LinuxQuestions.org


reeseslover531 02-23-2007 06:40 AM

attempts to use known hacks by 47 hosts in logwatch

OK, so I use logwatch and in my httpd section I get this:
Code:

--------------------- httpd Begin ------------------------

 0.13 MB transferred in 144 responses  (1xx 0, 2xx 10, 3xx 0, 4xx 12, 5xx 122)
    11 Images (0.01 MB),
    11 Content pages (0.01 MB),
    122 Other (0.12 MB)
 
 Attempts to use known hacks by 47 hosts were logged 122 time(s) from:

and then it lists the IPs. What should I do about this? Also, how can I stop it in an automated way? I don't really want to have to go through and block all 47 hosts manually in iptables. Should I even be worried about this?

MS3FGX 02-24-2007 01:59 AM

You could use an adaptive firewall setup to block those hosts, but it probably isn't going to do much good in the long run.

A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on its site. Accordingly I was hit with literally hundreds of attack attempts every day.

The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.

Most of these attacks are from automated tools in the hands of 14-year-olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often than not you are just seeing the random garbage connections that every server on the Internet has to put up with.

reeseslover531 02-25-2007 06:14 AM

Alright, cool, so I don't really need to worry about anything if I am running an up-to-date Apache version.

unSpawn 02-25-2007 07:27 AM

Quote:

Originally Posted by reeseslover531
Alright, cool, so I don't really need to worry about anything if I am running an up-to-date Apache version.

No, that's not completely true. MS3FGX's reply isn't complete.

Quote:

Originally Posted by MS3FGX
A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on its site. Accordingly I was hit with literally hundreds of attack attempts every day. The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.

While it is true some network ranges are more prone to scanning, the amount of hits is not a measure for risk. Next to that, his experience of encountering only IIS sploits is a subjective observation and doesn't help you assess your situation. Risk depends on what you run and how you protect it. Period.


Quote:

Originally Posted by MS3FGX
Most of these attacks are from automated tools in the hands of 14-year-olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often than not you are just seeing the random garbage connections that every server on the Internet has to put up with.

Unless you lived under a rock for the past five years you know that flaws in PHP-based applications make up the majority of the "common" intrusions. If you check this forum for incidents you'll see that it's usually due to (a combination of) not auditing and hardening the box, not, partial or late updating, configuration errors and such. So what you want is to make sure you have a grip on those basic principles of practicing "safe hex", audit the box, adjust and add measures.
The LQ FAQ: Security references can help you with that. When you're done with the basics look at post #6 about web application security. If you look at web application security w/o applying the basics your efforts are for naught.
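
Added example (not part of the original thread and not logwatch's own code): since the number of hits is not a measure of risk, this sketch splits probe requests in an Apache access log into those the server rejected (4xx/5xx) and those it answered with 2xx/3xx, which are the ones worth reviewing. The signature list and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, illustrative probe signatures (assumption: NOT logwatch's list).
PROBE_PATTERNS = re.compile(r"(cmd\.exe|root\.exe|\.\./|_vti_bin)", re.I)

# Apache common/combined format: host ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; hosts are documentation-range addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Feb/2007:03:11:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [23/Feb/2007:03:11:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
198.51.100.7 - - [23/Feb/2007:04:20:41 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.5 - - [23/Feb/2007:04:25:00 -0500] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [23/Feb/2007:04:26:12 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 500 612
"""


def triage(log_text):
    """Return (rejected, answered) for requests matching a probe signature.

    rejected: host -> number of probes that got a 4xx/5xx response
    answered: host -> list of (status, request) that got a 2xx/3xx response
    """
    rejected = defaultdict(int)
    answered = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not PROBE_PATTERNS.search(m["request"]):
            continue  # unparseable line or ordinary traffic
        if m["status"][0] in "23":
            answered[m["host"]].append((m["status"], m["request"]))
        else:
            rejected[m["host"]] += 1
    return dict(rejected), dict(answered)


if __name__ == "__main__":
    rejected, answered = triage(SAMPLE_LOG)
    print("rejected probes per host:", rejected)
    for host, hits in answered.items():
        for status, request in hits:
            print(f"REVIEW {host} got {status} for: {request}")
```

A probe that was answered with 200 is not proof of compromise, only a pointer to the application and request that should be audited first.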


All times are GMT -5.