Apache server being probed for possible vulnerabilities
Crew,
Every morning I start my day browsing the logs of my server, mainly by just reading the summary sent by logwatch. If anything there concerns me I'll do a broader browse/search. Something I encounter almost every morning is the traces of someone bored looking for certain software on my server. phpMyAdmin is a good example.
Code:
...
For me it is obvious these people trying to discover what software I have installed do not have the right intentions. Can I automatically grey- or blacklist these requests? I'm aware there are packages available like snort, tripwire and others, but that is somewhat like prescribing prednisone for a simple cold. Any help is appreciated!
First one up is Snort, for the simple reason it's way down the stack, specialises in logging anomalies and attacks and has blocking capabilities through third-party utilities like Guardian, which does "aging" and can hand off blocking to iptables, route and whatever you can script. One level up it's Netfilter with modules (search some listings) like "recent" and "tarpit". Applying "aging", it's more used with general criteria for blocking like rate, because using signature matching *will* have performance implications. Finally, for the webserver itself you should have mod_security running anyway and a choice of tools like mod_evasive, one of the log-reading ssh-blocking tools (some work for anything they can read logs from) or the apachesecurity tools. That's about it; anything I forgot I hope somebody else will chip in or correct me on.
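A minimal log-reading blocker of the kind the reply above mentions, added here as an example and not part of the original thread: it parses Apache combined-format access log lines, counts 404 hits per client on known probe paths (phpMyAdmin is from the question; the other two patterns, the threshold and the iptables rule shape are assumptions) and renders DROP rules for clients over the threshold. The sample log lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, request line and status code
# are the fields this example uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Paths scanners ask for on servers that do not run that software.
# phpMyAdmin comes from the question; the other two are assumed examples.
PROBE_PATTERNS = [re.compile(p, re.I) for p in (r'/phpmyadmin', r'/pma/', r'/myadmin/')]

def is_probe(path, status):
    """A probe is a request for a known scanner target that we answered 404."""
    return status == '404' and any(p.search(path) for p in PROBE_PATTERNS)

def count_probes(lines):
    """Probe hits per client IP; unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group('path'), m.group('status')):
            hits[m.group('ip')] += 1
    return hits

def blocklist(lines, threshold=3):
    """Clients with at least `threshold` probe hits, sorted for stable output."""
    return sorted(ip for ip, n in count_probes(lines).items() if n >= threshold)

def iptables_rules(ips):
    """Render DROP rules for port 80 (assumed rule shape; adjust to your chain)."""
    return [f'iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP' for ip in ips]

# Constructed sample lines; not taken from the original post.
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2010:06:01:11 -0500] "GET /phpMyAdmin/ HTTP/1.1" 404 289 "-" "-"',
    '203.0.113.7 - - [10/Jan/2010:06:01:12 -0500] "GET /pma/ HTTP/1.1" 404 289 "-" "-"',
    '203.0.113.7 - - [10/Jan/2010:06:01:13 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "-"',
    '198.51.100.9 - - [10/Jan/2010:06:02:40 -0500] "GET /phpMyAdmin/ HTTP/1.1" 404 289 "-" "-"',
    '192.0.2.1 - - [10/Jan/2010:06:03:05 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
]

if __name__ == '__main__':
    for rule in iptables_rules(blocklist(SAMPLE)):
        print(rule)
```

The threshold keeps a single mistyped URL from a legitimate visitor from getting them blocked; the "aging" the reply mentions (expiring a block after some time) is the other half that tools like Guardian or the log-reading blockers add on top of this.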
No, I *did* mention mod_security, but I forgot to add about proxy (reverse).
Sorry about that... that's what I get for reading and posting at so late an hour. :)
Yeah, the reverse proxy functionality appears to be relatively recent.