[oclug]Apache Logs

Bart Trojanowski bart-oclug at jukie.net
Wed Oct 30 13:51:35 EST 2002


* Brian's Linux Box <b_mckee at myrealbox.com> [021030 13:22]:
> Good Afternoon All
> 
>     Well, www.bmckee.ca is 'on the air'
> Don't bother running over to look unless you want to look at family
> pictures.  Content is pretty thin at the moment.  :-)
> 
>     At any rate - I looked at the error log for the first time and was
> startled by what looks to me like script kiddie hacking attempts
> For example
> 
> [Sun Oct 27 07:41:42 2002] [error] [client XX.XX.XX.XX] File does not exist:
> /var/www/html/MSADC/root.exe
> 
> And
> [Sun Oct 27 07:42:04 2002] [error] [client XX.XX.XX.XX] File does not exist:
> /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> 
> Somehow I can't see that working on my RedHat system.

I just block these IPs.  Attempting to execute cmd.exe is an obvious
search for an exploit.

I installed 'snort' and 'guardian.pl' which together automatically block
the IP addresses of the hosts that attempt such exploits.

Snort, out of the box, has a pretty high rate of detecting false
positives.  And guardian is a very stupid script which just does what
snort tells it to do.  It does however have an 'ignore' list that you
can customize to include all 'trusted' IPs.  Make sure to add your
internal hosts as they are likely to trigger some possible-intrusion
checks especially if you run NFS.

For the first few weeks you run guardian I suggest checking your deny
list constantly to make sure that nothing bad snuck in.

I customized my block.sh to the following:

#!/bin/sh
# block.sh: guardian calls this with the offending source IP and the
# interface the packets arrived on.
source=$1
interface=$2

# Create the guardian chain if it does not exist yet.
if ! /sbin/iptables -L guardian > /dev/null 2>&1 ; then
	/sbin/iptables -N guardian
fi

# Make INPUT hand packets to the guardian chain, but only add the jump once.
if ! /sbin/iptables-save | grep -q '^-A INPUT -j guardian' ; then
	/sbin/iptables -I INPUT -j guardian
fi

# Only add a DROP rule when both arguments were actually supplied.
if [ -n "$source" ] && [ -n "$interface" ] ; then
	/sbin/iptables -I guardian -s "$source" -i "$interface" -j DROP
fi

This creates a guardian chain for all the snort detected alerts.

To prevent maintaining a long list of entries in the chain, guardian
removes these entries (with a mirror unblock.sh script) after a
configurable time.

It all works pretty well after some tweaking.

B.

-- 
				WebSig: http://www.jukie.net/~bart/sig/
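As an added example (not part of Bart's post, and not code from snort or guardian), here is the manual version of the first half of what snort/guardian automate in this thread: pull the client addresses that asked for the IIS-only paths Brian saw (root.exe, cmd.exe behind a ..%5c traversal) out of Apache error_log lines, so you can look at who is probing before anything gets dropped. The log lines inside the script are constructed samples using the 192.0.2.0/24 documentation range; the pattern list, the function name and the error_log path are assumptions, not anything the original scripts use.

```shell
#!/bin/sh
# Added example, not code from the original post or from guardian/snort.
# Pulls the client addresses that probed for the IIS-only paths Brian saw
# (root.exe, cmd.exe via ..%5c traversal) out of Apache error_log lines.
# On a Linux Apache host a request for any of these is a scanner, not a user.

# Extended regex of path fragments that never exist on this box (assumed list).
PROBE_PATTERNS='MSADC/root\.exe|system32/cmd\.exe|\.\.%5c'

# Constructed sample log lines (192.0.2.0/24 is a documentation range, not a
# real client); the real file is normally /var/log/httpd/error_log.
SAMPLE_LOG='[Sun Oct 27 07:41:42 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/MSADC/root.exe
[Sun Oct 27 07:42:04 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Oct 27 08:00:00 2002] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
[Sun Oct 27 08:05:13 2002] [error] [client 192.0.2.77] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe'

# probing_clients: read error_log lines on stdin, print "hits ip" for every
# client that requested one of the probe paths, busiest client first.
# Only "File does not exist" lines are considered, and only those naming a
# probe path, so an ordinary 404 (favicon.ico above) never counts.
probing_clients() {
    grep -E "File does not exist: .*($PROBE_PATTERNS)" \
    | sed -n 's/.*\[client \([0-9.][0-9.]*\)].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Usage: sh probes.sh /var/log/httpd/error_log   (no argument: run the sample)
if [ $# -gt 0 ]; then
    cat "$@" | probing_clients
else
    printf '%s\n' "$SAMPLE_LOG" | probing_clients
fi
```

On the sample this prints `2 192.0.2.10` and `1 192.0.2.77`; each address in that output is exactly the kind of thing you would hand to block.sh as its first argument. The point of keeping the count is the one Bart makes about guardian's deny list: look at the list before trusting it, and compare it against your own internal hosts (anything behind NAT shows up as one address) before a rule lands in the guardian chain.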