sure.
I'd suggest that you stop all Port Forwarding, or take your Server offline until you get tighter security implemented, as per the suggested Documents below.
There are other documents as well, discussing using FTP transfers and using SSH with DSA Keys. It might be worth your while to read those documents too.
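The two sshd settings the post above insists on (root login off, password authentication off) are easy to get wrong because sshd keeps the first value it sees for a keyword, not the last, and later "fixes" lower in the file are silently ignored. The following audit script is an added example, not code from the thread or from any poster; the sample sshd_config it checks is constructed, and it assumes the OpenSSH defaults of prohibit-password for PermitRootLogin and yes for PasswordAuthentication. Settings inside Match blocks are skipped as a simplification, since they apply only conditionally.

```shell
#!/bin/sh
# Audit an sshd_config for the two settings recommended above:
# root login disabled and password authentication disabled (keys only).
# sshd uses the FIRST value it sees for a keyword, keywords are
# case-insensitive, and anything after '#' is a comment. Lines inside a
# "Match" block are skipped here (a simplification: they apply conditionally).

# Constructed sample config (not from the thread) for a stand-alone run.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no        # ignored: sshd keeps the first value
Match User backup
    PasswordAuthentication yes
'

# sshd_setting FILE KEYWORD DEFAULT -> prints the effective value
sshd_setting() {
    file=$1; key=$2; default=$3
    value=$(awk -v key="$key" '
        { sub(/#.*/, "") }                               # strip comments
        NF == 0 { next }                                 # skip blank lines
        tolower($1) == "match" { in_match = 1; next }    # Match block starts
        in_match { next }                                # conditional: skipped
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# audit_sshd FILE -> prints one line per finding; returns 0 if both
# settings are safe, 1 otherwise.
audit_sshd() {
    file=$1; rc=0
    # Assumed defaults: OpenSSH >= 7.0 ships prohibit-password / yes.
    root=$(sshd_setting "$file" PermitRootLogin prohibit-password)
    pass=$(sshd_setting "$file" PasswordAuthentication yes)
    case "$root" in
        no) echo "OK   PermitRootLogin=$root" ;;
        *)  echo "WARN PermitRootLogin=$root (expected: no)"; rc=1 ;;
    esac
    case "$pass" in
        no) echo "OK   PasswordAuthentication=$pass" ;;
        *)  echo "WARN PasswordAuthentication=$pass (expected: no)"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$tmp"
if audit_sshd "$tmp"; then
    echo "sshd config OK"
else
    echo "sshd config needs changes"
fi
rm -f "$tmp"
```

Run it as `audit_sshd /etc/ssh/sshd_config` on a real host; on the constructed sample it warns on PermitRootLogin because the first value (yes) wins over the later "no", exactly the kind of mistake the post's "IS NOT ENABLED" check is meant to catch. `sshd -T` prints the effective configuration and is the authoritative check when you have root on the box.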
I've got my doubts; while the general structure does look similar to an XSS, look at all those 501s, 400s and 408s. That suggests to me that your server is sending out something 'random' and a server at the other end is responding with some kind of error.
Just check that you aren't sending out something unexpected on start-up (ntp?, dns?, checking outdated/wrong locations for software updates?, etc).
If that's not it, then go ahead and block while further investigation is ongoing, but while it is strange I'm not yet convinced it's malicious.
@lkraemer
Quote:
Just from the locations of the IP Addresses...
The few that I looked at didn't have particularly suspicious origin locations, but looked to be close-by Middle-European states, so what were you seeing that raised suspicions?
I think these are all break-in attempts, but I do not really know what all these represent.
Maybe somebody else can but I haven't been able to decipher it.
Quote:
Originally Posted by mitusf
What do you think? Am I safe for this kind of requests?
While this is a very selective view of things (only a few access_log lines paint a different picture than posting all access_log and error_log entries for these hosts would), you can see all these requests have return codes of 400 "Bad request", 408 "Request timeout" or 501 "Not implemented". "Safe" depends on what the web server, and whatever you run in your web stack, return. In this case the web server doesn't appear to yield anything, making these requests not successful.
Quote:
Originally Posted by salasi
That suggests to me that your server is sending out something 'random' and a server at the other end is responding with some kind of error. Just check that you aren't sending out something unexpected, on start up (ntp?, dns?, checking outdated/wrong locations being for software updates?, etc).
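The point made above is that "safe" is decided by what the server actually returned, so the useful check is a per-client summary of the access log: did a given address ever get a 2xx/3xx response, or only 400/408/501 errors? The script below is an added example written for this thread, not code from any poster; the five log lines it parses are constructed (Apache "combined" format, documentation addresses) and stand in for the real access_log.

```shell
#!/bin/sh
# Summarise an Apache "combined" access log per client address: did the
# client ever get a successful response, or only errors? Splitting on '"'
# keeps the request field intact even when it contains spaces or the
# binary junk that produces 400 "Bad request" entries.

# Constructed sample log (not from the thread): one normal visitor and two
# clients that only ever draw 400/408/501 responses.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2010:13:55:36 +0300] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Oct/2010:13:57:01 +0300] "\x16\x03\x01\x02" 400 226 "-" "-"
198.51.100.21 - - [10/Oct/2010:13:57:40 +0300] "-" 408 - "-" "-"
192.0.2.88 - - [10/Oct/2010:14:02:11 +0300] "CONNECT mail.example.org:25 HTTP/1.1" 501 215 "-" "-"
203.0.113.7 - - [10/Oct/2010:14:05:02 +0300] "GET /missing.png HTTP/1.1" 404 196 "http://example.org/" "Mozilla/5.0"'

# summarize_log FILE -> one line per client: "ip requests ok errors"
# "ok" counts 2xx/3xx responses, "errors" counts every other status.
summarize_log() {
    awk -F'"' '
        {
            split($1, pre, " ");  ip = pre[1]        # client address
            split($3, post, " "); status = post[1]   # status after the request
            req[ip]++
            if (status ~ /^[23]/) ok[ip]++; else err[ip]++
        }
        END {
            for (ip in req)
                printf "%s %d %d %d\n", ip, req[ip], ok[ip] + 0, err[ip] + 0
        }
    ' "$1" | sort
}

# unserved_clients FILE -> addresses that never received a 2xx/3xx response
unserved_clients() {
    summarize_log "$1" | awk '$3 == 0 { print $1 }'
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "client requests ok errors"
summarize_log "$tmp"
echo "clients that were served nothing:"
unserved_clients "$tmp"
rm -f "$tmp"
```

On the sample, 203.0.113.7 is a real visitor (one 200, one 404) while 198.51.100.21 and 192.0.2.88 never got anything but errors, which is the pattern the reply above describes. The quote-splitting trick assumes the log format escapes quotes inside the request field as `\"` only rarely; a line containing an escaped quote shifts the fields, so compare the request count against `wc -l` before trusting a summary of a large log.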
salasi,
Some of the IP addresses I verified were from Athens, Greece & Budapest, Hungary. I just can't imagine his server contacting these IPs when it's running, but I guess it's possible.
The 408 errors are for HTTP Request Timeout, i.e.:
The Web server (running the Web site) thinks that there has been too long an interval of time between 1) the establishment of an IP connection (socket) between the client (e.g. your Web browser) and the server and 2) the receipt of any data on that socket, so the server has dropped the connection. The request from the client must be repeated, in a timely manner.
It would be an interesting test to prevent WAN access, then restart his server to see what is logged. That would give us more detail as to where the connections originate from, depending on the message log.
Quote:
Originally Posted by lkraemer
Some of the IP addresses I verified were from Athens, Greece & Budapest, Hungary.
Yes, but he (and his server???) are in Bucharest, so they seem to be relatively local. I mean it's not exactly the list of countries most noted for hacking attempts, even though you shouldn't draw hard and fast conclusions from the country alone.
Larry, thanks for the suggestions. I think they are valuable. About the firewall, I have it set up, no problem with that. I usually am not using my web server, but recently I needed it for allowing someone to quickly transfer a big file, and not using ftp/rsync. So I allowed access to it and these messages showed up, and this has happened before. So I'll need to make more tests with it, as salasi said it might be transferring something, to be sure that those messages were not generated from that file transfer, although in this situation I do not understand why there are different IPs from the IP which was transferring the file. BTW, I do not have a router, my server/workstation just acts like one (in the iptables), but this is something else of course.
Quote:
Originally Posted by lkraemer
It would be an interesting test to prevent WAN access, then restart his server to see what is logged. That would give us more detail as to where the connections originate from, depending on the message log.
The server is always running but it is firewalled for outside access. So I do not get any messages at all.
What I can surely say is that those kinds of messages did not appear all the time in history (when the server was opened), and they appeared suddenly, nothing triggered them. For example, right now it is opened and it's ok so far. But tomorrow, or some day after, it will show up again. Strange... I still think these are just break-in attempts.
Quote:
Originally Posted by mitusf
recently I need it for allowing someone quickly transfer a big file, and not using ftp/rsync.
The easiest way would have been to limit the firewall to only allow traffic between your web server and this person's address.
Quote:
Originally Posted by mitusf
I do not understand why (..) I still think
Instead start by having sufficient data logged: firewall, Snort for signature-based scrubbing, Wireshark for packet analysis. That may help you analyze things better.
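The "limit the firewall to this person's address" advice above maps onto two iptables rules in the INPUT chain: accept the one allowed source on the service port, then drop everyone else on that port, inserted at the top so nothing earlier in the chain lets the others through. The script below is an added example, not code from the thread; the allowed address 203.0.113.45 and port 80 are constructed, and it only prints the rules unless APPLY=1 is set, since actually installing them needs root.

```shell
#!/bin/sh
# Build the iptables rules for "only this person's address may reach the
# web server": accept the one allowed source on the service port, drop
# every other source on that port. Both rules are inserted at the top of
# INPUT (-I with positions 1 and 2) so an earlier, broader ACCEPT cannot
# override them. Prints the rules by default; executes them only when
# APPLY=1 is set (requires root).

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with octets 0..255
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# web_rules ALLOWED_IP [PORT] -> prints the iptables commands, one per line
web_rules() {
    allowed=$1; port=${2:-80}
    valid_ipv4 "$allowed" || { echo "bad address: $allowed" >&2; return 1; }
    cat <<EOF
iptables -I INPUT 1 -p tcp --dport $port -s $allowed -j ACCEPT
iptables -I INPUT 2 -p tcp --dport $port -j DROP
EOF
}

# restrict_web ALLOWED_IP [PORT] -> print, or with APPLY=1 execute, the rules
restrict_web() {
    rules=$(web_rules "$1" "$2") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | while IFS= read -r line; do $line; done
    else
        printf '%s\n' "$rules"
    fi
}

# Stand-alone run: constructed allowed address, dry run (prints only).
restrict_web 203.0.113.45 80
```

Because the DROP is explicit, the restriction holds regardless of the chain's default policy; when the transfer is done, remove both rules (`iptables -D INPUT ...` with the same match) rather than leaving a stale ACCEPT for that address behind. The address check rejects anything that is not four octets in range, so a typo cannot turn into a rule that matches nothing or, worse, a trailing argument that changes the rule's meaning.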
I'm definitely not familiar enough with Linux shellcode to say whether that is part of valid shellcode, but the above are all very common instructions. As unSpawn was saying, it's hard to say much without more context...