note on security paranoia [wasRe: [oclug]Apache Logs]

Shad Young shad.young at sympatico.ca
Wed Oct 30 14:12:47 EST 2002 

One thing this list is famous for is an absolute security paranoia. It is
important for all to understand a bit more about what is happening in your
logs. Log interpretation is the biggest area of concern for me. I once had a
client who was log obsessed. So I was forced to look for a year at almost
ever log entry he had. There is so little consistency in log data that
interpretation is difficult at best. some reasons why:

1) Lack of consistency. Logger is often fooled by external protocols.

2) Lack of understanding of non Linux protocols. In your particular case, as
I watch the flood of misinformation come in, the lack of understanding of MS
FrontPage's .net extensions and other non Linux RPC get said protocols
labeled as hack attempts.

3) Lack of understanding about how search engines and harvesters work.
search engines and harvesters are trying to reach every nook and cranny of
your system looking for information to either index or harvest. They trigger
all kinds of things and make all kinds of log noise. In today's supercluster
search engined world, you will get indexed in as little as 15 minutes from
going live... it may even be a proxy server somewhere close to you.. but "oh
god... who is that... *block*".

4) a lack of understanding of the calls your -own- system makes. Put a
packet sniffer on your own box and then listen... half the log entries are
your own reflections due to cookies and other remote communication devices.
<--- this is the scary part folks, not imagined script kiddies.

May advice take it slow, do not panic and enjoy your box... Nobody wants to
break in and steal your family pictures :)

Shad
----- Original Message -----
From: "Brian's Linux Box" <b_mckee at myrealbox.com>
To: <oclug at lists.oclug.on.ca>
Sent: Wednesday, October 30, 2002 1:21 PM
Subject: [oclug]Apache Logs


> Good Afternoon All
>
>     Well, www.bmckee.ca is 'on the air'
> Don't bother running over to look unless you want to look at family
> pictures.  Content is pretty thin at the moment.  :-)
>
>     At any rate - I looked at the error log for the first time and as
> startled by what looks to me like script kiddie hacking attempts
> For example
>
> [Sun Oct 27 07:41:42 2002] [error] [client XX.XX.XX.XX] File does not
exist:
> /var/www/html/MSADC/root.exe
>
> And
> [Sun Oct 27 07:42:04 2002] [error] [client XX.XX.XX.XX] File does not
exist:
> /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
>
> Somehow I can't see that working on my RedHat system.
>
> So, judging by how soon these entries started, this obviously is pretty
> common.
> Question one -  Is there anything I can or should do?  I.e. Chase IP
numbers
> back to ISP's and report them?  Add them to the hosts.deny? Or something
> else?  Do any of you that are running webservers take a pro-active
response
> to entries like these or just do your best to bar the door and ignore
them?
>
> Second question - can anyone suggest an Apache for neophytes type book -
> preferable one that contains at least a chapter on security?
>
> Brian
>
> _______________________________________________
> oclug mailing list
> oclug at lists.oclug.on.ca
> http://www.oclug.on.ca/mailman/listinfo/oclug

More information about the OCLUG mailing list