404 error attack
Dear All,
I found these log entries. The intruder actually knows the exact path and file name and also the GET value which the programme is supposed to accept. I have secured it where, at the very top, I check if the session values are set and not empty. Is there anything else that can be hardened here on Linux? I guess possibly they have sniffed the link, maybe from some attacked PC; could that be the reason they got the exact links? Code:
207.182.143.146 - - [13/Nov/2013:18:11:11 +0800] "GET /folder2/v....php?ui=8090 HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"
Hi
Install & configure "iptables" (firewall) and then install "fail2ban" and configure it to 1) recognize the faulty attempts in your apache (or whatever you're using) logfile and 2) block access from that IP number after more than X attempts.
http://www.htaccess-guide.com/deny-v...by-ip-address/
Funny, are you hiding the software they are GET'ing for a reason? If they knew it was there, they wouldn't need to GET folder2/... folder1/... So I think it's a scan for vulnerable software.
As stated above, it is just a scan. I get tons of those as well. You can also use iptables in the newer kernels to drop packets matching strings. For example, my biggest issue is w00tw00t and ZmEu scans, but really not too much of an issue since they never find what they are after. You can then use iptables to check for strings like zmeu and make it drop those packets.
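Pearl's advice (have fail2ban count failed attempts per IP in the Apache log and ban after X of them) and Ericson's advice (match known scanner strings such as w00tw00t and ZmEu) are both detection rules over the same log line format the original post shows. The following is an added example, not code from the thread or from fail2ban, that implements both rules in Python over a few constructed Apache combined-format lines: a sliding-window 404 counter per client IP with fail2ban-style `maxretry`/`findtime` parameters, plus a signature check on the request path and User-Agent. The `SCANNER_MARKERS` list, the sample addresses other than 207.182.143.146, and the thresholds are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format, the same layout as the line posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed scanner fingerprints: the two names mentioned in the thread.
SCANNER_MARKERS = ("w00tw00t", "zmeu")

# Constructed sample log (not real traffic): one client producing five 404s in
# a few seconds, one client sending a scanner signature, and ordinary 200s.
SAMPLE_LOG = """\
207.182.143.146 - - [13/Nov/2013:18:11:11 +0800] "GET /folder2/v.php?ui=8090 HTTP/1.1" 404 224 "-" "Mozilla/5.0"
207.182.143.146 - - [13/Nov/2013:18:11:12 +0800] "GET /folder1/v.php?ui=8090 HTTP/1.1" 404 224 "-" "Mozilla/5.0"
207.182.143.146 - - [13/Nov/2013:18:11:13 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 224 "-" "Mozilla/5.0"
207.182.143.146 - - [13/Nov/2013:18:11:14 +0800] "GET /pma/ HTTP/1.1" 404 224 "-" "Mozilla/5.0"
207.182.143.146 - - [13/Nov/2013:18:11:15 +0800] "GET /myadmin/ HTTP/1.1" 404 224 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2013:18:12:00 +0800] "GET /w00tw00t.at.example:) HTTP/1.1" 404 224 "-" "ZmEu"
198.51.100.7 - - [13/Nov/2013:18:40:00 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Nov/2013:18:12:30 +0800] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


class NotFoundTracker:
    """Per-IP sliding-window counter of 404 responses (fail2ban-style findtime/maxretry)."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.hits = defaultdict(deque)  # ip -> timestamps of recent 404s
        self.banned = set()

    def observe(self, rec):
        """Return the IP when this record tips it over the threshold, else None."""
        if rec["status"] != 404:
            return None
        ip, ts = rec["ip"], rec["ts"]
        window = self.hits[ip]
        window.append(ts)
        # Drop hits older than findtime so a slow trickle of 404s never bans anyone.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry and ip not in self.banned:
            self.banned.add(ip)
            return ip
        return None


def looks_like_scanner(rec):
    """True when the request path or User-Agent carries a known scanner marker."""
    haystack = (rec["path"] + " " + rec["ua"]).lower()
    return any(marker in haystack for marker in SCANNER_MARKERS)


def analyze(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Run both rules over log lines; returns IPs to ban and signature hits in order seen."""
    tracker = NotFoundTracker(maxretry, findtime)
    to_ban, signatures = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the pipeline
        if looks_like_scanner(rec):
            signatures.append((rec["ip"], rec["path"]))
        ip = tracker.observe(rec)
        if ip:
            to_ban.append(ip)
    return {"ban": to_ban, "signatures": signatures}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip in result["ban"]:
        print(f"ban {ip}: too many 404s inside the window")
    for ip, path in result["signatures"]:
        print(f"scanner signature from {ip}: {path}")
```

The 404 counter deliberately ignores anything that is not a 404, which matches Habitual's later point that a real 200 would not be "noise" you want to ban on, and the window keeps a legitimate user who mistypes a URL now and then from being locked out.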
Quote:
Code:
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "w00tw00t" --to 1000 -j DROP
Any performance hit on the system doing so? I saw an example without the "--to 1000" and, to be honest, I'm not sure what that does. Thanks.
Dear Pearl,
I have both iptables and fail2ban running. Unfortunately my hosting guy turned off iptables, saying it is not required as we have a hardware-based firewall. Anyway, I am gonna turn it on, so what extra line can I put in it so that it recognizes this sort of activity, and the same goes for fail2ban?
Dear Habitual,
You suggested the .htaccess method, but some articles are saying don't use .htaccess as it can create vulnerabilities too. Yes, I hide my software, but it's very funny how they know the exact GET variable. I don't think a scanner can do such exact matching, right? Could it be they have hacked into some PC which has used these exact links with the GET variables, so they are re-running them?
@Habitual
I don't really see that there is much of a performance hit. The system is not so busy; I am running a small online training site for my business, but most students don't bother using it. So the greatest amount of traffic I see is those types of hits. I would think theoretically it should use fewer resources than apache starting a worker thread and writing a 404, since packets are dropped before reaching the server. The virtual processor seems to be sitting around mostly at 0 - 0.46 at max utilization. That is pretty much what it was before, and it hits that peak when scanned and when cron starts to run. The 1000 just makes it lighter on resources by inspecting the first 1000 bits. Generally the engine details would be found in that part of the packet.

@newbie14 I would suggest getting that iptables up and going. It fits right in with a multi-layered security approach. Your I.T. guy is gonna get bitten one day. The .htaccess might be the only thing you have available, depending on your hosting provider. If you can, it is better to define variables in your config file for the host. It will be better protected and, as a benefit, will have a slight performance benefit by not having to read the .htaccess every time an operation is performed. And no, they don't get exact matches if you get 404 errors. If it was an exact match, it would be a 200 code. If you serve folders publicly and left the default http config, then your folders can be indexed. Scanners can traverse directories and just try tons of things. You won't believe how many variations I saw last month with a scanner checking for phpmyadmin. There was one day with almost 400 variations of directories they tried.
Dear Ericson,
Part of iptables is as below. Is there anything extra I should add to this? Quote:
I have removed the indexes from day one, where it will give this Quote:
Quote:
Code:
<Files .htaccess>
    # Block web access to .htaccess itself. The post shows only the opening line;
    # the directives below are the standard Apache 2.2 body for this block (assumed).
    Order allow,deny
    Deny from all
</Files>
Code:
chmod 444 /path/to/.htaccess
Quote:
Standard installs of standardized programs create standardized attack vectors.
Dear Habitual,
I read the article some time ago, sorry for the misinformation. Actually my application is login based. That is why on every page I check for the session values. So do you think .htaccess will incur an extra login, right? As I mentioned to Ericson, I know why they didn't get an exact match: it is because my names have a few upper case letters whereas theirs were all lower case, but trust me, it was an exact match, even with the GET variable. This is what worries me: what and how do you think they got those links? How to stop the scanner? Will the indexing itself help?
Quote:
If you don't care to post a "complete couple of lines from the log", then PM me a few of them and we can see what the pattern may be to the scan. If this is a Public-facing site, then perhaps you can allow me to know it via PM and I can use some detective skills.fu to see what's up there? Code:
deny from xxx.xx.xxx.xxx
Code:
# END WordPress
As I have said, the intruder does NOT know "exactly" anything, else those 404s would be 200s.
Dear Habitual,
No, it's not a public-facing site. So can I email you? That will be best. Yes, I do have root access to it, but I don't use it. I use key-based login.
Quote:
But how does 207.182.143.146 reach it if it's not public-facing, then? Subscribed with interest...