Getting a TON of IP attacks... Request for Open-Sourced IDS program

David Cary Hart Fedora at TQMcube.com
Thu Nov 10 17:54:36 UTC 2005


On Thu, 2005-11-10 at 09:12 -0800, Daniel B. Thurman wrote:

> /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /blog/xmlrpc.php: 1 Time(s)
> /blog/xmlsrv/xmlrpc.php: 1 Time(s)
> /blogs/xmlsrv/xmlrpc.php: 1 Time(s)
> /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
> /drupal/xmlrpc.php: 1 Time(s)
> /favicon.ico: 1 Time(s)
> /phpgroupware/xmlrpc.php: 1 Time(s)
> /wordpress/xmlrpc.php: 1 Time(s)
> /xmlrpc.php: 2 Time(s)
> /xmlrpc/xmlrpc.php: 1 Time(s)
> /xmlsrv/xmlrpc.php: 1 Time(s)
> 
There's a script floating around. I have seen the same sequence
repeatedly. Favicon.ico is not a hack. It's looking for the default URL
icon which you might want to create.

1. Modsecurity is a nifty tool but at the cost of memory, cycles and
httpd response speed.

2. You can have swatch watch the logs and add rules to IPTables based on
regular expressions. Swatch is a perl script that is economical to use
and does not interfere with HTTPD. Since many people have difficulty
with swatch, I'll give you my command line:
        /usr/bin/swatch --use-cpan-file-tail \
        --config-file=/etc/swatch.conf --daemon \
        --awk-field-syntax --tail-file=/var/log/httpd/access_log
        
        Works for me - YMMV

3. If you are running awstats, make sure that you have the most recent
version. Even then, I have it password protected via httpd.conf.

4. Snort is the best intrusion detector around. The default rules are a
tad paranoid. Snort does have a rather large footprint.

5. The best GUI to iptables (IMO) is webmin.

6. If it makes you feel better, you can make permanent redirects of
repeated hacks to your own "FBI" or "Law Enforcement" page, e.g.: Redirect
permanent /blog /hack.htm

-- 
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.htm
              RBLDNSD HowTo: http://www.TQMcube.com/rbldnsd.htm
            Multi-RBL Check: http://www.TQMcube.com/rblcheck.htm
Tired of spam? Do YOUR part: http://www.BoulderPledge.org
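The log-watching approach in item 2 (match probe URLs in access_log, then add an iptables rule for the source) can be written out in a few lines of Python so the matching logic is readable and testable. This is an added example and not part of the post, swatch, or any project; the log lines are constructed from the URLs quoted in the thread using documentation IP ranges, the ALLOWLIST entries and the threshold of 2 are assumptions, and the script only returns the iptables commands as strings rather than executing them.

```python
"""Swatch-style log watcher rewritten in Python (added example, not swatch itself).

Reads Apache combined-format access_log lines, matches the probe URLs quoted in
the thread (awstats configdir injection, xmlrpc.php scans across CMS paths),
counts hits per client IP and builds the iptables command that would block each
offender.  Commands are returned, not executed, so they can be reviewed first.
"""
import re
from collections import Counter

# Apache combined log format: client IP is the first field, request is quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Patterns derived from the URLs quoted in the thread.
PROBE_PATTERNS = [
    re.compile(r'/awstats\.pl\?configdir=\|', re.I),   # awstats configdir pipe injection probe
    re.compile(r'/xmlrpc\.php(?:\?|$)', re.I),          # xmlrpc.php scan (/blog, /drupal, /wordpress, ...)
]

# Sources that must never be blocked (assumed values: localhost and a monitoring host).
ALLOWLIST = {"127.0.0.1", "192.0.2.10"}

# Constructed sample log: one scanner, one normal visitor, one allowlisted monitor.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Nov/2005:09:12:01 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 293 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Nov/2005:09:12:02 -0800] "GET /blog/xmlrpc.php HTTP/1.1" 404 288 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Nov/2005:09:12:02 -0800] "GET /xmlrpc.php HTTP/1.1" 404 288 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Nov/2005:09:15:44 -0800] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2005:09:15:45 -0800] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2005:09:16:00 -0800] "GET /xmlrpc.php HTTP/1.1" 200 1200 "-" "monitor/1.0"
"""


def parse_line(line):
    """Return the named fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the request target matches one of the known probe patterns.

    favicon.ico is deliberately not listed: as the post says, it is a browser
    asking for the default icon, not an attack.
    """
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan(lines, threshold=2):
    """Count probe hits per client IP; return {ip: hits} for IPs at or over threshold.

    Allowlisted sources are skipped before counting so a misbehaving monitor
    can never lock you out.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in ALLOWLIST:
            continue
        if is_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def iptables_commands(offenders):
    """Build one DROP rule per offending IP (strings only; nothing is executed here)."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    for cmd in iptables_commands(scan(SAMPLE_LOG.splitlines())):
        print(cmd)
```

The threshold keeps a single stray hit from blocking anyone; the scanner in the sample trips it on its second request. Replacing `SAMPLE_LOG.splitlines()` with a loop over a tailed file handle gives the same behaviour swatch provides with `--tail-file`, and the returned command list is the point at which to decide whether to call subprocess or just log.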
