script kiddie's


ixthus
12-19-2002, 05:55 PM
Hello,

I've been running RH8.0 for about a week now, and this is my first delving into a *nix based OS in about 20 years. Within the first 2 hours of forwarding port 80 to my Linux box, the access log started capturing script kiddies probing. Except for a couple of malformed ones, the probes were directed toward windoz NT based systems.

What is the best direction toward securing an HTTP web server from these numskulls?


The Iptables Basics NHF looks pretty straightforward, yet this is more of an after-the-fact solution.

Any ideas Please

ixthus
<><

ferreter
12-19-2002, 06:03 PM
A nice hardware firewall is fairly cheap nowadays; that's a good place to start.

ixthus
12-19-2002, 11:20 PM
Unfortunately, new hardware is not an option, so I've utilized the NHF on Armoring Linux and I've copied the IPs into host.deny [like paddling upstream :eek: ].

thanks for the response. :)

ixthus <><

monkeyboi
12-20-2002, 01:09 AM
if u see something like
GET /nt/xxx/command.com?xxxxxxxxx

then it's probably the nimda worm scanning ur server and trying to infect u...

but no need to worry... u hav the protection of *nix hehehe...

it only infect IIS in winbloze...

ixthus
12-20-2002, 11:17 AM
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 351 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 351 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 361 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 361 "-" "-"
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 339 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-"


monkeyboi,

This is what I'm seeing, and I suspected as much.... I appreciated your assistance and confirmation.

ixthus <><

monkeyboi
12-20-2002, 08:09 PM
yap it's nimda or codered worm......
stupid ppl who runs ISS ahahaha

iDxMan
12-26-2002, 12:08 AM
I get those all day, every day. It's my fine broadband neighbors. I wouldn't pay much attention (or take the time to copy every IP into hosts.deny) since you'd quickly have hundreds of IPs to add.

If you're interested - here's a quick perl script I whipped up long ago to summarize the attacks by IP. (assuming your access_log is in "common" format)


#!/usr/bin/perl
use strict;
use warnings;

# Summarise IIS-worm probes (cmd.exe, root.exe, default.ida) per source IP,
# reading an Apache access_log in "common" format.
die "Usage $0 /path/to/access_log\n" if (!@ARGV);

my %data;

while (<>)
{
    chomp;

    if (/(cmd|root)\.exe|default\.ida/)
    {
        # common format starts with the client IP; the timestamp sits in [...]
        my ($ip, undef, $date) = /^((\d{1,3}\.){3}\d{1,3}).+\[(.*)\]/;
        next unless defined $ip;    # skip lines that do not parse

        $data{$ip}{COUNT}++;
        $data{$ip}{LAST} = $date;
    }
}

# most active sources first
foreach my $x (sort { $data{$b}{COUNT} <=> $data{$a}{COUNT} } keys %data)
{
    print "IP: $x\tAttacks: $data{$x}{COUNT}, Last: $data{$x}{LAST}\n";
}


output sample:

IP: 24.73.192.92 Attacks: 924, Last: 07/Dec/2002:00:34:19 -0500
IP: 24.73.37.42 Attacks: 390, Last: 23/Dec/2002:23:27:17 -0500
IP: 24.73.73.80 Attacks: 320, Last: 22/Nov/2002:00:16:16 -0500
IP: 24.73.2.179 Attacks: 273, Last: 26/Nov/2002:12:36:42 -0500
IP: 24.73.27.82 Attacks: 160, Last: 20/Nov/2002:21:52:26 -0500
IP: 24.73.171.166 Attacks: 144, Last: 16/Dec/2002:08:48:25 -0500
IP: 24.73.20.33 Attacks: 143, Last: 25/Dec/2002:22:49:32 -0500
IP: 24.73.1.224 Attacks: 128, Last: 25/Dec/2002:10:02:52 -0500
IP: 24.73.24.224 Attacks: 118, Last: 28/Nov/2002:01:42:09 -0500
IP: 24.73.5.11 Attacks: 112, Last: 16/Dec/2002:00:03:44 -0500
IP: 24.73.40.243 Attacks: 112, Last: 15/Dec/2002:02:49:57 -0500
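The same per-IP summary in Python, as an added example that is not iDxMan's script or anything else from the thread. It goes a little beyond the Perl version: each hit is labelled by the family the thread discusses (Code Red's default.ida request versus Nimda's cmd.exe/root.exe traversal), and the percent-encoded path is decoded twice so the "../" hidden in forms like %252f or %%35%63 becomes visible, and the overlong %c0%af / %c1%9c sequences are flagged as invalid UTF-8. The log lines are constructed from the request lines quoted above, with client addresses taken from the documentation ranges (192.0.2.0/24 etc.), not from the poster's output.

```python
"""Summarise IIS-worm probes in an Apache 'common' format access log.

Added example: classifies each hit (codered / nimda), decodes the
traversal, and reports counts, last-seen time and encoding tricks per IP.
"""
import re
import sys
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache common log format: host ident user [date] "request" status bytes
COMMON_LOG = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Request-path signatures discussed in the thread.
SIGNATURES = [
    ("codered", re.compile(r"/default\.ida", re.I)),      # .ida ISAPI probe
    ("nimda", re.compile(r"(?:cmd|root)\.exe", re.I)),    # cmd.exe/root.exe via traversal
]

# Constructed sample log (documentation-range IPs; requests as seen on the page).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Dec/2002:10:01:02 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360
192.0.2.10 - - [20/Dec/2002:10:01:03 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 361
192.0.2.10 - - [20/Dec/2002:10:01:04 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 337
198.51.100.7 - - [20/Dec/2002:10:05:00 -0500] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 296
198.51.100.7 - - [20/Dec/2002:11:05:00 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 351
203.0.113.5 - - [20/Dec/2002:12:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""


def decode_twice(path):
    """Percent-decode a path twice and say whether pass one was invalid UTF-8.

    Two passes expose %25xx double encoding; the UTF-8 check catches the
    overlong sequences (%c0%af, %c1%9c) that stood in for '/' and '\\'.
    """
    once = unquote_to_bytes(path)
    try:
        once.decode("utf-8")
        bad_utf8 = False
    except UnicodeDecodeError:
        bad_utf8 = True
    twice = unquote_to_bytes(once)
    return twice, bad_utf8


def classify(request):
    """Return a verdict dict for one request line, or None if it is not a probe."""
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    family = next((name for name, rx in SIGNATURES if rx.search(path)), None)
    if family is None:
        return None
    decoded, bad_utf8 = decode_twice(path)
    traversal = b"../" in decoded or b"..\\" in decoded
    return {"family": family, "traversal": traversal, "bad_utf8": bad_utf8}


def summarise(lines):
    """Aggregate probe verdicts per client IP, most active sources first."""
    per_ip = defaultdict(lambda: {"count": 0, "last": None, "families": set(),
                                  "traversal": 0, "bad_utf8": 0})
    for line in lines:
        m = COMMON_LOG.match(line)
        if not m:
            continue
        verdict = classify(m["request"])
        if verdict is None:
            continue
        rec = per_ip[m["ip"]]
        rec["count"] += 1
        rec["last"] = m["date"]
        rec["families"].add(verdict["family"])
        rec["traversal"] += int(verdict["traversal"])
        rec["bad_utf8"] += int(verdict["bad_utf8"])
    return dict(sorted(per_ip.items(), key=lambda kv: -kv[1]["count"]))


def report(summary):
    for ip, rec in summary.items():
        print(f"IP: {ip}\tAttacks: {rec['count']}, Last: {rec['last']}, "
              f"Families: {','.join(sorted(rec['families']))}, "
              f"Traversal: {rec['traversal']}, Bad UTF-8: {rec['bad_utf8']}")


if __name__ == "__main__":
    # Usage: script.py /path/to/access_log; with no argument it runs on SAMPLE_LOG.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            report(summarise(fh))
    else:
        report(summarise(SAMPLE_LOG.splitlines()))
```

The log is opened as latin-1 on purpose: a probe can contain bytes that are not valid UTF-8, and a text-mode UTF-8 read would either fail or silently replace exactly the characters you want to inspect.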

zagiboy
12-26-2002, 12:13 AM
Looks like code red garbage. Add a zero-length file to webroot called default.ida if the bandwidth usage bothers you.

ixthus
12-27-2002, 10:42 AM
iDxMan and zagiboy,

thank you for the postings.

1 question please....

Add a zero-length file to webroot called default.ida


Would I be creating an empty file in the httpd folder named default.ida?



ixthus

<><

zagiboy
12-28-2002, 12:09 AM
You add the file in the main web shared directory. All this does is keep Apache from wasting bandwidth sending the 404 page every time Code Red requests the default.ida file.

pcghost
01-02-2003, 06:22 PM
Originally posted by monkeyboi
yap it's nimda or codered worm......
stupid ppl who runs ISS ahahaha

What's ISS?

snowtion
01-02-2003, 08:44 PM
google it, and thou shall find out

iDxMan
01-02-2003, 08:48 PM
Didn't even notice that before. ISS -> IIS

M$'s webserver