Linux - Server forum, LinuxQuestions.org

httpd security question

#1 | 11-27-2010, 05:31 PM | Member | Registered: Oct 2009 | Distribution: Fedora, HPUX | Posts: 31
Hey guys,
I have a computer set up running an apache httpd server with the basic LAMP functionality. I logged into the server today and noticed numerous attempts by a remote IP to access various files on my server.
Code:
[Fri Nov 26 07:37:56 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.1-rc1
[Fri Nov 26 07:37:56 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.1
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.2
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/sqlmanager
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysqlmanager
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/p
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/PMA2005
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/pma2005
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpmanager
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/php-myadmin
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpmy-admin
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/webadmin
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/sqlweb
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/websql
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/webdb
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysqladmin
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysql-admin
There are many, many more lines similar to this, but it's obvious that a remote host was attempting to run my phpMyAdmin page and gain access.
My question is: since I'm a novice at running httpd, what sort of things should I be looking out for in regards to security and configuration to prevent any attacks? Or is this common and should it just be ignored?
I do run phpMyAdmin on the server and have configured MySQL to not have blank passwords or user accounts. The database had no new changes to it, so I doubt they actually accessed it.
Am I just paranoid, or is there something I should look at doing?
#2 | 11-27-2010, 06:06 PM | Senior Member | Registered: Jul 2007 | Distribution: Gentoo | Posts: 2,125
You are going to get attempts like this. It is one of the side effects of running a web server. What you can do is:
1 - Make sure your system stays up to date. This includes your Linux system, Apache, PHP, SQL, and any other 'server' process you run.
2 - Consider making critical applications like your MyAdmin available only via your local LAN or by localhost, by binding the hosts that can access them to the appropriate interface. Otherwise, I'd look into securing web pages so that at a minimum a user name and password are required to access them, and preferably a browser certificate. You should also put these pages on an HTTPS page rather than HTTP to prevent packet sniffing. (.htaccess is a good place to start.)
3 - Start to learn about the threats that web servers carry, such as cross-site scripting.
4 - Analyze your logs regularly to look for signs of trouble. Logwatch can be of benefit here.
5 - Install and run an intrusion detection system.
6 - Use a firewall, either hardware (a router) or software (iptables). By default, Linux does not open ports, but a firewall will help add a layer of protection against the unintended and unforeseen. Only open the ports necessary.
7 - Learn about the Apache add-ons such as mod-security.
8 - Consider applications such as fail2ban, which look at the logs and impede script kiddies and scanners. Then pay attention, as best you can, and if you notice a repeat offender, consider creating a blacklist and denying access to them permanently.
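As an added example (not code from the thread), here is a small Python script that does the log analysis item 4 of post #2 recommends, on the exact error_log format pasted in post #1: a client is flagged as a scanner when it requests several distinct non-existent paths within a short window, which is the kind of result you would feed into a fail2ban jail or a blacklist (item 8). The log lines are a constructed sample; the threshold and window size are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 error_log format, as in the lines pasted in post #1.
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                    r"File does not exist: (?P<path>\S+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_missing_file_errors(lines):
    """Yield (timestamp, client_ip, path) for each 'File does not exist' line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["path"]

def find_probing_clients(lines, threshold=5, window_seconds=60):
    """Map client IP -> sorted distinct missing paths, for clients that hit at
    least `threshold` distinct non-existent paths inside `window_seconds`.
    A stale link yields one or two 404s; a scanner yields dozens in seconds."""
    by_ip = defaultdict(list)
    for ts, ip, path in parse_missing_file_errors(lines):
        by_ip[ip].append((ts, path))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                flagged[ip] = sorted({p for _, p in events})
                break
    return flagged

# Constructed sample: five probes from the IP in post #1 plus one harmless 404.
SAMPLE_LOG = """\
[Fri Nov 26 07:37:56 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/phpMyAdmin-2.8.1
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/sqlmanager
[Fri Nov 26 07:37:57 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysqlmanager
[Fri Nov 26 07:37:58 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/webadmin
[Fri Nov 26 07:37:59 2010] [error] [client 72.167.161.46] File does not exist: /var/www/html/mysqladmin
[Fri Nov 26 09:12:03 2010] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
""".splitlines()

if __name__ == "__main__":
    for ip, paths in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct missing paths in one window")
```

Run it against a real error_log with `find_probing_clients(open("/var/log/httpd/error_log"))`; tune the threshold so a visitor following one stale link is never flagged.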
#3 | 11-27-2010, 06:30 PM | Member (Original Poster) | Registered: Oct 2009 | Distribution: Fedora, HPUX | Posts: 31
Excellent information. I run it behind a router with only the http port open (80) and use iptables as much as possible. As for #5, however, are there any personal recommendations I should look into?
#4 | 11-28-2010, 06:45 AM | Senior Member | Registered: Jul 2007 | Distribution: Gentoo | Posts: 2,125
I personally use a combination of Snort and Ossec. Snort watches all of the network traffic and reports any issues that it sees. Ossec watches the system for any changes, such as an above average number of log entries, first time access by users, and system file checksum changes.
I have also seen a lot of recommendations for a program called Samhain. I haven't looked at it in depth, but on the surface it too looks like a good choice.
While generally easy to install, these programs take effort to maintain. You need to be diligent about updating the 'rules' that are used to analyze traffic, watch the log reports, and even learn to tweak them as you will get a lot of false positives until you customize it more to your specific network.
#5 | 11-28-2010, 07:30 AM | LQ Newbie | Registered: Nov 2010 | Posts: 6
I have that all the time. I'm 99.99% sure that those are bots checking all the sites, most likely for software that a hacker knows has a weakness. So, an easy solution is to rename the original folders to something else or move them into some non-public folder. Bots don't check every possibility, just whether the most common folder names exist or not, like in your logs ...
Of course you can take extra security measures (a better solution), but at least take my advice, and for software like phpmyadmin, rename it or move it to a non-public subfolder with an uncommon name.
This measure should be taken all the time, even if you have additional protection.
PS: if you have an open ssh or ftp port, it's a very good idea to move them to other ports, or close them if it's not absolutely necessary to have them public. My ssh log was full of attempts, about 300.000 / day until I closed these ports via firewall. Of course these were also bots, like those seeking phpmyadmin locations ...
#6 | 11-28-2010, 07:43 AM | Moderator | Registered: May 2001 | Posts: 29,415
Quote (Originally Posted by Noway2): I have also seen a lot of recommendations for a program called Samhain. I haven't looked at it in depth, but on the surface it too looks like a good choice.
Samhain can be compared to Aide except it runs as a daemon and provides more checks and methods when compared to Aide (or OSSEC-HIDS). It can encrypt its database, run in client-server mode, watch kernel addresses, the process table, network ports, user logins, run setuid checks, syslog and email warnings, et cetera.
#7 | 11-28-2010, 05:42 PM | LQ Newbie | Registered: Nov 2010 | Location: South Florida | Posts: 20
IMHO, don't ever use default folder names and/or ports. Change them whenever possible.
Even if bots don't get in, the ton of logs and wasted bandwidth can be overwhelming.
--if you're gonna leave your keys in your car, it pays to drive a monster truck (one just tall enough so no one can see them.)
-rg
All times are GMT -5.