LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-04-2010, 02:52 PM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

I would like to improve the security of my web server...


I am running Slackware 13.0. Today I found several entries in my access_log of IPs from China trying to exploit my web server. How can I prevent all this? I figure I have three options.

1. This web server is for personal/friend use. How could I limit access to my web server to a few select ISPs? How would I do that? Maybe edit /etc/hosts.allow and just put in a wildcard for an ISP's IP address, e.g. 68.203.185.* or something like that. That way all HTTP requests coming in from that ISP are allowed to view my website.

2. I could find out all the Chinese ISPs' IP ranges and add those to the /etc/hosts.deny list. However, it seems like that would take forever.

3. Set up a filter on fail2ban that would detect the use of malicious code by checking whether HTML codes like 501 or 400 appear in the entries of the access_log.

Seems like the 3rd option would be the most efficient; that way it would prevent attackers from places other than China as well. However, for now I'd like to quickly implement something, so how would I go about doing option 1?
 
Old 01-04-2010, 03:02 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

You could use something like fail2ban to block IPs that have run automated attacks on your server if you really want, but there isn't much point. Those are bots that simply scan the Internet and run known exploits against anything with port 80 open. That doesn't mean your server is actually vulnerable to those attacks, however. In fact, most of the bots don't even check what server is running; a lot of times they will try to run IIS attacks on Apache.

Blocking these attempts won't increase your security at all, they will just keep them out of your log files. If you are worried about maintaining security, make sure your server is up to date and properly configured.
 
Old 01-04-2010, 03:05 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Forgot to mention, today I ran

Code:
lsof -i
and this came out

Code:
root@server:~# lsof -i
COMMAND     PID     USER   FD   TYPE DEVICE SIZE NODE NAME
inetd      2965     root    4u  IPv4   7970       TCP *:time (LISTEN)
inetd      2965     root    5u  IPv4   7971       UDP *:time
inetd      2965     root    6u  IPv4   7972       UDP *:biff
inetd      2965     root    7u  IPv4   7973       TCP *:auth (LISTEN)
sshd       2968     root    3u  IPv4   7988       TCP *:ssh (LISTEN)
sendmail   3012     root    4u  IPv4   8767       TCP *:smtp (LISTEN)
sendmail   3012     root    5u  IPv4   8768       TCP *:submission (LISTEN)
httpd      3057     root    3u  IPv4   8879       TCP *:http (LISTEN)
vlc        3061     root    4u  IPv4  68839       TCP server.darkstar.net:8000 (LISTEN)
vlc        3062     root    4u  IPv4  68849       TCP server.darkstar.net:8001 (LISTEN)
postmaste  3067 postgres    3u  IPv4   8956       TCP localhost:postgresql (LISTEN)
postmaste  3067 postgres    5u  IPv4   8962       UDP localhost:39127->localhost:39127
httpd      3069   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3070   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3071   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3073   apache    3u  IPv4   8879       TCP *:http (LISTEN)
proftpd    3074   nobody    1u  IPv4   8951       TCP *:ftp (LISTEN)
postmaste  3080 postgres    5u  IPv4   8962       UDP localhost:39127->localhost:39127
postmaste  3081 postgres    5u  IPv4   8962       UDP localhost:39127->localhost:39127
postmaste  3082 postgres    5u  IPv4   8962       UDP localhost:39127->localhost:39127
postmaste  3083 postgres    5u  IPv4   8962       UDP localhost:39127->localhost:39127
httpd      3213   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3214   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3215   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3216   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3217   apache    3u  IPv4   8879       TCP *:http (LISTEN)
httpd      3217   apache    9u  IPv4  68506       TCP server.darkstar.net:http->218.62.13.218:31982 (ESTABLISHED)
httpd      3218   apache    3u  IPv4   8879       TCP *:http (LISTEN)
ventrilo_ 17215     root    4u  IPv4  46168       TCP *:3784 (LISTEN)
ventrilo_ 17215     root    5u  IPv4  46169       UDP *:3784
sshd      21861     root    3r  IPv4  68853       TCP server.darkstar.net:ssh->192.168.1.107:1952 (ESTABLISHED)
Notice the 218.62.13.218 IP; that's the Chinese one with an established connection to an httpd instance. Does that just mean that the IP was viewing my website?

Here's my access_log
Code:
202.99.23.184 - - [04/Jan/2010:06:32:39 -0600] "hO\xc88\xe6" 501 217
125.91.132.210 - - [04/Jan/2010:06:42:17 -0600] "\xe3v" 501 214
123.234.118.31 - - [04/Jan/2010:06:48:00 -0600] "\xe1\x87" 501 214
113.232.138.155 - - [04/Jan/2010:06:56:34 -0600] "\x9f\xd3Q" 501 215
123.4.226.64 - - [04/Jan/2010:07:10:53 -0600] "\x9f5\xc6\x1f\xba\xf3\xb7\xf7C" 501 221
118.233.154.158 - - [04/Jan/2010:07:16:52 -0600] "'\x91\x05\x888\b\x17\x15y\xc9G\x9f\xee=\x8e\bm\x10\xf2\xa2{\xae\xc5R\x16\xd1T\xce\xe2\xc8L" 501 243
60.16.107.179 - - [04/Jan/2010:07:51:35 -0600] "\xe3{" 501 214
114.113.50.60 - - [04/Jan/2010:08:04:55 -0600] "\xa6XByG} \x165\xe9SG\xa5g|" 400 226
210.192.100.142 - - [04/Jan/2010:08:14:29 -0600] "\xe3{" 501 214
125.89.18.93 - - [04/Jan/2010:08:19:13 -0600] "\xe3w" 501 214
60.16.107.179 - - [04/Jan/2010:08:36:22 -0600] "\xe3{" 501 214
122.156.195.106 - - [04/Jan/2010:08:42:42 -0600] "\xe3w" 501 214
222.94.55.62 - - [04/Jan/2010:08:44:31 -0600] "\xe3{" 501 214
59.42.21.108 - - [04/Jan/2010:08:58:32 -0600] "\xe3v" 501 214
86.38.174.98 - - [04/Jan/2010:08:59:50 -0600] "\x8f#\xf1#]\xebFH\x12\xeaT\xde\xc1E\x1c\x90`\x97\x16N\xc6\x85\x91\xc7D#" 501 238
123.180.118.238 - - [04/Jan/2010:08:59:58 -0600] "\xe3v" 501 214
58.62.42.202 - - [04/Jan/2010:09:00:30 -0600] "A\xd6\x0e" 501 215
123.180.118.238 - - [04/Jan/2010:09:01:03 -0600] "1\x92g" 501 215
123.180.118.238 - - [04/Jan/2010:09:02:06 -0600] "\xe3v" 501 214
123.180.118.238 - - [04/Jan/2010:09:06:13 -0600] "\xe3v" 501 214
222.93.14.100 - - [04/Jan/2010:09:09:33 -0600] "\xe3\x86" 501 214
123.180.118.238 - - [04/Jan/2010:09:10:11 -0600] "\xe3v" 501 214
59.42.21.108 - - [04/Jan/2010:09:11:01 -0600] "\xe3v" 501 214
123.180.118.238 - - [04/Jan/2010:09:11:13 -0600] ",\x9cE" 501 215
220.201.5.76 - - [04/Jan/2010:09:45:54 -0600] "\xe3w" 501 214
113.88.220.135 - - [04/Jan/2010:09:47:02 -0600] "\xe3}" 501 214
125.39.113.84 - - [04/Jan/2010:09:52:49 -0600] "\xe3\x83" 501 214
59.175.16.227 - - [04/Jan/2010:09:55:43 -0600] "\xe3y" 501 214
125.39.113.84 - - [04/Jan/2010:09:57:29 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:09:58:32 -0600] "\xb7\xc4," 501 215
69.155.118.14 - - [04/Jan/2010:10:01:28 -0600] "GET /favicon.ico HTTP/1.1" 200 1150
58.247.38.11 - - [04/Jan/2010:10:07:23 -0600] "\xe3w" 501 214
125.39.113.84 - - [04/Jan/2010:10:07:50 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:10:08:52 -0600] "\x1b\x82 " 501 214
125.39.113.84 - - [04/Jan/2010:10:09:54 -0600] "\xe3\x83" 501 214
210.192.98.34 - - [04/Jan/2010:10:11:27 -0600] "\xe3{" 501 214
83.235.234.133 - - [04/Jan/2010:10:15:38 -0600] "GET / HTTP/1.1" 200 267
122.246.122.145 - - [04/Jan/2010:10:17:45 -0600] "\xe3\x86" 501 214
125.97.31.146 - - [04/Jan/2010:10:20:42 -0600] "\xe3{" 501 214
125.39.113.84 - - [04/Jan/2010:10:22:50 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:10:26:47 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:10:27:50 -0600] "AK:" 501 215
125.39.113.84 - - [04/Jan/2010:10:28:52 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:10:33:28 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:10:34:31 -0600] "M*a" 501 215
125.39.113.84 - - [04/Jan/2010:10:37:51 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:10:38:54 -0600] "\x7f\xe9/" 501 215
125.39.113.84 - - [04/Jan/2010:10:39:56 -0600] "\xe3\x83" 501 214
218.6.230.78 - - [04/Jan/2010:10:45:11 -0600] "\xe3y" 501 214
59.56.48.10 - - [04/Jan/2010:10:48:00 -0600] "\xe3x" 501 214
125.39.113.84 - - [04/Jan/2010:10:52:51 -0600] "\xe3\x83" 501 214
58.48.35.14 - - [04/Jan/2010:10:53:31 -0600] "\xe4\x9e\x1c\x05Y\x16\xc9\x05\xd1\x81\xa2\x96\b\xf0\xae\xc0%\x0c\x1b\xf32\"r<" 400 226
125.39.113.84 - - [04/Jan/2010:10:57:27 -0600] "\xe3\x83" 501 214
58.247.241.207 - - [04/Jan/2010:11:00:32 -0600] "\xe3y" 501 214
125.39.113.84 - - [04/Jan/2010:11:01:28 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:11:05:27 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:11:06:30 -0600] "obt" 501 215
125.39.113.84 - - [04/Jan/2010:11:07:33 -0600] "\xe3\x83" 501 214
98.215.132.99 - - [04/Jan/2010:11:10:06 -0600] "\xd1\x17@:\xb3L\xe9\x99\xb8|\xe1\xc9\xf2\x8aZ\xac\xa0\x7f'\xb9\x84\x9b\xe9\x99\x7f\x12\x89\"<\xf0\x8b\xbb\x94\x91l|\x7fm\xe6Pl\x85^\x99j\xb8\xe6\x16\x93lQB\x19\xd1Iob\xd6\x95\b\xf5\xf0CWAS" 501 286
58.247.38.11 - - [04/Jan/2010:11:10:39 -0600] "\xe3w" 501 214
124.160.46.115 - - [04/Jan/2010:11:18:34 -0600] "\xe3z" 501 214
125.39.113.84 - - [04/Jan/2010:11:22:52 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:11:23:55 -0600] "\x9bY3" 501 215
125.39.113.84 - - [04/Jan/2010:11:24:57 -0600] "\xe3\x83" 501 214
121.33.50.113 - - [04/Jan/2010:11:33:47 -0600] "o\x8a\xf88\xc3]zH\xa2\xa5\xf1\xf8s\xba\xae7\x04eZ\xee\x89" 501 233
125.39.113.84 - - [04/Jan/2010:11:37:52 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:11:41:28 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:11:42:31 -0600] "\x11U5" 501 215
125.39.113.84 - - [04/Jan/2010:11:43:33 -0600] "\xe3\x83" 501 214
115.64.10.118 - - [04/Jan/2010:12:02:29 -0600] "\xe3\x7f" 501 214
117.88.172.110 - - [04/Jan/2010:12:04:47 -0600] "\xe3z" 501 214
83.18.162.42 - - [04/Jan/2010:13:45:52 -0600] "GET / HTTP/1.1" 200 267
After seeing that Chinese IP in lsof -i, I killed my httpd instances, which was around 13:46.

My question is: when you see an IP with an established connection to httpd, does that just mean that he is viewing my website? I have a user password-protected database attached to my website via PHP, but I found no evidence that he accessed it.

Last edited by trist007; 01-04-2010 at 03:09 PM.
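Option 3 from the first post, worked through as an added example (this is not code from the thread and not fail2ban's own code): a parser for Apache's common log format, a test for the junk request lines shown in the post above (Apache answers a request line it cannot parse with 400 and a method it does not implement with 501, which is why those two statuses mark the probes), and a fail2ban-style sliding window that bans a source once it has sent `maxretry` junk requests within `findtime`. SAMPLE_LOG is a chronological subset of the lines posted above, embedded so the script runs offline; the 10-minute window and threshold of 3 are assumptions chosen to show a ban.

```python
"""Fail2ban-style detection of junk requests in an Apache access_log.

Added example for the thread above, not code from the thread or from
fail2ban. SAMPLE_LOG is a subset of the posted access_log lines; the jail
parameters (findtime, maxretry) are assumptions chosen to show a ban.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache common log format: %h %l %u %t "%r" %>s %b
# Apache writes unprintable bytes in %r as \xNN and quotes as \", so the
# request field is matched as a run of plain characters or escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# A well-formed request line: METHOD SP target [SP HTTP/x.y]
HTTP_REQUEST_RE = re.compile(r'^[A-Z]+ \S+(?: HTTP/\d\.\d)?$')

# 400 = request line Apache could not parse, 501 = method it does not
# implement; binary probes against port 80 land in one of the two.
JUNK_STATUSES = {"400", "501"}

# Constructed sample: a chronological subset of the lines posted above.
SAMPLE_LOG = r"""202.99.23.184 - - [04/Jan/2010:06:32:39 -0600] "hO\xc88\xe6" 501 217
60.16.107.179 - - [04/Jan/2010:07:51:35 -0600] "\xe3{" 501 214
114.113.50.60 - - [04/Jan/2010:08:04:55 -0600] "\xa6XByG} \x165\xe9SG\xa5g|" 400 226
60.16.107.179 - - [04/Jan/2010:08:36:22 -0600] "\xe3{" 501 214
123.180.118.238 - - [04/Jan/2010:08:59:58 -0600] "\xe3v" 501 214
123.180.118.238 - - [04/Jan/2010:09:01:03 -0600] "1\x92g" 501 215
123.180.118.238 - - [04/Jan/2010:09:02:06 -0600] "\xe3v" 501 214
123.180.118.238 - - [04/Jan/2010:09:06:13 -0600] "\xe3v" 501 214
125.39.113.84 - - [04/Jan/2010:09:52:49 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:09:57:29 -0600] "\xe3\x83" 501 214
125.39.113.84 - - [04/Jan/2010:09:58:32 -0600] "\xb7\xc4," 501 215
69.155.118.14 - - [04/Jan/2010:10:01:28 -0600] "GET /favicon.ico HTTP/1.1" 200 1150
83.235.234.133 - - [04/Jan/2010:10:15:38 -0600] "GET / HTTP/1.1" 200 267
98.215.132.99 - - [04/Jan/2010:11:10:06 -0600] "\xd1\x17@:\xb3L\xe9\x99\xb8|\xe1\xc9\xf2\x8aZ\xac\xa0\x7f'\xb9\x84\x9b\xe9\x99\x7f\x12\x89\"<\xf0\x8b\xbb\x94\x91l|\x7fm\xe6Pl\x85^\x99j\xb8\xe6\x16\x93lQB\x19\xd1Iob\xd6\x95\b\xf5\xf0CWAS" 501 286
"""


def parse_line(line):
    """Split one access_log line into its fields, or return None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_junk(entry):
    """True when Apache rejected the line and it was not HTTP to begin with."""
    return (entry["status"] in JUNK_STATUSES
            and HTTP_REQUEST_RE.match(entry["request"]) is None)


def junk_hits(lines):
    """Junk requests per source IP: what you see by eyeballing the log."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_junk(entry):
            counts[entry["ip"]] += 1
    return counts


def bans(lines, findtime=timedelta(minutes=10), maxretry=3):
    """Replay the log through a sliding window like a fail2ban jail.

    A source is banned the moment it has `maxretry` junk requests inside
    the last `findtime`. Returns {ip: time_of_ban}; later lines from a
    banned source are skipped, as they would be once iptables drops it.
    """
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_junk(entry) or entry["ip"] in banned:
            continue
        ip, ts = entry["ip"], entry["ts"]
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in junk_hits(lines).most_common():
        print(f"{ip:16} {n} junk request(s)")
    for ip, when in bans(lines).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Run against the sample, only 125.39.113.84 and 123.180.118.238 cross the threshold; the one-off probes from the other addresses never do, which is the usual outcome with scanner traffic. In fail2ban the same match goes into a filter as a `failregex` with `<HOST>` in place of the IP group, and `findtime` and `maxretry` are the jail settings. Note that the second regex is what keeps the legitimate `GET /favicon.ico` request out of the count even if it were to return 400 for some other reason.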
 
Old 01-04-2010, 04:41 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,772

Run from live cd and let them try to hack it.
 
Old 01-04-2010, 08:27 PM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Moved: This thread is more suitable in <Linux-Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 01-04-2010, 08:43 PM   #6
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Have you tried using a firewall? You can simply set which IPs will go through it; others never reach your server.
There is iptables; it works very well.

Last edited by nimnull22; 01-04-2010 at 08:44 PM.
 
Old 01-05-2010, 07:26 AM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Notice the 218.62.13.218 IP, that's the Chinese one with an established connection to an httpd instance. That just means that the IP was viewing my website?
Yes.
Quote:
202.99.23.184 - - [04/Jan/2010:06:32:39 -0600] "hO\xc88\xe6" 501 217
See that 501? That is Apachese for "Method not found". That said, they are probably trying to do something nasty to your server, maybe cause a buffer overflow. In general, if you run a generally accessible web server, you're going to see this kind of stuff. Everyone does. So you need to make sure that you've got your machine fully patched and up to date.


You could install mod_security on your server. It requires a bit of tinkering to customize, but it does stop a lot of nonsense regardless of where it comes from. I'd also seriously suggest adding Aide or Samhain to the mix to monitor your file system.

Last edited by Hangdog42; 01-05-2010 at 07:34 AM.
 
Old 01-05-2010, 12:59 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Quote:
Originally Posted by trist007
How can I prevent all this?
In addition to keeping your web server up to date and configuring it properly, you could put your content behind HTTP digest authentication.
 
Old 01-05-2010, 03:11 PM   #9
tuxgirl
LQ Newbie
 
Registered: Jul 2009
Posts: 6

This will allow people coming from local addresses, IP 55.55.55.55 and the range of IPs starting with 33.33.33 to see your website. I don't think it blocks the actual port from anything, but it blocks access to your website (and any forms that might be there).

Code:
    <Directory "/var/www/htdocs/yourwebstuffdirectory">
        # ... other configuration you have
        # Apache 2.2 (mod_authz_host): refuse everyone, then re-allow listed clients
        Order deny,allow
        Deny from all
        # Whatever local addresses you want (partial IPs match leading octets)
        Allow from 10.0.0 127.0.0 192.168
        # Whatever friends' addresses you have
        # You can also do a range
        Allow from 55.55.55.55 33.33.33
    </Directory>
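The block above works because Apache evaluates its own Allow/Deny directives (mod_authz_host in the Apache 2.2 series, which is what Slackware 13.0 ships); /etc/hosts.allow and hosts.deny, asked about in the first post, are consulted only by programs linked against libwrap, such as inetd services wrapped with tcpd, and not by httpd. The following is an added example, not code from the thread or from Apache: it models the 2.2 Order/Deny/Allow evaluation in Python so a rule set can be checked against client addresses before it goes live. Two things it makes visible: a partial address such as 10.0.0 matches on octet boundaries (10.0.0.0/24, not every address whose text starts with "10.0.0"), and under Order deny,allow a block that forgets Deny from all admits everyone. Hostname and env= arguments are not modelled; FRIENDS_ONLY is a copy of the directory block above with Apache's # comment syntax, and Apache 2.4 replaced these directives with Require ip.

```python
"""Evaluate Apache 2.2 host access control (Order / Deny from / Allow from).

Added example, not code from the thread or from Apache. It follows the
documented argument forms: "all", a full IP, a partial IP (leading octets,
matched on octet boundaries), network/netmask and CIDR. Hostnames and
env= arguments are not modelled.
"""
import ipaddress


def address_spec(spec):
    """Convert one Allow/Deny address argument into an ip_network."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        # a.b.c.d/255.255.0.0 or a.b.c.d/16: ipaddress accepts both forms.
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        # Partial IP: each given octet contributes 8 bits of prefix,
        # so "10.0.0" is 10.0.0.0/24 and "192.168" is 192.168.0.0/16.
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(spec)  # single host, /32


def parse_directives(config):
    """Pull Order, Allow from and Deny from out of a <Directory> block."""
    order, allow, deny = "deny,allow", [], []  # Apache's default Order
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        words = line.split()
        head = words[0].lower()
        if head == "order" and len(words) == 2:
            order = words[1].lower()
        elif head == "allow" and words[1].lower() == "from":
            allow.extend(words[2:])
        elif head == "deny" and words[1].lower() == "from":
            deny.extend(words[2:])
    return order, allow, deny


def allowed(client, config):
    """Apply the 2.2 Order semantics to `client` for the given block."""
    order, allow, deny = parse_directives(config)
    ip = ipaddress.ip_address(client)
    in_allow = any(ip in address_spec(s) for s in allow)
    in_deny = any(ip in address_spec(s) for s in deny)
    if order == "deny,allow":
        # Deny is evaluated first, Allow overrides it, and a client that
        # matches neither list is permitted.
        return in_allow or not in_deny
    if order in ("allow,deny", "mutual-failure"):
        # Allow must match and Deny must not; unmatched clients are refused.
        return in_allow and not in_deny
    raise ValueError(f"unknown Order: {order}")


# The <Directory> block from the post above, in Apache's comment syntax.
FRIENDS_ONLY = """
<Directory "/var/www/htdocs/yourwebstuffdirectory">
    Order deny,allow
    Deny from all
    # local addresses
    Allow from 10.0.0 127.0.0 192.168
    # friends: one host and a /24 range
    Allow from 55.55.55.55 33.33.33
</Directory>
"""

if __name__ == "__main__":
    for client in ("10.0.0.5", "10.0.1.5", "100.0.0.1", "192.168.77.4",
                   "55.55.55.55", "55.55.55.56", "218.62.13.218"):
        print(f"{client:16} {'allow' if allowed(client, FRIENDS_ONLY) else 'deny'}")
```

A quick check with `allowed("218.62.13.218", "Order deny,allow\nAllow from 192.168")` returns True, because without a Deny line nothing matches and deny,allow permits the unmatched; the same rules under `Order allow,deny` refuse that client. Also remember that the web server sees whatever source address reaches it, so friends behind a NAT or on a dynamic ISP range need their current public address in the list, not the one they see on their LAN.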
 
Old 01-05-2010, 04:16 PM   #10
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,052

Original Poster
Is that the /etc/hosts.deny file?

I activated fail2ban on SSH and it works great. Also, how would I update my Apache server? SVN? Or do I just stop the process, download the newer source, and just install on top of the current installation?
 
Old 01-05-2010, 04:29 PM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Also, how would I update my apache server? Svn? Or do I just stop the process, download the newer source, and just install on top of the current installation?
The easiest way is to just follow what is in the Slackware repository. Slackware will issue any updates needed for security reasons, so there is no need to follow the Apache development team. The slackpkg tool is fantastic for this, as it will upgrade the packages for you. Pretty much all you would need to do is restart Apache once the update is done.
 
  


All times are GMT -5. The time now is 10:36 AM.
