Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Ubuntu Server Development (http://www.linux-archive.org/ubuntu-server-development/)
-   -   Webserver attacks (http://www.linux-archive.org/ubuntu-server-development/634966-webserver-attacks.html)

Whisperity 02-18-2012 10:16 AM
Webserver attacks
 
Greetings!

I wanted to share my little script with you, server owners. A week or two ago I have set up an Ubuntu server box, with some services (Apache, MySQL) for personal usage. But my webserver is getting attacked by flood bots from time to time, so I needed to develop a wall (using Shorewall firewall) for it, and an easy manage script.


The two script files (ip.sh and log.sh) are the swiss army knife for me right now. (You need to put them into your webserver log folder (/var/log/apache2))
What I am asking for, knowing that people here are developers with more knowledge than me

- log.sh: lists the access.log (or anything else log file specified in the first argument) and filters out the "banned" IP-list
- ip.sh: (needs to run as root) manages the IP filtering (also adjusts Shorewall's blacklist)


I have attached two log files, somewhat fresh from my webserver. They seems to be some sort of vulnearability checks, should I be worried? Can you please give me some more tips on how to improve my server's security?


Some more information which might help us identify problems:
- Server is basically a desktop computer with Ubuntu server OS on it.
- 320 GB HDD, in the following setup:
-******* /dev/sda - boot record in MBR

-******* /dev/sda1 (/boot, ext4, ~2 GiB) - /boot stuff
-******* /dev/sda2 (/, ext4,* ~233 GiB) - everything else
-******* /dev/sda5 (swap, swap, ~6 GiB) - swap space
- TP-LINK 1043ND router with Firewall
- Shorewall firewall on the server itself (I have attached the configurational files for Shorewall too)

- Installed services:
-** * Apache, MySQL
-** * SSH
-** * Samba

$ uname -a
Linux the-server 2.6.38-13-server #54-Ubuntu SMP Tue Jan 3 13:55:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Sorry if my e-mail was a little bit hard to understand. Any help is appreciated.


-- Whisperity.

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Whisperity 02-19-2012 01:34 PM
Webserver attacks
 
Greetings!

I wanted to share my little script with you, server owners. A week or two ago I have set up an Ubuntu server box, with some services (Apache, MySQL) for personal usage. But my webserver is getting attacked by flood bots from time to time, so I needed to develop a wall (using Shorewall firewall) for it, and an easy manage script.



The two script files (ip.sh and log.sh) are the swiss army knife for me right now. (You need to put them into your webserver log folder (/var/log/apache2))
What I am asking for, knowing that people here are developers with more knowledge than me


- log.sh: lists the access.log (or anything else log file specified in the first argument) and filters out the "banned" IP-list
- ip.sh: (needs to run as root) manages the IP filtering (also adjusts Shorewall's blacklist)



There are some awkward, flood-like entries in my webserver's log. They seems to be some sort of vulnearability checks, should I be worried? Can you please give me some more tips on how to improve my server's security?



Some more information which might help us identify problems:
- Server is basically a desktop computer with Ubuntu server OS on it.
- 320 GB HDD, in the following setup:
-******* /dev/sda - boot record in MBR


-******* /dev/sda1 (/boot, ext4, ~2 GiB) - /boot stuff
-******* /dev/sda2 (/, ext4,* ~233 GiB) - everything else
-******* /dev/sda5 (swap, swap, ~6 GiB) - swap space
- TP-LINK 1043ND router with Firewall
- Shorewall firewall on the server itself (I have attached the configurational files for Shorewall too)


- Installed services:
-** * Apache, MySQL
-** * SSH
-** * Samba

$ uname -a
Linux the-server 2.6.38-13-server #54-Ubuntu SMP Tue Jan 3 13:55:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Sorry if my e-mail was a little bit hard to understand. Any help is appreciated.



-- Whisperity.



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Clint Byrum 02-20-2012 04:09 PM
Webserver attacks
 
Excerpts from Whisperity's message of Sun Feb 19 06:34:57 -0800 2012:
> Greetings!
>
> I wanted to share my little script with you, server owners. A week or two
> ago I have set up an Ubuntu server box, with some services (Apache, MySQL)
> for personal usage. But my webserver is getting attacked by flood bots from
> time to time, so I needed to develop a wall (using Shorewall firewall) for
> it, and an easy manage script.
>
> The two script files (ip.sh and log.sh) are the swiss army knife for me
> right now. (You need to put them into your webserver log folder
> (/var/log/apache2))
> What I am asking for, knowing that people here are developers with more
> knowledge than me
> - log.sh: lists the access.log (or anything else log file specified in the
> first argument) and filters out the "banned" IP-list
> - ip.sh: (needs to run as root) manages the IP filtering (also adjusts
> Shorewall's blacklist)
>
> There are some awkward, flood-like entries in my webserver's log. They
> seems to be some sort of vulnearability checks, should I be worried? Can
> you please give me some more tips on how to improve my server's security?
>

A single server is a huge weakness, so the first tip I'd give you is to
get a second server, in a second physical location. Be ready to scale
out when you get legitimate traffic, and you'll have no problem handling
malicious traffic while you find and ban the bad actors.

Second, consider an application level firewall such as mod_security:

http://www.modsecurity.org/

Most of those probes you are seeing are just mindless zombies looking
for known vulnerable versions of old webapps, and can be ignored. I'd
recommend filtering them out. Some packages, like logwatch, already
do that.

Finally, consider using apparmor to confine your application so that if
somebody finds a hole in your application's security you can at least
keep it confined to the files/directories/capabilities that you expect.
Its actually a pretty straight forward process:

https://help.ubuntu.com/11.10/serverguide/C/apparmor.html
https://help.ubuntu.com/community/AppArmor

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam


All times are GMT. The time now is 07:56 PM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.