attempts to use know hacks by 47 hosts in logwatch
OK, so I use logwatch, and in my httpd section I get this:
Code:
--------------------- httpd Begin ------------------------
0.13 MB transferred in 144 responses (1xx 0, 2xx 10, 3xx 0, 4xx 12, 5xx 122)
11 Images (0.01 MB),
11 Content pages (0.01 MB),
122 Other (0.12 MB)
Attempts to use known hacks by 47 hosts were logged 122 time(s) from:
and then it lists the IPs. What should I do about this? Also, how can I stop it in an automated way? I don't really want to have to go through and block all 47 hosts manually in iptables. Should I even be worried about this?
You could use an adaptive firewall setup to block those hosts, but it probably isn't going to do much good in the long run.
A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on its site. Accordingly I was hit with literally hundreds of attack attempts every day.
The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.
Most of these attacks are from automated tools in the hands of 14 year olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often than not you are just seeing the random garbage connections that every server on the Internet has to put up with.
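The "adaptive firewall" idea above, as an added example that is not part of this thread and not logwatch's own code: a small Python script that reads Apache combined-format access log lines, counts requests per client IP that match a set of scanner signatures, and emits (but does not run) iptables DROP commands for hosts over a threshold. The signature list, the sample log lines, the threshold and the `iptables -I INPUT ... -j DROP` shape are all constructed assumptions for illustration; logwatch's own "known hacks" patterns are not reproduced here.

```python
#!/usr/bin/env python3
"""Count suspicious requests per client IP in Apache combined-format logs
and emit iptables commands for hosts that exceed a threshold.

Everything below (signatures, sample log, threshold) is constructed for
illustration; it is not logwatch's pattern list."""
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed request-path signatures of the kind automated scanners probe for
# (classic IIS probes, FrontPage paths, traversal, admin-interface discovery).
HACK_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r'cmd\.exe',
        r'root\.exe',
        r'/_vti_bin/',
        r'\.\./\.\./',
        r'/phpmyadmin/',
        r'/etc/passwd',
    )
]


def is_hack_attempt(request: str) -> bool:
    """True if the request line matches any signature."""
    return any(p.search(request) for p in HACK_PATTERNS)


def count_hacks(lines):
    """Return Counter {ip: matching requests}. Unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_hack_attempt(m.group('request')):
            counts[m.group('ip')] += 1
    return counts


def offending_hosts(counts, threshold=3):
    """IPs with at least `threshold` matching requests, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_commands(hosts, chain='INPUT', port=80):
    """Emit one DROP rule per host, inserted at the top of the chain.
    The commands are returned as strings, not executed, so they can be
    reviewed against an allow-list before being applied."""
    return [f'iptables -I {chain} -s {ip} -p tcp --dport {port} -j DROP'
            for ip in hosts]


# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "-"
this line is not a valid log entry
"""

if __name__ == '__main__':
    counts = count_hacks(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f'{ip}: {n} suspicious request(s)')
    for cmd in iptables_commands(offending_hosts(counts)):
        print(cmd)
```

Run against a real log with `count_hacks(open('/var/log/httpd/access_log'))`. Keep the threshold above one so a single stray 404 does not block a legitimate visitor, and diff the emitted list against your own address ranges before applying it; tools such as fail2ban implement the same loop (match, count, ban, unban after a timeout) for you.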
Alright, cool, so I don't really need to worry about anything if I am running an up-to-date Apache version.
No, that's not completely true. MS3FGX's reply isn't complete.
Quote:
Originally Posted by MS3FGX
A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on its site. Accordingly I was hit with literally hundreds of attack attempts every day. The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.
While it is true some network ranges are more prone to scanning, the number of hits is not a measure of risk. Next to that, his experience of encountering only IIS sploits is a subjective observation and doesn't help you assess your situation. Risk depends on what you run and how you protect it. Period.
Quote:
Originally Posted by MS3FGX
Most of these attacks are from automated tools in the hands of 14 year olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often than not you are just seeing the random garbage connections that every server on the Internet has to put up with.
Unless you've lived under a rock for the past five years, you know that flaws in PHP-based applications make up the majority of the "common" intrusions. If you check this forum for incidents you'll see that it's usually due to (a combination of) not auditing and hardening the box, no, partial or late updating, configuration errors and such. So what you want is to make sure you have a grip on those basic principles of practicing "safe hex", audit the box, and adjust and add measures.
The LQ FAQ: Security references can help you with that. When you're done with the basics look at post #6 about web application security. If you look at web application security w/o applying the basics your efforts are for naught.