Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
04-18-2004, 11:36 AM | #1 | Member | Registered: Dec 2001 | Location: Scotland | Distribution: Slackware 9.1-15 RH 6.2/7, RHEL 6.5 SuSE 8.2/11.1, Debian 10.5 | Posts: 518
httpd attacks
I'm running Slackware with Apache 1.3 and have been checking through my logs for the past week or so, and have seen 1000s of username/password guesses, obviously from a word list or similar. What I did initially was to take the IP address and add it to the DENY from feature in the httpd.conf file, but only this morning I have seen the same thing happen again. This time it would seem that the IP addresses are completely random and as such forged. How would you go about combating such attempts to gain access to restricted areas?
Thanks in advance...
Last edited by plisken; 04-18-2004 at 07:57 PM.
04-18-2004, 03:34 PM | #2 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Could you post an example from your apache logs? If you think about it, using packet spoofing isn't going to do someone much good for brute-forcing passwords. They would send the initial connection attempt with a forged address, to which your system would reply with the authentication challenge (but it would go to the forged address, not to evil.hacker!!), they would then send random username/password combos, but since any success/failure replies would go to the forged address, they would never know if they guessed correctly or not. On top of that, there is also an underlying issue of TCP sequence numbering that adds a second layer of difficulty in doing that (the TCP protocol uses a very rudimentary form of spoofing protection through the numbering of packets).
If you are seeing a truckload of packets, it's possible that you are seeing a mixture of spoofed and live packets. The logic being that if you mix in enough fake packets, you can hide legitimate ones in the noise.
04-18-2004, 04:29 PM | #3 | Member (Original Poster) | Registered: Dec 2001 | Location: Scotland | Distribution: Slackware 9.1-15 RH 6.2/7, RHEL 6.5 SuSE 8.2/11.1, Debian 10.5 | Posts: 518
Hi there, please find below extracts from my error_log:
[Sun Apr 18 10:37:36 2004] [error] [client 207.141.37.198] user bigddd not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 68.152.174.70] user bigken not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 210.69.128.252] user bigjim5 not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 168.243.250.57] user benson not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 203.151.40.252] user bigbad not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 80.58.23.235] user beber6 not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 80.58.15.235] user beffy1 not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 202.175.238.202] user bigjim not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 203.198.42.21] user bigens not found: /members/
[Sun Apr 18 10:37:36 2004] [error] [client 203.154.153.59] user bigboper not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.68.127.140] user bigtee not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 202.163.228.90] user bignub7 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 217.117.14.167] user bigmel28 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 80.11.158.29] user bigstep not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 219.145.130.118] user bigmixx not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 80.58.2.44] user bemaking not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 217.99.47.167] user biffxxx not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 217.194.152.130] user bigclit1 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 210.23.115.66] user bigmans not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 69.0.87.85] user bigfish not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.94.231.131] user bigtuna1 not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.177.64.182] user bigsix not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 213.154.70.121] user bigguy not found: /members/
[Sun Apr 18 10:37:37 2004] [error] [client 200.61.183.162] user bevoone not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 62.72.116.93] user billbill not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 80.58.3.172] user bigsal not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 140.131.117.6] user bigjoe not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 80.58.47.44] user bedbur not found: /members/
[Sun Apr 18 10:37:38 2004] [error] [client 61.11.26.150] user barter not found: /members/
This particular attack went on for 8 minutes or so...
Below is an extract from a previous attack. Note, though, that the IP address is the same in each instance below, unlike the log from above.
[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user jamesch not found: /members/
[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user jim not found: /members/
[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user johnnyb not found: /members/
[Mon Apr 12 13:41:32 2004] [error] [client 217.224.47.247] user KCRandy not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user kwisatz not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user lee555 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user max7 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user mcgaryb not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user me2001 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user Mike8b not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user njken63 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user ososito not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pass2 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pker not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pootz not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pred not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user pwright not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user Rover2 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user schaepper not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user sexmetv not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user shaggydo1 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user smur4321 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user solidous not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user splippy1 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user Sponsor not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall12343 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall222 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall434 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall444 not found: /members/
[Mon Apr 12 13:41:33 2004] [error] [client 217.224.47.247] user stall4444 not found: /members/
[Mon Apr 12 13:41:34 2004] [error] [client 217.224.47.247] user telepath1 not found: /members/
[Mon Apr 12 13:41:34 2004] [error] [client 217.224.47.247] user The1saint not found: /members/
[Mon Apr 12 13:41:34 2004] [error] [client 217.224.47.247] user tnguy not found: /members/
One thing that really surprises me is the amount of guesses per second that is achieved.
All help and comments in this matter are appreciated!
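The two extracts above differ in exactly the way that decides which countermeasure works: a burst from one client IP versus the same burst spread over many. The script below is an added example, not something posted in the thread; it parses the Apache 1.3 error_log "user ... not found" lines in the format shown, buckets them by protected path and minute, and labels a busy bucket as single-source (a Deny from or firewall rule on that IP helps) or distributed (per-IP blocking alone will not, so the realm itself needs rate limiting). The regex, the threshold and the sample lines are assumptions built for the example; the sample IPs are documentation ranges, not the poster's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 1.3 error_log line for a failed Basic-auth user lookup, in the
# format the thread shows. The regex is this example's own, not an Apache API.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"user (?P<user>\S+) not found: (?P<path>\S+)$"
)

def parse_line(line):
    """Return (datetime, ip, user, path), or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # strptime treats a single space as run of whitespace, so "Apr  8" parses too.
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["user"], m["path"]

def classify_bursts(lines, threshold=10):
    """Bucket failed lookups by (path, minute); return {key: (label, ips)}
    for buckets with at least `threshold` attempts. label is 'single-source'
    when one client IP produced the whole bucket, else 'distributed'."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unrelated error_log line
        ts, ip, _user, path = rec
        buckets[(path, ts.strftime("%Y-%m-%d %H:%M"))].append(ip)
    report = {}
    for key, ips in buckets.items():
        if len(ips) < threshold:
            continue                      # normal typo rate, not a burst
        distinct = sorted(set(ips))
        label = "single-source" if len(distinct) == 1 else "distributed"
        report[key] = (label, distinct)
    return report

# Constructed sample in the thread's format (assumed data, not the real log):
# 12 guesses from one IP in one minute, 12 guesses from 12 IPs in one minute,
# and a lone failed login that must not be flagged.
SAMPLE = (
    ["[Mon Apr 12 13:41:33 2004] [error] [client 198.51.100.7] "
     f"user guess{i} not found: /members/" for i in range(12)]
    + [f"[Sun Apr 18 10:37:36 2004] [error] [client 203.0.113.{i}] "
       f"user guess{i} not found: /members/" for i in range(1, 13)]
    + ["[Sun Apr 18 11:00:00 2004] [error] [client 192.0.2.5] "
       "user bob not found: /members/"]
)
```

Run it over a real error_log with `classify_bursts(open("/var/log/apache/error_log"))`; the IP lists from single-source buckets are the ones worth feeding to a Deny from or firewall rule.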
04-18-2004, 05:12 PM | #4 | Moderator | Registered: May 2001 | Posts: 29,415
this time it would seem that the IP addresses are completely random and as such forged, how would you go about combating such attempts to gain access to restricted areas?
Depends on who needs access to it and what it's worth protecting. First thing I think is just like with other vulnerable services like for instance FTP would be to make sure you never use system authentication databases as underlying auth db. Use separate ones even if it puts a burden managing it (depends on what restriction is worth of course). If your userbase is distinct and small, additional TCP wrappers plus firewall access restrictions could work. If your userbase is like world, then you could try rate limit access: check iplimit from Iptable's POM and check if mod_throttle or mod_dosevasive does provide rate limiting.
Nice IP listing BTW. At least half of them are open proxies.
The dictionary I do question, because the names don't seem that generic to me. Are you by any chance running a shell server?