Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.
Old 02-18-2012, 10:16 AM
Whisperity
 
Default Webserver attacks

Greetings!

I wanted to share my little script with you, server owners. A week or two ago I set up an Ubuntu server box, with some services (Apache, MySQL) for personal usage. But my webserver is getting attacked by flood bots from time to time, so I needed to develop a wall (using the Shorewall firewall) for it, and an easy management script.


The two script files (ip.sh and log.sh) are the Swiss army knife for me right now. (You need to put them into your webserver log folder (/var/log/apache2).)
What I am asking for, knowing that people here are developers with more knowledge than me:

- log.sh: lists access.log (or any other log file specified as the first argument) and filters out the "banned" IP list
- ip.sh: (needs to run as root) manages the IP filtering (also adjusts Shorewall's blacklist)


I have attached two log files, somewhat fresh from my webserver. They seem to be some sort of vulnerability checks; should I be worried? Can you please give me some more tips on how to improve my server's security?


Some more information which might help us identify problems:
- Server is basically a desktop computer with Ubuntu server OS on it.
- 320 GB HDD, in the following setup:
  - /dev/sda - boot record in MBR
  - /dev/sda1 (/boot, ext4, ~2 GiB) - /boot stuff
  - /dev/sda2 (/, ext4, ~233 GiB) - everything else
  - /dev/sda5 (swap, swap, ~6 GiB) - swap space
- TP-LINK 1043ND router with Firewall
- Shorewall firewall on the server itself (I have attached the configuration files for Shorewall too)

- Installed services:
  - Apache, MySQL
  - SSH
  - Samba

$ uname -a
Linux the-server 2.6.38-13-server #54-Ubuntu SMP Tue Jan 3 13:55:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Sorry if my e-mail was a little bit hard to understand. Any help is appreciated.


-- Whisperity.

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 02-19-2012, 01:34 PM
Whisperity
 
Default Webserver attacks

Greetings!

I wanted to share my little script with you, server owners. A week or two ago I set up an Ubuntu server box, with some services (Apache, MySQL) for personal usage. But my webserver is getting attacked by flood bots from time to time, so I needed to develop a wall (using the Shorewall firewall) for it, and an easy management script.



The two script files (ip.sh and log.sh) are the Swiss army knife for me right now. (You need to put them into your webserver log folder (/var/log/apache2).)
What I am asking for, knowing that people here are developers with more knowledge than me:

- log.sh: lists access.log (or any other log file specified as the first argument) and filters out the "banned" IP list
- ip.sh: (needs to run as root) manages the IP filtering (also adjusts Shorewall's blacklist)


There are some awkward, flood-like entries in my webserver's log. They seem to be some sort of vulnerability checks; should I be worried? Can you please give me some more tips on how to improve my server's security?



Some more information which might help us identify problems:
- Server is basically a desktop computer with Ubuntu server OS on it.
- 320 GB HDD, in the following setup:
  - /dev/sda - boot record in MBR
  - /dev/sda1 (/boot, ext4, ~2 GiB) - /boot stuff
  - /dev/sda2 (/, ext4, ~233 GiB) - everything else
  - /dev/sda5 (swap, swap, ~6 GiB) - swap space
- TP-LINK 1043ND router with Firewall
- Shorewall firewall on the server itself (I have attached the configuration files for Shorewall too)

- Installed services:
  - Apache, MySQL
  - SSH
  - Samba

$ uname -a
Linux the-server 2.6.38-13-server #54-Ubuntu SMP Tue Jan 3 13:55:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Sorry if my e-mail was a little bit hard to understand. Any help is appreciated.



-- Whisperity.



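The two posts above describe log.sh and ip.sh only in prose (the scripts themselves were attachments that are not on this page). The following is an added example, written for this page and not the poster's code, of what a log filter of that shape looks like: it drops the lines of already-banned client addresses from an Apache access log, ranks the remaining sources, and lists the addresses that crossed a request threshold, which is the list you would feed to a ban script. It assumes the default Apache combined/common log format, where the client address is the first field of each line. The sample log lines, the ban list and the function names (unbanned_log, top_clients, ban_candidates) are all constructed for the example.

```shell
#!/bin/sh
# Added example (not the poster's log.sh/ip.sh): filter an Apache access log
# against a list of banned client addresses and rank the remaining sources.
# Assumes the default combined/common log format, where the client IP is the
# first whitespace-separated field of every line.

# Constructed sample lines in Apache combined format (not taken from the
# poster's attached logs). Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [18/Feb/2012:09:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2012:09:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 488 "-" "-"
192.0.2.44 - - [18/Feb/2012:09:01:04 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 319 "-" "-"
192.0.2.44 - - [18/Feb/2012:09:01:05 +0000] "GET /pma/ HTTP/1.1" 404 480 "-" "-"
192.0.2.44 - - [18/Feb/2012:09:01:06 +0000] "GET /myadmin/ HTTP/1.1" 404 484 "-" "-"
203.0.113.5 - - [18/Feb/2012:09:01:07 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.99 - - [18/Feb/2012:09:01:08 +0000] "GET /admin/ HTTP/1.1" 404 482 "-" "-"'

# Constructed ban list: one IPv4 address per line. This matcher compares whole
# addresses only; CIDR ranges would need a different comparison.
BANNED='198.51.100.7
192.0.2.99'

# unbanned_log LOGTEXT BANLIST
#   Print only the lines whose client address is not in BANLIST.
unbanned_log() {
    printf '%s\n' "$1" | awk -v banned="$2" '
        BEGIN {
            n = split(banned, b, "\n")
            for (i = 1; i <= n; i++) if (b[i] != "") ban[b[i]] = 1
        }
        !($1 in ban)'
}

# top_clients LOGTEXT
#   Print "count ip" per client address, busiest first.
top_clients() {
    printf '%s\n' "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# ban_candidates LOGTEXT THRESHOLD
#   Print the addresses that made at least THRESHOLD requests, one per line.
#   Feed it the output of unbanned_log so already-banned hosts are skipped.
ban_candidates() {
    top_clients "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run: show the filtered log and who would be banned at 3 hits.
unbanned_log "$SAMPLE_LOG" "$BANNED"
echo "--- candidates at >= 3 requests:"
ban_candidates "$(unbanned_log "$SAMPLE_LOG" "$BANNED")" 3
```

On a real box you would replace SAMPLE_LOG with `$(cat /var/log/apache2/access.log)` and BANNED with the contents of your ban file, and pipe the candidates into whatever adds them to Shorewall (for example `shorewall drop <address>`, if dynamic blacklisting is enabled in shorewall.conf). Keep the threshold high enough that a legitimate browser fetching a page with many assets does not trip it; a raw request count is a crude signal, and the probe signatures a scanner leaves are a better one.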
 
Old 02-20-2012, 04:09 PM
Clint Byrum
 
Default Webserver attacks

Excerpts from Whisperity's message of Sun Feb 19 06:34:57 -0800 2012:
> Greetings!
>
> I wanted to share my little script with you, server owners. A week or two
> ago I have set up an Ubuntu server box, with some services (Apache, MySQL)
> for personal usage. But my webserver is getting attacked by flood bots from
> time to time, so I needed to develop a wall (using Shorewall firewall) for
> it, and an easy manage script.
>
> The two script files (ip.sh and log.sh) are the swiss army knife for me
> right now. (You need to put them into your webserver log folder
> (/var/log/apache2))
> What I am asking for, knowing that people here are developers with more
> knowledge than me
> - log.sh: lists the access.log (or anything else log file specified in the
> first argument) and filters out the "banned" IP-list
> - ip.sh: (needs to run as root) manages the IP filtering (also adjusts
> Shorewall's blacklist)
>
> There are some awkward, flood-like entries in my webserver's log. They
> seem to be some sort of vulnerability checks, should I be worried? Can
> you please give me some more tips on how to improve my server's security?
>

A single server is a huge weakness, so the first tip I'd give you is to
get a second server, in a second physical location. Be ready to scale
out when you get legitimate traffic, and you'll have no problem handling
malicious traffic while you find and ban the bad actors.

Second, consider an application level firewall such as mod_security:

http://www.modsecurity.org/

Most of those probes you are seeing are just mindless zombies looking
for known vulnerable versions of old webapps, and can be ignored. I'd
recommend filtering them out. Some packages, like logwatch, already
do that.

Finally, consider using apparmor to confine your application so that if
somebody finds a hole in your application's security you can at least
keep it confined to the files/directories/capabilities that you expect.
It's actually a pretty straightforward process:

https://help.ubuntu.com/11.10/serverguide/C/apparmor.html
https://help.ubuntu.com/community/AppArmor

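Clint's point that most of the probes are automated scanners looking for old vulnerable webapps, and that such lines should be filtered out of what you read (as logwatch does), can be made concrete. The following is an added example, not from the thread or from logwatch: it tags each access-log line as a probe or not by matching the request path against a list of scanner signatures, prints the remaining lines for a human to read, and counts which addresses sent the probes. The log format assumption is the same as before (the request line is the first double-quoted field); the sample lines, the signature list and the function names (classify_requests, clean_log, probe_sources) are constructed for the example, and the signature list is deliberately short, to be extended from your own logs.

```shell
#!/bin/sh
# Added example (not from the thread): tag the automated probes in an Apache
# access log so they can be filtered out of what you actually read, the way
# logwatch drops its known-noise patterns. Assumes combined/common log format,
# where the request line is the first double-quoted field.

# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
ACCESS_LOG='203.0.113.5 - - [19/Feb/2012:14:30:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2012:14:30:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 497 "-" "-"
192.0.2.44 - - [19/Feb/2012:14:30:03 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 319 "-" "-"
192.0.2.44 - - [19/Feb/2012:14:30:04 +0000] "GET /pma/ HTTP/1.1" 404 480 "-" "-"
203.0.113.5 - - [19/Feb/2012:14:30:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.99 - - [19/Feb/2012:14:30:06 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 482 "-" "-"'

# Constructed signature list, one regex per line, matched against the
# lower-cased request path. Keep backslashes out of it: awk -v rewrites
# escape sequences, so "[.]" is used instead of "\.".
PROBE_PATTERNS='^/phpmyadmin
^/pma/
^/myadmin
^/w00tw00t
^/admin/config[.]php
[.][.]/'

# classify_requests LOGTEXT
#   Print every line prefixed with "probe " or "ok ".
classify_requests() {
    printf '%s\n' "$1" | awk -v pats="$PROBE_PATTERNS" '
        BEGIN { n = split(pats, p, "\n") }
        {
            split($0, q, "\"")      # q[2] is "METHOD PATH PROTOCOL"
            split(q[2], r, " ")     # r[2] is the request path
            path = tolower(r[2])
            tag = "ok"
            for (i = 1; i <= n; i++)
                if (p[i] != "" && path ~ p[i]) { tag = "probe"; break }
            print tag, $0
        }'
}

# clean_log LOGTEXT
#   The lines worth a human's attention: everything not tagged as a probe.
clean_log() {
    classify_requests "$1" | awk '$1 == "ok" { sub(/^ok /, ""); print }'
}

# probe_sources LOGTEXT
#   "count ip" per address that sent probes, noisiest first; input for a ban list.
probe_sources() {
    classify_requests "$1" | awk '$1 == "probe" { print $2 }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run.
echo "--- probes:"
classify_requests "$ACCESS_LOG" | awk '$1 == "probe"'
echo "--- remaining:"
clean_log "$ACCESS_LOG"
echo "--- probe sources:"
probe_sources "$ACCESS_LOG"
```

The path is lower-cased before matching because scanners vary the case of well-known paths (/phpMyAdmin, /PMA); a case-sensitive list misses half of them. Lines that match a probe signature but return 200 rather than 404 deserve a closer look than the rest, since that means the requested application actually exists on the server. Confining Apache with AppArmor, as the reply suggests, is what limits the damage in exactly that case.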