LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-11-2015, 06:37 AM   #1
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Rep: Reputation: Disabled
Hack attempt question


I have a personally written firewall monitor program that automatically drops any ip that gets a 404. I noticed something strange that I was wondering if anyone could explain. Here is a record that had been correctly dropped by my monitor program successfully:

91.238.134.99 - - [10/Jan/2015:21:54:07 +0000] "GET http://pl.wikipedia.org" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

However, this record somehow didn't get a 404, but got a code of 200:
173.44.134.140 - - [10/Jan/2015:16:00:35 +0000] "GET http://www.google.com" 200 4158 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

How is this google record getting a code of 200?
(I am now going to do a special search for 'GET http://www.google.com' and drop that ip.)

Thanks.
 
Old 01-11-2015, 09:01 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by battles View Post
I have a personally written firewall monitor program that automatically drops any ip that gets a 404.
Unless you're suffering from NIH syndrome: there's already tools that do that like fail2ban.


Quote:
Originally Posted by battles View Post
How is this google record getting a code of 200?
Since you haven't explained why it should drop on 404 (it could simply be a typo): what are you actually doing? Unless you're running some sort of open proxy you should not have accepted both queries in the first place as you unlikely are pl.wikipedia.org and certainly not www.google.com...
 
Old 01-11-2015, 12:08 PM   #3
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Original Poster
Rep: Reputation: Disabled
NIH: not invented here? Don't know the term.

I am a software engineer and write a lot of my own programs. F2B is good, but it has some inabilities that I wanted to have.

Not an open proxy and the google ip didn't get into my machine, but all hits like the wikipedia one are always given the error code of 404. I just can't figure why google gets a code of 200. It should be a 404 also.
 
Old 01-11-2015, 05:21 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by battles View Post
NIH: not invented here? Don't know the term.
The fear of using software that isn't developed in house.


Quote:
Originally Posted by battles View Post
I am a software engineer and write a lot of my own programs. F2B is good, but it has some inabilities that I wanted to have.
Good to know. What inabilities? (Just curious.)


Quote:
Originally Posted by battles View Post
Not an open proxy
If you're not running a proxy then you should not answer such queries anyway.


Quote:
Originally Posted by battles View Post
I just can't figure why google gets a code of 200. It should be a 404 also.
Post complete config?
 
Old 01-12-2015, 09:18 AM   #5
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Original Poster
Rep: Reputation: Disabled
Quote:
Good to know. What inabilities? (Just curious.)
I'm keeping that a military secret.

Post complete config?
Which config?

Thanks.
 
Old 01-12-2015, 12:38 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I'd guess Apache but basically whatever populates that log file.
 
Old 01-12-2015, 03:12 PM   #7
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Original Poster
Rep: Reputation: Disabled
I am still learning Linux and can be somewhat dense sometimes. I am using the small BOA server.

# Boa v0.94 configuration file
# File format has not changed from 0.93
# File format has changed little from 0.92
# version changes are noted in the comments
#
# The Boa configuration file is parsed with a custom parser. If it
# reports an error, the line number will be provided; it should be easy
# to spot. The syntax of each of these rules is very simple, and they
# can occur in any order. Where possible these directives mimic those
# of NCSA httpd 1.3; I saw no reason to introduce gratuitous
# differences.

# $Id: boa.conf,v 1.3.2.6 2003/02/02 05:02:22 jnelson Exp $

# The "ServerRoot" is not in this configuration file. It can be
# compiled into the server (see defines.h) or specified on the command
# line with the -c option, for example:
#
# boa -c /usr/local/boa


# Port: The port Boa runs on. The default port for http servers is 80.
# If it is less than 1024, the server must be started as root.

Port 80

# Listen: the Internet address to bind(2) to. If you leave it out,
# it takes the behavior before 0.93.17.2, which is to bind to all
# addresses (INADDR_ANY). You only get one "Listen" directive,
# if you want service on multiple IP addresses, you have three choices:
# 1. Run boa without a "Listen" directive
# a. All addresses are treated the same; makes sense if the addresses
# are localhost, ppp, and eth0.
# b. Use the VirtualHost directive below to point requests to different
# files. Should be good for a very large number of addresses (web
# hosting clients).
# 2. Run one copy of boa per IP address, each has its own configuration
# with a "Listen" directive. No big deal up to a few tens of addresses.
# Nice separation between clients.
# The name you provide gets run through inet_aton(3), so you have to use dotted
# quad notation. This configuration is too important to trust some DNS.

