404 error attack

newbie14 · 11-15-2013, 11:18 AM

Dear Habitual,
My apology yes its facing public but is password protected. I got things mixed up.

Habitual · 11-15-2013, 11:26 AM

Quote:

Originally Posted by newbie14

Dear Habitual,
My apology yes its facing public but is password protected. I got things mixed up.

No need to apologize. I been at this 20 years and I get mixed up all the time.
How is this "password protection" utilized?

.htpasswd?

newbie14 · 11-15-2013, 11:30 AM

Dear Habitual,
Which password you mean? You mean the machine password or the application. I never utilized .htpasswd. I am still newbie in hardening and security learning to improvise and apply.

Habitual · 11-15-2013, 11:31 AM

How is the "password protection" implemented for the application?

newbie14 · 11-15-2013, 11:34 AM

Dear Habitual,
For the application its purely mysql db storing it. So I just run a check on the username and password. I got to admit its now clear text and I was soo busy doing all other hardening on the server I forgot to change this to hashing based. Now I am learning on best hashing.

Habitual · 11-15-2013, 11:39 AM

an application password does NOT prevent scans on the web's DocumentRoot.

Like I asked, send me a PM of some of the complete couple of lines from the apache|httpd logs

newbie14 · 11-15-2013, 11:44 AM

Dear Habitual,
Ok I just sent you test pm. I dont know it reached you if yes then I am preparing the full logs of this activity to send over.

Habitual · 11-15-2013, 12:46 PM

OK. PM replied to...

newbie14 · 11-15-2013, 01:00 PM

Dear Habitual,
I have replied with the required information.

---------- Post added 11-16-13 at 03:01 AM ----------

Dear Habitual,
I have replied with the required information.

Habitual · 11-15-2013, 01:04 PM

Great. Give me some time to analyze. I have a full-time Job.

newbie14 · 11-15-2013, 01:06 PM

Dear Habitual,
Is ok take your time but do guide me and share me to knowledge in this line.

Habitual · 11-16-2013, 03:22 PM

I don't believe there's anything in those logs to worry about.
You can either block that IP using .htaccess or iptables.
http://www.htaccess-guide.com/deny-v...by-ip-address/

Code:

iptables -I INPUT -s 207.182.143.146 -j DROP

The scans are nothing out of the ordinary.

I'd use an "deny from 207.182.143.146" in .htaccess explained in the link above and keep an eye on the logs for a few days.

Good luck.

newbie14 · 11-17-2013, 12:09 AM

Dear Habitual,
To my surprise how could they guess so well the names and even the exact get query input? This puzzles me till now. I have been monitoring there is not activity from this ip or this sort for now. Where to store this .htacces is it in my /var/html or /var/html/myfolder?

Habitual · 11-17-2013, 08:08 AM

The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. However, it is important to also remember that there may have been .htaccess files in directories higher up. Directives are applied in the order that they are found. Therefore, a .htaccess file in a particular directory may override directives found in .htaccess files found higher up in the directory tree. And those, in turn, may have overridden directives found yet higher up, or in the main server configuration file itself.

http://httpd.apache.org/docs/2.2/howto/htaccess.html

newbie14 · 11-19-2013, 11:24 AM

Dear Habitual,
I read here http://httpd.apache.org/docs/2.2/howto/htaccess.html it say if you have the main config file then you should us that? So what is you opinion on it? Go with .htaccess or change the main config file?