Robert Moskowitz
2013-Mar-06 13:17 UTC
[CentOS] Apache attacks - you can't stop them, or can you?
So I have this nice, simple web server up running. Its purpose is to allow me external testing with HIP, and to provide some files for external distribution. Of course, there it is sitting on port 80 and the attacks are coming in per logwatch report. Examples from the report include:

Requests with error response codes
404 Not Found
//phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
//phpMyAdmin-2.5.4/scripts/setup.php: 1 Time(s)
//phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
//phpMyAdmin-2.5.5-rc1/scripts/setup.php: 1 Time(s)
//phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
/muieblackcat: 1 Time(s)
/myadmin/scripts/setup.php: 2 Time(s)
/mysql-admin/scripts/setup.php: 1 Time(s)
/mysql/scripts/setup.php: 1 Time(s)
/mysqladmin/scripts/setup.php: 2 Time(s)
/mysqlmanager/scripts/setup.php: 1 Time(s)

Now these are only a few, though I am probably not being hit as hard as others out there.

My question is:

Is there a way to shut this nonsense down? Or because I am sending the 404, I am doing all that is reasonable to do?

I am wondering: if this list starts getting long, that is a lot of logging, and I probably don't need to log 404s?
Lorenzo Quatrini
2013-Mar-06 13:25 UTC
[CentOS] Apache attacks - you can't stop them, or can you?
On 06/03/2013 14:17, Robert Moskowitz wrote:
> So I have this nice, simple web server up running. Its purpose is to
> allow me external testing with HIP, and to provide some files for
> external distribution. Of course, there it is sitting on port 80 and
> the attacks are coming in per logwatch report. Examples from the report
> include:
>
> Requests with error response codes
> 404 Not Found
> //phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.4/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-rc1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
> /muieblackcat: 1 Time(s)
> /myadmin/scripts/setup.php: 2 Time(s)
> /mysql-admin/scripts/setup.php: 1 Time(s)
> /mysql/scripts/setup.php: 1 Time(s)
> /mysqladmin/scripts/setup.php: 2 Time(s)
> /mysqlmanager/scripts/setup.php: 1 Time(s)
>
> Now these are only a few, though I am probably not being hit as hard as
> others out there.
>
> My question is:
>
> Is there a way to shut this nonsense down? Or because I am sending the
> 404, I am doing all that is reasonable to do?
>

You could use fail2ban to reduce the load on the server; here is my config:

cat /etc/fail2ban/filter.d/apache-errorcode.conf
# Fail2Ban configuration file
#
# Author: Lorenzo Quatrini
#
# $Revision: 1 $
#

[Definition]

errorcode = 400|403|404

# Option: failregex
# Notes.: Regexp to catch bad request
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*" (?:%(errorcode)s)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

> I am wondering that if this list starts getting long, that is a lot of
> logging and I probably don't need to log 404s?
>

The "downside" of using fail2ban is that you will start receiving email about banned hosts; but that is configurable, as is the number of failed attempts before being banned. Also you can have "trusted" hosts that never get banned... but the manual explains this better than I can.

Regards
Lorenzo
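To see what Lorenzo's filter actually catches, here is an added example (not from the thread and not fail2ban's own code) that performs the same two substitutions fail2ban applies to the failregex and runs it over constructed Apache access-log lines, then applies a maxretry count per host. Assumptions: the <HOST> stand-in is IPv4-only (fail2ban's real tag also accepts hostnames and IPv6-mapped forms), and findtime is ignored.

```python
import re
from collections import defaultdict

# Filter values reproduced from Lorenzo's /etc/fail2ban/filter.d/apache-errorcode.conf
ERRORCODE = "400|403|404"
FAILREGEX = r'^<HOST> -.*"(GET|POST).*HTTP.*" (?:%(errorcode)s)'

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; fail2ban's own
# pattern also accepts hostnames and IPv6-mapped addresses). Like fail2ban,
# the address is captured as a named group called "host".
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed access-log lines (combined format): one scanner probing the
# paths from the logwatch report, one ordinary visitor with a missing favicon.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Mar/2013:13:00:01 +0000] "GET //phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 404 289 "-" "-"
192.0.2.10 - - [06/Mar/2013:13:00:01 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 281 "-" "-"
192.0.2.10 - - [06/Mar/2013:13:00:02 +0000] "GET /mysql/scripts/setup.php HTTP/1.1" 404 279 "-" "-"
192.0.2.10 - - [06/Mar/2013:13:00:02 +0000] "GET /muieblackcat HTTP/1.1" 404 268 "-" "-"
198.51.100.7 - - [06/Mar/2013:13:05:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2013:13:05:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
""".splitlines()


def compile_failregex(failregex=FAILREGEX, errorcode=ERRORCODE):
    """Interpolate %(errorcode)s, then replace <HOST>, as fail2ban does."""
    pattern = failregex % {"errorcode": errorcode}
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def failure_counts(log_lines):
    """Number of lines per client address that the failregex matches."""
    rx = compile_failregex()
    hits = defaultdict(int)
    for line in log_lines:
        m = rx.match(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def hosts_to_ban(log_lines, maxretry=3):
    """Addresses reaching maxretry matches (findtime window ignored here)."""
    return sorted(h for h, n in failure_counts(log_lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(failure_counts(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

The scanner crosses the threshold while the visitor's single favicon 404 does not, which is why maxretry matters with this filter: with maxretry=1 the ordinary visitor would be banned as well.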
Johnny Hughes
2013-Mar-06 16:58 UTC
[CentOS] Apache attacks - you can't stop them, or can you?
On 03/06/2013 07:17 AM, Robert Moskowitz wrote:
> So I have this nice, simple web server up running. Its purpose is to
> allow me external testing with HIP, and to provide some files for
> external distribution. Of course, there it is sitting on port 80 and
> the attacks are coming in per logwatch report. Examples from the report
> include:
>
> Requests with error response codes
> 404 Not Found
> //phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.4/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-rc1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
> /muieblackcat: 1 Time(s)
> /myadmin/scripts/setup.php: 2 Time(s)
> /mysql-admin/scripts/setup.php: 1 Time(s)
> /mysql/scripts/setup.php: 1 Time(s)
> /mysqladmin/scripts/setup.php: 2 Time(s)
> /mysqlmanager/scripts/setup.php: 1 Time(s)
>
> Now these are only a few, though I am probably not being hit as hard as
> others out there.
>
> My question is:
>
> Is there a way to shut this nonsense down? Or because I am sending the
> 404, I am doing all that is reasonable to do?
>
> I am wondering that if this list starts getting long, that is a lot of
> logging and I probably don't need to log 404s?

There is also mod_security ...

http://people.centos.org/hughesjr/mod_security/

You can read about what it is here:

http://www.modsecurity.org/
Tilman Schmidt
2013-Mar-06 17:31 UTC
[CentOS] Apache attacks - you can't stop them, or can you?
On 06.03.2013 14:17, Robert Moskowitz wrote:
> So I have this nice, simple web server up running. [...]
> the attacks are coming in per logwatch report. Examples from the report
> include:
>
> Requests with error response codes
> 404 Not Found
> //phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.4/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-rc1/scripts/setup.php: 1 Time(s)
> //phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
> /muieblackcat: 1 Time(s)
> /myadmin/scripts/setup.php: 2 Time(s)
> /mysql-admin/scripts/setup.php: 1 Time(s)
> /mysql/scripts/setup.php: 1 Time(s)
> /mysqladmin/scripts/setup.php: 2 Time(s)
> /mysqlmanager/scripts/setup.php: 1 Time(s)

That's the normal background noise of the Internet. Scans for known security holes. Hardly worth a bother. If it bothers you, set up fail2ban as Lorenzo proposed. Apart from that, take it as a reminder to keep up to date with the software you use to close known security holes as quickly as possible.

> My question is:
>
> Is there a way to shut this nonsense down? Or because I am sending the
> 404, I am doing all that is reasonable to do?
>
> I am wondering that if this list starts getting long, that is a lot of
> logging and I probably don't need to log 404s?

I wouldn't disable 404 logging. Even on my hardest-hit webservers the volume is not so big that it gets anywhere near causing an actual problem. And it's nice to be kept up to date about the latest exploits in your daily logwatch mail so if the hits are getting closer you can take evasive action. :-)

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Eero Volotinen
2013-Mar-06 17:47 UTC
[CentOS] Apache attacks - you can't stop them, or can you?
2013/3/6 Johnny Hughes <johnny at centos.org>:
> On 03/06/2013 07:17 AM, Robert Moskowitz wrote:
>> So I have this nice, simple web server up running. Its purpose is to
>> allow me external testing with HIP, and to provide some files for
>> external distribution. Of course, there it is sitting on port 80 and
>> the attacks are coming in per logwatch report. Examples from the report
>> include:
>>
>> Requests with error response codes
>> 404 Not Found
>> //phpMyAdmin-2.5.1/scripts/setup.php: 1 Time(s)
>> //phpMyAdmin-2.5.4/scripts/setup.php: 1 Time(s)
>> //phpMyAdmin-2.5.5-pl1/scripts/setup.php: 1 Time(s)
>> //phpMyAdmin-2.5.5-rc1/scripts/setup.php: 1 Time(s)
>> //phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
>> /muieblackcat: 1 Time(s)
>> /myadmin/scripts/setup.php: 2 Time(s)
>> /mysql-admin/scripts/setup.php: 1 Time(s)
>> /mysql/scripts/setup.php: 1 Time(s)
>> /mysqladmin/scripts/setup.php: 2 Time(s)
>> /mysqlmanager/scripts/setup.php: 1 Time(s)
>>
>> Now these are only a few, though I am probably not being hit as hard as
>> others out there.
>>
>> My question is:
>>
>> Is there a way to shut this nonsense down? Or because I am sending the
>> 404, I am doing all that is reasonable to do?
>>
>> I am wondering that if this list starts getting long, that is a lot of
>> logging and I probably don't need to log 404s?
>
> There is also mod_security ...
>
> http://people.centos.org/hughesjr/mod_security/
>
> You can read about what it is here:

ossec also blocks this kind of web scanners with active response enabled.

--
Eero