LinuxQuestions.org
02-23-2007, 06:40 AM   #1
reeseslover531
Member
 
Registered: Nov 2005
Distribution: Fedora Core 5
Posts: 64

attempts to use known hacks by 47 hosts in logwatch


OK, so I use logwatch and in my httpd section I get this:
Code:
--------------------- httpd Begin ------------------------ 

 0.13 MB transferred in 144 responses  (1xx 0, 2xx 10, 3xx 0, 4xx 12, 5xx 122) 
     11 Images (0.01 MB),
     11 Content pages (0.01 MB),
    122 Other (0.12 MB) 
 
 Attempts to use known hacks by 47 hosts were logged 122 time(s) from:
and then it lists the IPs. What should I do about this? Also, how can I stop it in an automated way? I don't really want to have to go through and block all 47 hosts manually in iptables. Should I even be worried about this?
 
02-24-2007, 01:59 AM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

You could use an adaptive firewall setup to block those hosts, but it probably isn't going to do much good in the long run.

A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on its site. Accordingly I was hit with literally hundreds of attack attempts every day.

The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.

Most of these attacks are from automated tools in the hands of 14-year-olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often than not you are just seeing the random garbage connections that every server on the Internet has to put up with.
 
02-25-2007, 06:14 AM   #3
reeseslover531
Member
 
Registered: Nov 2005
Distribution: Fedora Core 5
Posts: 64

Original Poster
Alright, cool, so I don't really need to worry about anything if I am running an up-to-date Apache version.
 
02-25-2007, 07:27 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by reeseslover531
Alright, cool, so I don't really need to worry about anything if I am running an up-to-date Apache version.
No, that's not completely true. MS3FGX's reply isn't complete.

Quote:
Originally Posted by MS3FGX
A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on its site. Accordingly I was hit with literally hundreds of attack attempts every day. The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.
While it is true some network ranges are more prone to scanning, the amount of hits is not a measure for risk. Next to that, his experience of encountering only IIS sploits is a subjective observation and doesn't help you assess your situation. Risk depends on what you run and how you protect it. Period.


Quote:
Originally Posted by MS3FGX
Most of these attacks are from automated tools in the hands of 14-year-olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often than not you are just seeing the random garbage connections that every server on the Internet has to put up with.
Unless you lived under a rock for the past five years you know that flaws in PHP-based applications make up the majority of the "common" intrusions. If you check this forum for incidents you'll see that it's usually due to (a combination of) not auditing and hardening the box, not, partial or late updating, configuration errors and such. So what you want is to make sure you have a grip on those basic principles of practicing "safe hex", audit the box, adjust and add measures.
The LQ FAQ: Security references can help you with that. When you're done with the basics look at post #6 about web application security. If you look at web application security w/o applying the basics your efforts are for naught.

Last edited by unSpawn; 02-25-2007 at 07:31 AM.
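
The point made in this thread, that the number of hits is not a measure of risk, can be checked against the access log itself. The following is an added example, not part of any post above and not logwatch's code: it groups probe-like requests by host and separates those the server rejected from those it answered. The signature list, the sample log lines, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed probe signatures for illustration only; not logwatch's own list.
PROBE = re.compile(r"cmd\.exe|root\.exe|\.\./\.\.|/etc/passwd", re.IGNORECASE)

# Apache common/combined format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IP ranges, made-up requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2007:03:12:01 -0500] "GET /scripts/root.exe HTTP/1.0" 404 291',
    '192.0.2.10 - - [23/Feb/2007:03:12:02 -0500] "GET /MSADC/root.exe HTTP/1.0" 404 289',
    '192.0.2.10 - - [23/Feb/2007:03:12:03 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 299',
    '198.51.100.5 - - [23/Feb/2007:04:00:10 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Feb/2007:05:41:55 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1523',
]

def triage(lines):
    """Group probe-like requests by host and record which ones were served."""
    hosts = defaultdict(lambda: {"hits": 0, "served": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not PROBE.search(m["request"]):
            continue  # unparsable line or ordinary traffic
        entry = hosts[m["host"]]
        entry["hits"] += 1
        # A 2xx/3xx status means the request was not rejected, so the
        # probed URL may exist on this server.
        if m["status"][0] in "23":
            entry["served"].append(m["request"])
    return dict(hosts)

def needs_review(report):
    """Hosts whose probes got a non-error response, regardless of hit count."""
    return sorted(h for h, e in report.items() if e["served"])

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for host, e in sorted(report.items()):
        print(host, e["hits"], "hits,", len(e["served"]), "served")
    print("review first:", needs_review(report))
```

In the sample, the host with three hits only received 404s, while the host with a single hit received a 200; a served probe is a lead for reviewing that application and its configuration, not proof of compromise.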
 
  

