Also, I am wondering how I can stop a person viewing my website by blocking their IP address? Is this possible, and how? Any information regarding the securing of an Apache webserver would also be helpful!!
By the way, it is Apache 1.3 on a Red Hat 7.3 kernel 2.4.18-3 system.
As for logs, you can just laugh at them - some script-kiddie is trying IIS tricks on your Linux box - he/she is trying to get a DOS prompt with administrator privileges if possible, but he/she is stupid enough to do social engineering first - to find out what OS is running and what the webserver is. As for blocking IPs and securing your box, I suggest you browse http://www.linuxsecurity.org and http://www.securityfocus.com, especially their bugtraq section, and many, many other web security related sites - meaning, do some googling.
Cheers
You have the file /etc/httpd/conf/httpd.conf
There you should search for your domain options,
something like this:
<Directory /home/*/public_html>
.
.
.
Allow from <addresses that should be allowed>
Deny from <ip addresses that should be denied>
.
.
.
</Directory>
I forgot to tell you that you have to restart your Apache after these modifications (not the computer). So, you have to search for the script httpd and execute it with the parameter stop, then with the parameter start (you can also do it at once with the parameter restart).
Where that file is depends on your system, but you should search in /etc/rc.d/*
One more thing: when you find that script, run it like /etc/rc.d/*/httpd <restart>, not just like httpd <restart>, because this will probably start httpd from your "path" and nothing happens (that is the case in Red Hat; I don't know if it is like that in other distros, but it is easier just to do the right thing).
Just so you know, those messages you described are not really script kiddies, but are actually computers infected with Code Red or Nimda or some variant thereof trying to spread themselves around. There's no point trying to block the IP addresses; you'll die of old age before you stem the flood.
It does, however, become important to have a logrotate routine properly configured, otherwise, log files now become uncomfortably large.
A little late.. but this should do what you need...
I had the same problem, as far as my Apache log file filling up with hits from unsecure IIS boxes...
I created WormBlock for my personal use; if you think it could benefit from it as well, then by all means use it. I was sick and tired (to say the least) of all the crap I was getting in my Apache log file from unsecured boxes on the internet, mostly home users on DSL or cable modems. I was getting around 25M of log files every 3 days, and this is not a public site... just my personal space. I'm thinking about posting all the IPs of the infected computers, and having a way so you can post yours so we could all share the IPs... therefore we would not have to wait till they pollute the log files before we block them.
That has not happened...
I have about 320 addresses causing all the problems... each time one of the addresses hits my box, it's usually about 20 - 30 hits depending on the version of the worm, and multiple times a day, on an avg. about 5 times a day per address. You add that up: 32,000 - 48,000 hits a day that it is blocking.
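
An added example, not part of the thread and not the WormBlock tool mentioned above: a small log triage script that counts Code Red / Nimda style probe requests per client in an Apache access log and renders the matching `Deny from` lines for httpd.conf. The signature list, the function names and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Request paths typical of Code Red (default.ida) and Nimda (cmd.exe, root.exe)
# probes aimed at IIS. This signature list is an assumption of the example.
WORM_PATTERNS = re.compile(r"(default\.ida|cmd\.exe|root\.exe)", re.IGNORECASE)

# Apache common/combined log format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2002:10:01:02 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [12/Sep/2002:10:01:05 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [12/Sep/2002:10:01:06 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
203.0.113.5 - - [12/Sep/2002:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [12/Sep/2002:10:02:09 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
garbage line that is not in log format
"""

def worm_hits(lines):
    """Count worm-probe requests per client address; skip unparsable lines."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and WORM_PATTERNS.search(m.group(2)):
            hits[m.group(1)] += 1
    return hits

def deny_lines(hits, threshold=1):
    """Render 'Deny from' directives for clients at or above the threshold."""
    # Only emit values that look like IPv4 addresses, so a hostname or a
    # malformed log field never ends up pasted into httpd.conf.
    ipv4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
    return ["Deny from %s" % ip for ip, n in sorted(hits.items())
            if n >= threshold and ipv4.match(ip)]

if __name__ == "__main__":
    hits = worm_hits(SAMPLE_LOG.splitlines())
    for ip, n in hits.most_common():
        print("%-15s %d probe requests" % (ip, n))
    print("\n".join(deny_lines(hits)))
```

To run it against a real log, pass an open file object for the access log to `worm_hits` instead of the sample lines.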