LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 11-27-2010, 05:31 PM   #1
CapnStank
Member
httpd security question


Hey guys,

I have a computer set up running an Apache httpd server with the basic LAMP functionality. I logged into the server today and noticed numerous attempts by a remote IP to access various files on my server.

Code:
[Fri Nov 26 07:37:56 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.1-rc1
[Fri Nov 26 07:37:56 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.1
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.2
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/sqlmanager
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysqlmanager
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/p
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/PMA2005
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/pma2005
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpmanager
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/php-myadmin
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpmy-admin
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/webadmin
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/sqlweb
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/websql
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/webdb
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysqladmin
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysql-admin
There are many, many more lines similar to this, but it's obvious that a remote host was attempting to run my phpMyAdmin page and gain access.

My question is: since I'm a novice at running httpd, what sort of things should I be looking out for in regards to security and configuration to prevent any attacks, or is this common and should it just be ignored?

I do run phpMyAdmin on the server and have configured MySQL to not have blank passwords or user accounts. The database had no new changes to it so I doubt they actually accessed it.

Am I just paranoid or is there something I should look at doing?
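The log excerpt above is a recognisable pattern: one client requesting many distinct database-console directory names within a few seconds. As an added example (not code from the thread), the script below parses the Apache 2.2 error_log format shown in the post, groups "File does not exist" entries per client, and flags a client as a scanner when it asks for at least five admin-looking paths inside a one-minute window. The sample log is constructed from seven of the post's own lines plus one benign 404 from a documentation-range address; the hint list, thresholds and function names are assumptions.

```python
"""Spot database-console path scanning in an Apache error log.

Added example, not code from the thread: it parses the Apache 2.2
error_log format shown in the original post and flags a client that
probes many distinct admin-looking paths within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the post's error_log lines, e.g.
# [Fri Nov 26 07:37:56 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.1
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Substrings typical of database-console probes (an assumed starter list,
# derived from the paths in the post; extend it from your own logs).
ADMIN_HINTS = ("phpmyadmin", "phpmy", "myadmin", "pma", "mysql", "sql",
               "webadmin", "webdb", "phpmanager")

# Constructed sample: seven of the post's lines plus one benign 404 from
# another (documentation-range) address.
SAMPLE_LOG = """\
[Fri Nov 26 07:37:56 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.1
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/sqlmanager
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/p
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/PMA2005
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/php-myadmin
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/webdb
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysqladmin
[Fri Nov 26 08:02:11 2010] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
"""


def parse_line(line):
    """Return (timestamp, client_ip, path), or None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip"), m.group("path")


def is_admin_probe(path):
    """True when the requested directory name looks like a database console."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(hint in name for hint in ADMIN_HINTS)


def summarize(lines, min_admin_paths=5, window_seconds=60):
    """Per-client summary; 'scanner' is True when a client requested at least
    min_admin_paths distinct admin-looking paths within window_seconds."""
    seen = defaultdict(lambda: {"times": [], "paths": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # other error types, blank lines
        ts, ip, path = parsed
        seen[ip]["times"].append(ts)
        seen[ip]["paths"].add(path)
    report = {}
    for ip, rec in seen.items():
        admin_paths = sorted(p for p in rec["paths"] if is_admin_probe(p))
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        report[ip] = {
            "requests": len(rec["times"]),
            "distinct_paths": len(rec["paths"]),
            "admin_paths": admin_paths,
            "span_seconds": span,
            "scanner": len(admin_paths) >= min_admin_paths and span <= window_seconds,
        }
    return report


def scanner_ips(report):
    """Clients worth a closer look (or a firewall rule, as the replies suggest)."""
    return sorted(ip for ip, r in report.items() if r["scanner"])


def run_sample():
    return summarize(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, r in run_sample().items():
        flag = "SCANNER" if r["scanner"] else "ok"
        print(f"{ip:16} {r['requests']:3} req  {len(r['admin_paths']):2} admin paths  "
              f"in {r['span_seconds']:.0f}s  {flag}")
```

Run it against your real error_log with `summarize(open("/var/log/httpd/error_log"))`; a client that trips the heuristic is a scan to note, not evidence of a compromise, so the check that matters is whether any of the probed paths actually exists on your server and what the access_log shows for it.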
Old 11-27-2010, 06:06 PM   #2
Noway2
Senior Member
You are going to get attempts like this. It is one of the side effects of running a web server. What you can do is:
1 - make sure your system stays up to date. This includes your Linux system, Apache, PHP, SQL, and any other 'server' process you run
2 - Consider making critical applications like your phpMyAdmin available only via your local LAN or by localhost, by binding the host that can access them to the appropriate interface. Otherwise, I'd look into securing web pages so that at a minimum a user name and password are required to access them, and preferably a browser certificate. You should also put these pages on an HTTPS page rather than HTTP to prevent packet sniffing. (.htaccess is a good place to start.)
3 - Start to learn about the threats that web servers carry, such as cross site scripting.
4 - analyze your logs regularly to look for signs of trouble. Logwatch can be of benefit here.
5 - install and run an intrusion detection system
6 - use a firewall, either hardware (a router) or software (iptables). By default, Linux does not open ports, but a firewall will help add a layer of protection against the unintended and unforeseen. Only open the ports necessary.
7 - Learn about the Apache add-ons such as mod_security.
8 - consider applications such as fail2ban which look at the logs and impede script kiddies and scanners. Then pay attention, as best you can, and if you notice a repeat offender, then consider creating a black list and denying access to them permanently.
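Point 2 above is the one that removes the risk rather than just the noise. As an added example (not from the thread or from Noway2), here is one way to express it in Apache 2.2 configuration, the version whose error_log format appears in the post: the console is served under a non-default path, reachable only from the LAN and the host itself, behind a password, and only over HTTPS. The install path, the LAN range 192.168.1.0/24, the alias name and the htpasswd file location are assumptions; on Fedora the phpMyAdmin package ships its own /etc/httpd/conf.d/phpMyAdmin.conf, so edit that file rather than adding a second Alias.

```apache
# Added example, not from the thread. Assumptions: phpMyAdmin is installed in
# /usr/share/phpMyAdmin, the LAN is 192.168.1.0/24, mod_ssl is loaded, and the
# password file was created with:
#   htpasswd -c /etc/httpd/conf/pma.htpasswd admin

# Serve the console under a non-default path (scanners try the default names
# seen in the post's log).
Alias /dbconsole-7f3a /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin>
    # Network restriction: deny everyone, then allow localhost and the LAN.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 ::1 192.168.1.0/24

    # Authentication on top of the network restriction.
    AuthType Basic
    AuthName "Database console"
    AuthUserFile /etc/httpd/conf/pma.htpasswd
    Require valid-user

    # Both the address check and the password must pass (this is the default,
    # stated explicitly so nobody relaxes it to "Any" by accident).
    Satisfy All

    # Refuse plain HTTP so the credentials are never sent in the clear.
    SSLRequireSSL
</Directory>
```

After a `service httpd configtest` and reload, a request from outside the LAN gets 403 before any authentication prompt, and a plain-HTTP request from inside gets 403 from SSLRequireSSL; both outcomes appear in error_log, which is exactly what point 4 (reading the logs) and point 8 (feeding them to fail2ban) build on. On Apache 2.4 the three Order/Deny/Allow lines become `Require ip 127.0.0.1 ::1 192.168.1.0/24` combined with `Require valid-user` inside a `<RequireAll>` block.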
Old 11-27-2010, 06:30 PM   #3
CapnStank
Member
Excellent information. I run it behind a router with only the HTTP port (80) open and use iptables as much as possible. As for #5, however, are there any personal recommendations I should look into?
Old 11-28-2010, 06:45 AM   #4
Noway2
Senior Member
I personally use a combination of Snort and OSSEC. Snort watches all of the network traffic and reports any issues that it sees. OSSEC watches the system for any changes, such as an above-average number of log entries, first-time access by users, and system file checksum changes.

I have also seen a lot of recommendations for a program called Samhain. I haven't looked at it in depth, but on the surface it too looks like a good choice.

While generally easy to install, these programs take effort to maintain. You need to be diligent about updating the 'rules' that are used to analyze traffic, watch the log reports, and even learn to tweak them as you will get a lot of false positives until you customize it more to your specific network.
Old 11-28-2010, 07:30 AM   #5
LyCC
LQ Newbie
I have that all the time. I'm 99.99% sure that those are bots checking all the sites, most likely for software that a hacker knows has a weakness. So an easy solution is to rename the original folders to something else or move them into some non-public folder. Bots don't check every possibility, just whether the most common folder names exist or not, like in your logs ...
Of course you can take extra security measures (a much better solution), but at least take my advice, and rename software like phpMyAdmin or move it to a non-public subfolder with an uncommon name.
This measure should be taken all the time, even if you have additional protection.

PS: if you have an open SSH or FTP port, it's a very good idea to move them to other ports, or close them if it's not absolutely necessary to have them public. My SSH log was full of attempts, about 300.000 / day, until I closed these ports via the firewall. Of course these were also bots, like those seeking phpMyAdmin locations ...
Old 11-28-2010, 07:43 AM   #6
unSpawn
Moderator
Quote:
Originally Posted by Noway2
I have also seen a lot of recommendations for a program called Samhain. I haven't looked at it in depth, but on the surface it too looks like a good choice.
Samhain can be compared to AIDE, except it runs as a daemon and provides more checks and methods when compared to AIDE (or OSSEC-HIDS). It can encrypt its database, run in client-server mode, watch kernel addresses, the process table, network ports and user logins, run setuid checks, send syslog and email warnings, et cetera.
Old 11-28-2010, 05:42 PM   #7
RudyGomez
LQ Newbie
IMHO, don't ever use default folder names and/or ports. Change them whenever possible.
Even if bots don't get in, the ton of logs and wasted bandwidth can be overwhelming.

--if you're gonna leave your keys in your car, it pays to drive a monster truck (one just tall enough so no one can see them.)

-rg