attempts to use know hacks by 47 hosts in logwatch

reeseslover531 · 02-23-2007, 06:40 AM

ok so i use logwatch and in my httpd section i get this

Code:

--------------------- httpd Begin ------------------------ 

 0.13 MB transferred in 144 responses  (1xx 0, 2xx 10, 3xx 0, 4xx 12, 5xx 122) 
     11 Images (0.01 MB),
     11 Content pages (0.01 MB),
    122 Other (0.12 MB) 
 
 Attempts to use known hacks by 47 hosts were logged 122 time(s) from:

and then it lists the ips. What should I do about this? also how can I stop it with an automated way, I don't really want to have to go through and block all 47 hosts manually in iptables. should I even be worried about this?

MS3FGX · 02-24-2007, 01:59 AM

You could use an adaptive firewall setup to block those hosts, but it probably isn't going to do much good in the long run.

A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on it's site. Accordingly I was hit with literally hundreds of attack attempts every day.

The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.

Most of these attacks are from automated tools in the hands of 14 year olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often then not you are just seeing the random garbage connections that every server on the Internet has to put up with.

reeseslover531 · 02-25-2007, 06:14 AM

alright cool so I don't need to really worry about anything if i am running an up to date apache version.

unSpawn · 02-25-2007, 07:27 AM

alright cool so I don't need to really worry about anything if i am running an up to date apache version.
No, that's not completely true. MS3FGX' reply isn't complete.

Quote:

Originally Posted by MS3FGX

A lot of attacks that are run against Apache servers are totally ineffective. I was running the web server for a public library, which got a considerable amount of traffic on it's site. Accordingly I was hit with literally hundreds of attack attempts every day. The thing is, every single one of them was an exploit against IIS and was completely useless against Apache.

While it is tru some network ranges are more prone to scanning the amount of hits is not a measure for risk. Next to that his experiences of encountering only IIS sploits is a subjective observation and doesn't help you assess your situation. Risk depends on what you run and how you protect it. Period.

Quote:

Originally Posted by MS3FGX

Most of these attacks are from automated tools in the hands of 14 year olds, and are nothing to be worried about. Now, if you are logging serious attacks, that is another thing, but more often then not you are just seeing the random garbage connections that every server on the Internet has to put up with.

Unless you lived under a rock for the past five years you know that flaws in PHP-based applications make up the majority of the "common" intrusions. If you check this forum for incidents you'll see that it's usually due to (a combination of) not auditing and hardening the box, not, partial or late updating, configuration errors and such. So what you want is to make sure you have a grip on those basic principles of practicing "safe hex", audit the box, adjust and add measures.
The LQ FAQ: Security references can help you with that. When you're done with the basics look at post #6 about web application security. If you look at web application security w/o applying the basics your efforts are for naught.