LinuxQuestions.org
Old 07-15-2002, 12:42 AM   #1
kobe
Member
 
Registered: Jun 2002
Location: Australia
Distribution: RH 7.3 & Debian (Woody)
Posts: 30

Rep: Reputation: 15
Apache log Question


Ok ppl....

I have got my Apache server up and operational; I am now in the process of securing my system.

I am wondering if anyone can shed some light on these log (HTTP log) entries:

1)

199.0.42.10 - - [15/Jul/2002:01:51:12 +1000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

2)

adsl-66.110.147-167.globetrotter.net - - [15/Jul/2002:13:53:19 +1000] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 357


Also, I am wondering how I can stop a person viewing my website by blocking their IP address? Is this possible, and how? Any information regarding the securing of an Apache webserver would also be helpful!!

By the way, it is Apache 1.3 on a Red Hat 7.3, kernel 2.4.18-3 system.


thanx
 
Old 07-15-2002, 01:15 AM   #2
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 56
As for logs, you can just laugh at them - some script kiddie is trying IIS tricks on your Linux box - he/she is trying to get a DOS prompt with administrator privileges if possible, but he/she is stupid enough to do social engineering first - to find out what OS is running and what the webserver is. As for blocking IPs and securing your box, I suggest browsing http://www.linuxsecurity.org and http://www.securityfocus.com, especially their bugtraq section, and many, many other web security related sites - meaning do some googling.
Cheers
 
Old 07-15-2002, 03:11 AM   #3
kobe
Member
 
Registered: Jun 2002
Location: Australia
Distribution: RH 7.3 & Debian (Woody)
Posts: 30

Original Poster
Rep: Reputation: 15
ok cool......

another quick question:

Does the hosts.deny file stop people from accessing your machine (and webserver)????


Also, what is the format for the hosts.deny file....

I know DENY ALL....

any help is much appreciated!!!
 
Old 07-15-2002, 03:03 PM   #4
_stef_
Member
 
Registered: Apr 2002
Location: Bosnia and Herzegovina
Distribution: Debian&M$Win*
Posts: 39

Rep: Reputation: 15
You have the file /etc/httpd/conf/httpd.conf.
There you should search for your domain options,
something like this:
<Directory /home/*/public_html>
.
.
.
Allow from <addresses that should be allowed>
Deny from <ip addresses that should be denied>
.
.
.
</Directory>
 
Old 07-16-2002, 06:09 AM   #5
kobe
Member
 
Registered: Jun 2002
Location: Australia
Distribution: RH 7.3 & Debian (Woody)
Posts: 30

Original Poster
Rep: Reputation: 15
cheers bro for that response....just what i needed!!!
thanx for ur time!
 
Old 07-16-2002, 09:21 AM   #6
_stef_
Member
 
Registered: Apr 2002
Location: Bosnia and Herzegovina
Distribution: Debian&M$Win*
Posts: 39

Rep: Reputation: 15
I forgot to tell you that you have to restart your Apache after these modifications (not the computer). So, you have to search for the script httpd and execute it with parameter stop, then with parameter start (you can also do it at once with parameter restart).

It depends on your system where that file is, but you should search in /etc/rc.d/*

One more thing: when you find that script, run it like /etc/rc.d/*/httpd <restart>, not just like httpd <restart>, because this will probably start httpd from your "path" and nothing happens (that is the case in Red Hat; I don't know if it is like that in other distros, but it is easier just to do the right thing).

HUH! I'm tired now from all these words...
 
Old 07-16-2002, 03:09 PM   #7
Rashkae
Member
 
Registered: May 2002
Distribution: Slackware
Posts: 125

Rep: Reputation: 15
Just so you know, those messages you described are not really script kiddies, but are actually computers infected with Code Red or Nimda or some variant thereof trying to spread themselves around.. There's no point trying to block the IP addresses; you'll die of old age before you stem the flood.

It does, however, become important to have a logrotate routine properly configured; otherwise, log files now become uncomfortably large.
 
Old 07-22-2002, 04:02 AM   #8
kobe
Member
 
Registered: Jun 2002
Location: Australia
Distribution: RH 7.3 & Debian (Woody)
Posts: 30

Original Poster
Rep: Reputation: 15
hmmm...thanx...would never have thought of that!!!
 
Old 09-03-2002, 10:55 AM   #9
BaerRS
Member
 
Registered: Oct 2001
Location: Columbus, Ohio
Distribution: all.. but mainly SuSe--- looks like it changing to Red Hat
Posts: 119

Rep: Reputation: 15
A little late.. but this should do what you need...

I had the same problem, as far as my Apache log file filling up with hits from insecure IIS boxes...

I created WormBlock for my personal use; if you think you could benefit from it as well, then by all means use it. I was sick and tired (to say the least) of all the crap I was getting in my Apache log file from unsecured boxes on the internet, mostly home users on DSL or cable modems. I was getting around 25M of log files every 3 days, and this is not a public site... just my personal space. I'm thinking about posting all the IPs of the infected computers, and having a way so you can post yours so we could all share the IPs... therefore we would not have to wait till they pollute the log files before we block them.

If you would like to check it out, it's at:

http://wormblock.sourceforge.net
 
Old 09-03-2002, 08:22 PM   #10
Half_Elf
LQ Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 46
Ok, is that safe? I don't want to have a 25M iptables script instead of a 25M apache log.
 
Old 09-05-2002, 10:23 AM   #11
BaerRS
Member
 
Registered: Oct 2001
Location: Columbus, Ohio
Distribution: all.. but mainly SuSe--- looks like it changing to Red Hat
Posts: 119

Rep: Reputation: 15
That has not happened...
I have about 320 addresses causing all the problems... each time one of the addresses hits my box, it's usually about 20-30 hits depending on the version of the worm, and multiple times a day, on avg. about 5 times a day per address. You add that up... 32,000-48,000 hits a day that it is blocking.
 
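A small log checker, added here as an example and not posted by anyone in the thread: it parses Common Log Format lines like the two kobe quoted (reproduced as constructed sample input, plus one ordinary request), double-decodes the request path so the %255c sequences become the backslashes Rashkae's Code Red / Nimda explanation refers to, flags the traversal-to-cmd.exe probe, tallies probes per source host the way BaerRS describes WormBlock counting hits per address, and renders "Deny from" lines for the httpd.conf <Directory> block _stef_ showed. All function names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample input modelled on the two entries kobe quoted, plus one
# ordinary request so the checker has something it must NOT flag.
SAMPLE_LOG = """\
199.0.42.10 - - [15/Jul/2002:01:51:12 +1000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
adsl-66.110.147-167.globetrotter.net - - [15/Jul/2002:13:53:19 +1000] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 357
10.0.0.5 - - [15/Jul/2002:14:00:00 +1000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def decode_path(raw_path: str) -> str:
    """Undo double URL-encoding: %255c -> %5c -> backslash; lower-case for matching."""
    return unquote(unquote(raw_path)).lower()

def is_iis_worm_probe(decoded_path: str) -> bool:
    """True for the Code Red / Nimda style traversal that tries to reach cmd.exe."""
    traversal = "../" in decoded_path or "..\\" in decoded_path
    return traversal and "cmd.exe" in decoded_path

def parse_line(line: str):
    """Split one CLF line into its fields; returns None for lines that do not parse."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    parts = request.split()          # the first sample has no HTTP version field
    raw_path = parts[1] if len(parts) >= 2 else ""
    return {"host": host, "time": when, "path": decode_path(raw_path), "status": int(status)}

def worm_probe_hits(log_text: str) -> Counter:
    """Count cmd.exe traversal probes per source host (the tally a WormBlock-style tool acts on)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_iis_worm_probe(rec["path"]):
            hits[rec["host"]] += 1
    return hits

def deny_directives(hits: Counter, threshold: int = 1) -> list:
    """Render 'Deny from' lines for an httpd.conf <Directory> block, one per offending host."""
    return [f"Deny from {host}" for host, n in sorted(hits.items()) if n >= threshold]
```

Feed it a real access_log instead of SAMPLE_LOG and raise the threshold to ignore one-off hits; as Rashkae notes, the list will keep growing, so logrotate matters more than the block list.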
Old 09-05-2002, 10:53 AM   #12
Half_Elf
LQ Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 46
WOW...
Thanx BaerRS I will try it
 