LinuxQuestions.org
Old 10-26-2005, 01:59 PM   #1
user1442
LQ Newbie
 
Registered: Oct 2005
Distribution: Slackware 10.2
Posts: 27

Rep: Reputation: 15
Script kiddies keep hitting my apache server


Tons of stuff in my log. Googling has told me that I can fix this by doing a redirect. I think I can take care of that.

My question: is it ethical to try to connect to their systems if I don't break anything? Two particular IPs show up again and again. Remember, I am new, and this is all in the spirit of experimentation.


If this is an inappropriate question for this forum, let me know.
 
Old 10-26-2005, 02:20 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,950
Blog Entries: 11

Rep: Reputation: 860
Disallow those IPs in your /etc/hosts.deny
Quick and easy fix

I'm not sure I understand what you mean with a
redirect, and how you would get that to their machines?




Cheers,
Tink
 
Old 10-26-2005, 02:38 PM   #3
Jeebizz
Senior Member
 
Registered: May 2004
Distribution: Slackware 14.1 64-bit with multilib
Posts: 2,074

Rep: Reputation: 187
You could also report them to their own ISP: just get the names for the IP from a whois, like www.arin.net/whois, make sure you supply a log with the necessary information, and then just email it to abuse@<offendersisp>.net/com
 
Old 10-26-2005, 03:02 PM   #4
Fritz_Monroe
Member
 
Registered: Nov 2004
Location: Maryland, USA
Distribution: Mint 13
Posts: 272

Rep: Reputation: 30
As much as I'd like to tell you to connect to their machine, it's probably illegal. Best to just report it to their ISP and let them cut them off.

F_M
 
Old 10-26-2005, 04:40 PM   #5
user1442
LQ Newbie
 
Registered: Oct 2005
Distribution: Slackware 10.2
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks for the comments. I'll report them. That makes sense.

Tinkster: I found a how-to (I forgot to bookmark it; I'll find it and post it) that detailed editing one of your Apache config files to redirect certain requests. Like this:

[ip of offending punk]- - [24/Oct/2005:05:21:04 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 \xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\

I don't know if it works, as I haven't tried it (and have been using Apache for about a week).

And, Tinkster, my investigation of the things showing up in my log led to research about security, and security tools. I am *sure* you know all this stuff, but if you want we can continue this in PM, because I don't want to clutter up your board with this crap.

EDIT: The link in question: http://aplawrence.com/Blog/B1234.html

Last edited by user1442; 10-26-2005 at 05:10 PM.
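
Added example, not part of any poster's message: a Python sketch that pulls requests like the SEARCH line above out of an Apache access log and groups them by source address, giving the per-IP log excerpt that the ISP report suggested in post #3 would need. The sample log lines, the addresses (documentation ranges) and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache common log format. Addresses come from the
# documentation ranges; they are not the IPs from the thread.
SAMPLE_LOG = r'''192.0.2.10 - - [24/Oct/2005:05:21:04 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9" 414 334
198.51.100.7 - - [24/Oct/2005:06:02:11 -0400] "GET /index.html HTTP/1.1" 200 1456
192.0.2.10 - - [25/Oct/2005:03:40:52 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9" 414 334
198.51.100.7 - - [25/Oct/2005:09:15:30 -0400] "HEAD /about.html HTTP/1.1" 200 0
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)$')

# Methods a small static site normally sees (an assumption; adjust to taste).
NORMAL_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def is_probe(request):
    """Flag unusual methods, or raw bytes that Apache logged as \\xNN escapes."""
    method = request.split(" ", 1)[0]
    return method not in NORMAL_METHODS or "\\x" in request

def summarize(log_text):
    """Map source IP -> list of (timestamp, status, full line) for probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:          # truncated or malformed line: skip it
            continue
        if is_probe(m.group("req")):
            hits[m.group("ip")].append(
                (m.group("ts"), m.group("status"), line))
    return dict(hits)

def abuse_report(log_text):
    """Render a plain-text excerpt, one block per source address."""
    out = []
    for ip, entries in sorted(summarize(log_text).items()):
        out.append(f"{ip}: {len(entries)} probe request(s), "
                   f"first {entries[0][0]}, last {entries[-1][0]}")
        out.extend("  " + line for _, _, line in entries)
    return "\n".join(out)

if __name__ == "__main__":
    print(abuse_report(SAMPLE_LOG))
```

The timestamps keep their UTC offset as logged, which lets the receiving ISP match the entries against its own records.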
 
Old 10-26-2005, 05:01 PM   #6
netcrawl
Member
 
Registered: Jan 2004
Location: British Columbia
Distribution: Slackware64 14, m0n0wall
Posts: 142

Rep: Reputation: 20
It's just an attempt to use a Windows exploit... I expect they're getting a "404" type response and nothing more. It's easier to just ignore them; it's water off a duck's back, sorta'. They'll probably give up, and even if they don't, there's no harm done.

Logrotate is your friend.
 
Old 10-27-2005, 09:42 AM   #7
NeoNero
LQ Newbie
 
Registered: Oct 2005
Location: London, UK
Distribution: Slackware 10.2
Posts: 23

Rep: Reputation: 15
I've just installed an Apache server on a spare PC to act as a low-grade web server just to learn new things. I'm a complete noob with Linux and this thread has got me thinking... what if I'm hacked??

Can someone point me to a very step-by-step guide to ensuring Apache security? I find the man pages quite intense sometimes.. though I do have a router as the first gateway in from the internet/world and it blocks all ports but 80.
 
Old 10-27-2005, 12:02 PM   #8
Harkov
Member
 
Registered: May 2004
Distribution: Ubuntu 10.04.1 LTS
Posts: 38

Rep: Reputation: 15
I don't know about an Apache security how-to, but if you're just trying to learn something about Apache, try running it on a different port than 80 or 8080. That way you won't show up in people's scans when they're scanning an IP range for those ports.

Last edited by Harkov; 10-27-2005 at 12:03 PM.
 
  