#Listen 192.68.0.5

# User: The name or UID the server should run as.
# Group: The group name or GID the server should run as.

User www-data
Group www-data

# ServerAdmin: The email address where server problems should be sent.
# Note: this is not currently used, except as an environment variable
# for CGIs.

#ServerAdmin root@localhost

# PidFile: where to put the pid of the process.
# Comment out to write no pid file.
# Note: Because Boa drops privileges at startup, and the
# pid file is written by the UID/GID before doing so, Boa
# does not attempt removal of the pid file.
# PidFile /var/run/boa.pid

# ErrorLog: The location of the error log file. If this does not start
# with /, it is considered relative to the server root.
# Set to /dev/null if you don't want errors logged.
# If unset, defaults to /dev/stderr
# Please NOTE: Sending the logs to a pipe ('|'), as shown below,
# is somewhat experimental and might fail under heavy load.
# "Usual libc implementations of printf will stall the whole
# process if the receiving end of a pipe stops reading."
#ErrorLog "|/usr/sbin/cronolog --symlink=/var/log/boa/error_log /var/log/boa/error-%Y%m%d.log"

ErrorLog /var/log/boa/error_log

# AccessLog: The location of the access log file. If this does not
# start with /, it is considered relative to the server root.
# Comment out or set to /dev/null (less effective) to disable.
# Useful to set to /dev/stdout for use with daemontools.
# Access logging.
# Please NOTE: Sending the logs to a pipe ('|'), as shown below,
# is somewhat experimental and might fail under heavy load.
# "Usual libc implementations of printf will stall the whole
# process if the receiving end of a pipe stops reading."
#AccessLog "|/usr/sbin/cronolog --symlink=/var/log/boa/access_log /var/log/boa/access-%Y%m%d.log"

AccessLog /var/log/boa/access_log

# CGILog /var/log/boa/cgi_log
# CGILog: The location of the CGI stderr log file. If this does not
# start with /, it is considered relative to the server root.
# The log file would contain any contents send to /dev/stderr
# by the CGI. If this is commented out, it defaults to whatever
# ErrorLog points. Set to /dev/null to disable CGI stderr logging.
# Please NOTE: Sending the logs to a pipe ('|'), as shown below,
# is somewhat experimental and might fail under heavy load.
# "Usual libc implementations of printf will stall the whole
# process if the receiving end of a pipe stops reading."
#CGILog "|/usr/sbin/cronolog --symlink=/var/log/boa/cgi_log /var/log/boa/cgi-%Y%m%d.log"

# CGIumask 027 (no mask for user, read-only for group, and nothing for user)
# CGIumask 027
# The CGIumask is set immediately before execution of the CGI.

# UseLocaltime: Logical switch. Uncomment to use localtime
# instead of UTC time
#UseLocaltime

# VerboseCGILogs: this is just a logical switch.
# It simply notes the start and stop times of cgis in the error log
# Comment out to disable.

#VerboseCGILogs

# ServerName: the name of this server that should be sent back to
# clients if different than that returned by gethostname + gethostbyname

#ServerName www.your.org.here

# VirtualHost: a logical switch.
# Comment out to disable.
# Given DocumentRoot /var/www, requests on interface 'A' or IP 'IP-A'
# become /var/www/IP-A.
# Example: http://localhost/ becomes /var/www/127.0.0.1
#
# Not used until version 0.93.17.2. This "feature" also breaks commonlog
# output rules, it prepends the interface number to each access_log line.
# You are expected to fix that problem with a postprocessing script.

#VirtualHost


# VHostRoot: the root location for all virtually hosted data
# Comment out to disable.
# Incompatible with 'Virtualhost' and 'DocumentRoot'!!
# Given VHostRoot /var/www, requests to host foo.bar.com,
# where foo.bar.com is ip a.b.c.d,
# become /var/www/a.b.c.d/foo.bar.com
# Hostnames are "cleaned", and must conform to the rules
# specified in rfc1034, which are be summarized here:
#
# Hostnames must start with a letter, end with a letter or digit,
# and have as interior characters only letters, digits, and hyphen.
# Hostnames must not exceed 63 characters in length.

