LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-04-2011, 02:22 AM   #1
jamesbon
Member
 
Registered: Jun 2010
Posts: 130

Rep: Reputation: 9
what should be limit to use for IPTABLE rate limiting for a webserver


I see on my webserver some logs as follows

Quote:
203.252.157.98 - :25:02 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:03 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:03 "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:04 "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:05 "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:06 "GET //phppgadmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:06 "GET //PMA/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:07 "GET //admin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:08 "GET //MyAdmin/ HTTP/1.1" 404 392 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:36 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:42 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:42 "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :27:43 "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - - "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
and some more as follows
Quote:
118.219.234.254 - - [19/Oct/2010:22:57:41 "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:41 "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42 "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42 "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:43 "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44 "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44 "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45 "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45 "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:51 "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52 "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52 "GET /admin/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:53 "GET /db/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54 "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 402 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54 "GET /myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55 "GET /mysql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55 "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56 "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56 "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57 "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57 "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58 "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58 "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59 "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59 "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:00 "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01 "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01 "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:02 "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
I have 2 questions
1) When such an attack happens on my site then while such scanning is going on how do I detect it? (In a very less time)
2)I have decided to rate limit the IPTABLES so as to reduce such DOS attacks by some script kiddies (to scan for vulnerabilities in phpmyadmin or some other script) to some extent.So how much should it be limited so that genuine users do not get kicked out.What is the best practise for question 2?
 
Old 02-04-2011, 04:07 AM   #2
rosv
Member
 
Registered: Jul 2008
Distribution: Slackware, ubuntu
Posts: 53

Rep: Reputation: 15
Hi,
1. Making sure that you're not vulnerable to the most common default configuration/old software security holes is probabaly the easiest way to stay out of trouble. "Attacks" like these will always take place but won't be a big deal of you've done your configuration correctly.
 
Old 02-04-2011, 05:41 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 779Reputation: 779Reputation: 779Reputation: 779Reputation: 779Reputation: 779Reputation: 779
You might like the application called fail2ban. Instead of rate limiting the connections, which could and probably will impact valid users, you can target the script kiddies directly. I too received an attempt to locate myadmin on my site, which I do have, but it is not accessible via a public interface; the important point being that their URL guessing FAILS. With fail2ban, too many attempts to access invalid URL will result in a temporary blockage of their IP address. >99.99% of the time this is sufficient to make them go away.

Here is a log output from my fail2ban from yesterday which stopped this same activity cold:
Code:
2011-02-03 15:16:23,830 fail2ban.actions: WARNING [apache] Ban 82.208.56.105
2011-02-03 15:16:24,852 fail2ban.actions: WARNING [apache] 82.208.56.105 already banned
This particular one managed to get more connection attempts than normal before fail2ban was able to stop them, 19 total, but this occurred in about a two second window. Notice that the fail2ban log tried to ban them twice, which was based upon the number of log entries, but once triggered the first time they were shut down. See the following error logs:
Code:
[Thu Feb 03 15:16:21 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/scripts
[Thu Feb 03 15:16:21 2011] [error] [client 82.208.56.105] Re-negotiation request failed
[Thu Feb 03 15:16:21 2011] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/pma
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/mysql
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/phpMyAdmin
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/scripts
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] Re-negotiation request failed
[Thu Feb 03 15:16:22 2011] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/pma
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/mysql
[Thu Feb 03 15:16:22 2011] [error] [client 82.208.56.105] File does not exist: /var/www/scripts
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/phpMyAdmin
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] access to /usr/share/phpmyadmin/scripts failed, reason: SSL connection required
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/pma
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/mysql
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/phpMyAdmin
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/scripts
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] access to /usr/share/phpmyadmin/scripts failed, reason: SSL connection required
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/pma
[Thu Feb 03 15:16:23 2011] [error] [client 82.208.56.105] File does not exist: /var/www/mysql
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Rate limiting problem XeonSX Linux - Newbie 2 01-22-2011 08:57 PM
Connection rate limiting rodm13 Linux - Networking 1 11-16-2007 06:31 AM
Rate limiting with Iptables on port 21 rino2003 Linux - Networking 1 12-26-2004 07:34 PM
Problem accessing webserver when using iptable. Sheridan1977 Linux - Security 7 04-28-2004 07:16 PM
Kernel Rate Limiting mikeyt_3333 Linux - Networking 1 10-25-2001 12:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration