Linux - Security
This forum is for all security related questions.
Dear All,
I found these log entries. The intruder actually knows the exact path and file name and also the GET value which the programme is supposed to accept. I have secured it: at the very top I check that the session values are set (isset) and not empty. Is there anything else that can be hardened here on Linux? I guess possibly they have sniffed the link, maybe from some attacked PC; could that be the reason they got the exact links?
Install and configure "iptables" (firewall), then install "fail2ban" and configure it to 1) recognize the faulty attempts in your Apache (or whatever you're using) logfile and 2) block access from that IP number after more than X attempts.
As stated above, it is just a scan. I get tons of those as well. You can also use iptables in the newer kernels to drop packets matching strings. For example, my biggest issue is w00tw00t and zmEu scans, but really not too much of an issue since they never find what they are after. You can then use iptables to check for strings like zmeu and make it drop those packets.
Last edited by ericson007; 11-14-2013 at 05:04 PM.
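The two suggestions above (fail2ban counting bad attempts per IP in the Apache log, and matching scanner strings such as w00tw00t and ZmEu) can be shown in one small script. The following is an added example, not code from either poster or from fail2ban: it parses constructed Apache combined-format log lines, counts 4xx hits per source IP whose path or user agent carries a scanner signature, and renders the iptables DROP rule a ban action would run once the count reaches a threshold (fail2ban's maxretry). The log lines, IP addresses and signature list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not taken from the
# thread); 203.0.113.7 behaves like the w00tw00t/ZmEu scanners discussed above.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2013:10:01:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "ZmEu"
203.0.113.7 - - [14/Nov/2013:10:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 208 "-" "ZmEu"
203.0.113.7 - - [14/Nov/2013:10:01:03 +0000] "GET /pma/ HTTP/1.1" 404 208 "-" "ZmEu"
203.0.113.7 - - [14/Nov/2013:10:01:04 +0000] "GET /myadmin/ HTTP/1.1" 404 208 "-" "ZmEu"
198.51.100.4 - - [14/Nov/2013:10:02:10 +0000] "GET /course/view.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Nov/2013:10:02:11 +0000] "GET /missing.css HTTP/1.1" 404 208 "-" "Mozilla/5.0"
"""

# One regex for the combined format: client IP, timestamp, request line,
# status, size, referer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Case-insensitive substrings identifying the scanners named in the thread
# (w00tw00t, ZmEu) and the phpMyAdmin probes. The same strings could feed an
# iptables "-m string --algo bm --string ..." rule or a fail2ban failregex.
SCANNER_SIGNATURES = ("w00tw00t", "zmeu", "phpmyadmin", "myadmin", "/pma/")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scanner_hit(entry):
    """A hit is a client error (4xx) whose path or user agent carries a known
    scanner signature; a plain 404 for a missing stylesheet is not one."""
    status = int(entry["status"])
    if not 400 <= status < 500:
        return False
    haystack = (entry["path"] + " " + entry["ua"]).lower()
    return any(sig in haystack for sig in SCANNER_SIGNATURES)


def hit_counts(log_text):
    """Count scanner hits per source IP, like fail2ban's per-IP failure tally."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_scanner_hit(entry):
            counts[entry["ip"]] += 1
    return dict(counts)


def offenders(log_text, threshold=3):
    """IPs with at least 'threshold' hits, i.e. the ones a fail2ban jail with
    maxretry = threshold would ban."""
    return sorted(ip for ip, n in hit_counts(log_text).items() if n >= threshold)


def block_rules(ips):
    """Render the iptables command a ban action would run for each offender."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("offenders:", bad)
    for rule in block_rules(bad):
        print(rule)
```

The signature list is deliberately coarse (substring matches), which is the same trade-off an iptables string match makes; the per-IP threshold is what keeps a single stray 404 from a real visitor from being treated as a scan.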
Quote:
my biggest issue is w00tw00t and zmEu scans, but really not too much of an issue since they never find what they are after. You can then use iptables to check for strings like zmeu and make it drop those packets
Dear Pearl,
I have both iptables and fail2ban running. Unfortunately my hosting guy turned off the iptables, saying it is not required as we have the hardware-based firewall. Anyway, I am going to turn it on, so what extra line can I put in it so that it recognizes this sort of activity, and the same goes for fail2ban?
Dear Habitual,
You suggested the .htaccess method, but some articles are saying don't use .htaccess as it can create vulnerabilities too. Yes, I hide my software, but it's very funny how they know the exact GET variable; I don't think a scanner can do such exact matching, right? Could it be they have hacked into some PC that has used these exact links with the GET variables, so they are re-running them?
I don't really see that there is much of a performance hit. The system is not so busy; I am running a small online training site for my business, but most students don't bother using it. So the greatest amount of traffic I see is those types of hits.
I would think theoretically it should use fewer resources than Apache starting a worker thread and writing a 404, since the packets are dropped before reaching the server.
The virtual processor seems to be sitting around mostly at 0 - 0.46 at max utilization. That is pretty much what it was before, and it hits that peak when scanned and when cron starts to run.
The 1000 just makes it lighter on resources by inspecting the first 1000 bits. Generally the engine details would be found in that part of the packet.
@newbie14
I would suggest getting that iptables up and going. It fits right in with a multi-layered security approach. Your IT guy is gonna get bitten one day.
The .htaccess might be the only thing you have available, depending on your hosting provider. If you can, it is better to define variables in your config file for the host. It will be better protected and, as a benefit, will have a slight performance gain by not having to read the .htaccess every time an operation is performed.
And no, they don't get exact matches if you get 404 errors. If it was an exact match, it would be a 200 code.
If you serve folders publicly and left the default http config, then your folders can be indexed. Scanners can traverse directories and just try tons of things.
You won't believe how many variations I saw last month with a scanner checking for phpmyadmin. There was one day with almost 400 variations of directories they tried.
Last edited by ericson007; 11-15-2013 at 01:05 AM.
Dear Ericson,
Part of my iptables is as below. Anything extra I should add to this?
Quote:
# TCP only accept HTTP and HTTPS
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 80,443 -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "IN_HTTP "
# ...and limit the amount of new requests:
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 80,443 -m limit --limit 16/sec --limit-burst 4 -j ACCEPT
#
What do you mean by this: "If you can it is better to define variables in your config file for the host." Which config do you mean here, the httpd.conf? Yes, I know why they didn't get an exact match: my names have a few upper-case letters whereas theirs were all lower case, but trust me, it was an exact match even with the GET variable. This is what worries me: how do you think they would have got those links?
I have removed the indexes from day one, so it gives this:
Quote:
error Forbidden
You don't have permission to access /folder1/ on this server.
So I don't know how they can traverse my folders if the indexes have been off from day one. Yes, I get tons of those phpmyadmin and even cgi-bin variations; luckily all failed, and I stopped using phpMyAdmin on this machine as I got attacked before this. I use it only on a LAN-access machine.
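The two rules quoted above (a LOG limited to 1/min with burst 3, then an ACCEPT limited to 16/sec with burst 4) are easier to reason about when the limit module's token bucket is written out. The following is an added example, not code from the thread or from netfilter: it models the limit match as a bucket that starts full at the burst size, refills at the configured rate, and matches only while a token is left, then walks constructed connection-arrival times through both rules. It assumes that anything the ACCEPT rule does not match falls to a DROP policy, which the quoted fragment does not show.

```python
class LimitMatch:
    """Token bucket with the semantics of the iptables 'limit' match: the
    bucket starts full with 'burst' tokens, refills at 'rate' tokens per
    second up to 'burst', and a packet matches only when a token is left."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)   # full bucket at rule-load time
        self.last = 0.0              # time of the previous packet (seconds)

    def matches(self, now):
        # Refill for the time elapsed since the previous packet (arrivals are
        # expected in ascending order), then try to spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, log_rate=1.0 / 60, log_burst=3, accept_rate=16.0, accept_burst=4):
    """Walk NEW-connection arrival times (seconds, ascending) through the two
    quoted rules: a non-terminating LOG limited to 1/min burst 3, then an
    ACCEPT limited to 16/sec burst 4. A packet the ACCEPT rule skips is
    counted as dropped (assumed DROP policy; the quoted chain does not show it)."""
    log_limit = LimitMatch(log_rate, log_burst)
    accept_limit = LimitMatch(accept_rate, accept_burst)
    result = {"logged": 0, "accepted": 0, "dropped": 0}
    for t in arrivals:
        if log_limit.matches(t):
            result["logged"] += 1       # LOG does not stop rule traversal
        if accept_limit.matches(t):
            result["accepted"] += 1
        else:
            result["dropped"] += 1
    return result


if __name__ == "__main__":
    # Constructed traffic: 40 SYNs in the same instant (a scanner burst)
    # versus 40 SYNs evenly spaced at exactly 16 per second.
    print("instant burst :", simulate([0.0] * 40))
    print("16/sec spaced :", simulate([i * 0.0625 for i in range(40)]))
```

The run shows the point of the two rules: a scanner that fires 40 connection attempts at once gets only the burst of 4 accepted and 3 log lines (so the log cannot be flooded either), while a client that stays at or under 16 new connections per second is never throttled.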
Quote:
Originally Posted by newbie14
Dear Habitual,
You suggested the .htaccess method but some articles are saying don't use .htaccess as it can create vulnerabilities too.
Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
in .htaccess.
Code:
chmod 444 /path/to/.htaccess
and I'd like to know where you are reading that nonsense.
Quote:
Originally Posted by newbie14
Yes I hide my software but its very funny how do they know the exact get variable I dont think so its a scanner can do so exact matching right? Could it be they have hacked into some pc who have used this exact links with the get variables so they re-running it ?
Hard to tell without a complete couple of lines from the log.
Standard installs of standardized programs create standardized attack vectors.
Dear Habitual,
I read an article some time ago; sorry for the misinformation. Actually my application is login based. That is why on every page I check for the session values. So do you think .htaccess will incur an extra login, right? As I mentioned to ericson, I know why they didn't get an exact match: my names have a few upper-case letters whereas theirs were all lower case, but trust me, it was an exact match even with the GET variable. This is what worries me: how do you think they would have got those links? How to stop the scanner; will the indexing itself help?
No worries.
If you don't care to post a "complete couple of lines from the log", then PM me a few of them and we can see what the pattern may be to the scan.
If this is a Public-facing site, then perhaps you can allow me to know it via PM and I can use some detective skills.fu to see what's up there?
Code:
# With "Order allow,deny" the Allow directives are evaluated first and the
# Deny directives override them, so the listed host is refused and everyone
# else is allowed. (Writing "deny from X" followed by "allow from all" under
# the default "Order deny,allow" would let X through, since Allow wins there.)
Order allow,deny
Allow from all
Deny from xxx.xx.xxx.xxx
and if there is a pattern to the scan, we could perhaps deny all except for 'valid' hosts/IPs, such as this WordPress .htaccess configuration that prevents unauthorized logins/access to wp-login.php:
Code:
# END WordPress
<Files wp-login.php>
order deny,allow
deny from all
# M's Office
allow from xx.xxx.xxx.xxx
# J's house
Allow from xxx.xx.xx.xx
</Files>
Do you have root access to the server?
As I have said, the intruder does NOT know "exactly" anything, else those 404s would be 200s.
Dear Habitual,
No, it's not a public-facing site. So can I email you? That will be best. Yes, I do have root access to it but I don't use it. I use key-based login.
That's mostly good news.
But how does 207.182.143.146 reach it if it's not public-facing then?