#VHostRoot /var/www

# DefaultVHost
# Define this in order to have a default hostname when the client does not
# specify one, if using VirtualHostName. If not specified, the word
# "default" will be used for compatibility with older clients.

#DefaultVHost foo.bar.com

# DocumentRoot: The root directory of the HTML documents.
# Comment out to disable server non user files.

DocumentRoot /var/www

# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.

UserDir public_html

# DirectoryIndex: Name of the file to use as a pre-written HTML
# directory index. Please MAKE AND USE THESE FILES. On the
# fly creation of directory indexes can be _slow_.
# Comment out to always use DirectoryMaker

DirectoryIndex index.html

# DirectoryMaker: Name of program used to create a directory listing.
# Comment out to disable directory listings. If both this and
# DirectoryIndex are commented out, accessing a directory will give
# an error (though accessing files in the directory are still ok).

DirectoryMaker /usr/lib/boa/boa_indexer

# DirectoryCache: If DirectoryIndex doesn't exist, and DirectoryMaker
# has been commented out, the the on-the-fly indexing of Boa can be used
# to generate indexes of directories. Be warned that the output is
# extremely minimal and can cause delays when slow disks are used.
# Note: The DirectoryCache must be writable by the same user/group that
# Boa runs as.

# DirectoryCache /var/spool/boa/dircache

# KeepAliveMax: Number of KeepAlive requests to allow per connection
# Comment out, or set to 0 to disable keepalive processing

KeepAliveMax 1000

# KeepAliveTimeout: seconds to wait before keepalive connection times out

KeepAliveTimeout 10

# MimeTypes: This is the file that is used to generate mime type pairs
# and Content-Type fields for boa.
# Set to /dev/null if you do not want to load a mime types file.
# Do *not* comment out (better use AddType!)

MimeTypes /etc/mime.types

# DefaultType: MIME type used if the file extension is unknown, or there
# is no file extension.

DefaultType text/plain

# CGIPath: The value of the $PATH environment variable given to CGI progs.

CGIPath /bin:/usr/bin:/usr/local/bin

# SinglePostLimit: The maximum allowable number of bytes in
# a single POST. Default is normally 1MB.

# AddType: adds types without editing mime.types
# Example: AddType type extension [extension ...]

# Uncomment the next line if you want .cgi files to execute from anywhere
#AddType application/x-httpd-cgi cgi

# Redirect, Alias, and ScriptAlias all have the same semantics -- they
# match the beginning of a request and take appropriate action. Use
# Redirect for other servers, Alias for the same server, and ScriptAlias
# to enable directories for script execution.

# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Example: Redirect /bar http://elsewhere/feh/bar

# Aliases: Aliases one path to another.
# Example: Alias /path1/bar /path2/foo

Alias /doc /usr/share/doc

# ScriptAlias: Maps a virtual path to a directory for serving scripts
# Example: ScriptAlias /htbin/ /www/htbin/

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 
Old 01-12-2015, 04:18 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
If you 'grep -v ^# boa.config | grep .;' then there's nothing left that could explain its behaviour. Boa is "simple" in the sense that it does not offer any restrictions, it's way old and no longer maintained. Unless you're only studying things locally (meaning no impact on others) I'd suggest moving to something small that's still maintained like say thttpd.
 
Old 01-12-2015, 04:30 PM   #9
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 258

Original Poster
Rep: Reputation: Disabled
"Unless you're only studying things locally (meaning no impact on others)..."
Yes, this is me. I will look into thttpd. I wanted something very simple, so I went with BOA. I'll probably switch.

Thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Hack attempt ? minty33 Linux - Security 13 07-01-2013 08:43 PM
question about hack attempt danff Linux - Security 3 11-07-2007 02:28 AM
Possible Hack Attempt baddah Linux - Security 19 09-28-2007 07:23 AM
Hack Attempt? keysorsoze Linux - Security 6 05-18-2007 11:32 PM
newbie question: do these logs show a hack attempt lucastic Linux - Security 4 08-13-2003 08:07 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration