Getting a TON of IP attacks... Request for Open-Sourced IDS program
David Cary Hart
Fedora at TQMcube.com
Thu Nov 10 17:54:36 UTC 2005
On Thu, 2005-11-10 at 09:12 -0800, Daniel B. Thurman wrote:
> /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /blog/xmlrpc.php: 1 Time(s)
> /blog/xmlsrv/xmlrpc.php: 1 Time(s)
> /blogs/xmlsrv/xmlrpc.php: 1 Time(s)
> /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
> /drupal/xmlrpc.php: 1 Time(s)
> /favicon.ico: 1 Time(s)
> /phpgroupware/xmlrpc.php: 1 Time(s)
> /wordpress/xmlrpc.php: 1 Time(s)
> /xmlrpc.php: 2 Time(s)
> /xmlrpc/xmlrpc.php: 1 Time(s)
> /xmlsrv/xmlrpc.php: 1 Time(s)
>
There's a script floating around. I have seen the same sequence
repeatedly. Favicon.ico is not a hack. It's looking for the default URL
icon which you might want to create.
1. Modsecurity is a nifty tool but at the cost of memory, cycles and
httpd response speed.
2. You can have swatch watch the logs and add rules to IPTables based on
regular expressions. Swatch is a perl script that is economical to use
and does not interfere with HTTPD. Since many people have difficulty
with swatch, I'll give you my command line:
/usr/bin/swatch --use-cpan-file-tail \
--config-file=/etc/swatch.conf --daemon \
--awk-field-syntax --tail-file=/var/log/httpd/access_log
Works for me - YMMV
3. If you are running awstats, make sure that you have the most recent
version. Even then, I have it password protected via httpd.conf.
4. Snort is the best intrusion detector around. The default rules are a
tad paranoid. Snort does have a rather large footprint.
5. The best GUI to iptables (IMO) is webmin.
6. If it makes you feel better, you can make permanent redirects of
repeated hacks to your own "FBI" or "Law Enforcement" page, e.g.: Redirect
permanent /blog /hack.htm
--
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.htm
RBLDNSD HowTo: http://www.TQMcube.com/rbldnsd.htm
Multi-RBL Check: http://www.TQMcube.com/rblcheck.htm
Tired of spam? Do YOUR part: http://www.BoulderPledge.org
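As an added example (not code from the original post or from swatch itself), the following Python script does the detection half of what point 2 above describes: it tails nothing, but reads Apache combined-format access_log lines, matches the two probe families quoted in the thread (the awstats `configdir=|...` command-injection attempts and the `xmlrpc.php` directory sweep), skips `/favicon.ico` as benign, and emits one iptables DROP rule per offending client address. The rules are returned as strings rather than executed; in swatch the equivalent would be a `watchfor` stanza with an `exec` action. The signature names, the documentation-range IP addresses and the sample log lines are all constructed for illustration and are assumptions, not real traffic.

```python
"""
Added example (not from the original mailing-list post): a swatch-style
log matcher in Python. It scans Apache combined-format access_log lines
for the probe patterns listed in the thread (awstats configdir command
injection, xmlrpc.php scans) and builds an iptables DROP rule per
offending client address. Signature names, IPs and log lines below are
constructed for illustration.
"""
import re
from collections import OrderedDict

# Apache combined log format:
# ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures modelled on the probes quoted in the thread (names are assumptions).
# Applied to the raw, still URL-encoded request path; the pipe may arrive literal or as %7c.
SIGNATURES = [
    ("awstats-configdir-cmdinject", re.compile(r'/awstats\.pl\?.*configdir=(\||%7c)', re.I)),
    ("xmlrpc-scan", re.compile(r'/xmlrpc\.php$', re.I)),
]

# Looks alarming in a scan summary but is just browsers fetching the site icon.
BENIGN = re.compile(r'^/favicon\.ico$', re.I)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the name of the first signature a request path matches, or None."""
    if BENIGN.match(path):
        return None
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None


def scan(lines):
    """Yield (ip, signature, path) for every parseable line that matches a signature."""
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line: skip, never block on garbage
        sig = classify(rec["path"])
        if sig:
            yield rec["ip"], sig, rec["path"]


def iptables_rules(hits):
    """Build one 'iptables -I INPUT -s <ip> -j DROP' string per distinct IP,
    in first-seen order, tagged with the signature that triggered it.
    Rules are returned, not executed."""
    seen = OrderedDict()
    for ip, sig, _path in hits:
        seen.setdefault(ip, sig)
    return [f"iptables -I INPUT -s {ip} -j DROP  # {sig}" for ip, sig in seen.items()]


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Nov/2005:09:12:01 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 291 "-" "-"',
    '198.51.100.7 - - [10/Nov/2005:09:12:02 -0800] "GET /blog/xmlrpc.php HTTP/1.1" 404 288 "-" "-"',
    '203.0.113.9 - - [10/Nov/2005:09:13:10 -0800] "GET /favicon.ico HTTP/1.1" 404 286 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2005:09:13:11 -0800] "GET /index.html HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Nov/2005:09:14:00 -0800] "GET /xmlrpc.php HTTP/1.0" 404 284 "-" "-"',
    'this line is garbage and should be skipped',
]

if __name__ == "__main__":
    for rule in iptables_rules(scan(SAMPLE_LOG)):
        print(rule)
```

Run as-is it prints two DROP rules, one for each scanning address, and nothing for the browser that only fetched `/favicon.ico` and `/index.html`. Matching on the still-encoded path is deliberate: the probe is recognisable either way, and decoding first would only widen the surface for a crafted request to confuse the matcher.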