Mitigating ongoing attacks to my web server.
I’ve been seeing messages like this one in my Logwatch e-mails for quite some time:
A total of 2 sites probed the server
203.246.75.102
A total of 7 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
/wiki/index.php/Talk:AVR_GCC//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%27.include($_GET[a]),exit.%27&a=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
So I decided to take a brief look at it. I’m fairly certain that this isn’t an exploit of my MediaWiki install; I think they’re looking for an exploit in a package called “PNphpBB2”, which I don’t have. Anyway, I grepped my logs for the offending IP addresses and created a simple conf.d file listing all of them. The greps I ran look like this:
# zgrep prefixes each line with the file name, so the first dotted quad after it is the client address (non-greedy .*? picks that one rather than the last IP-looking token on the line)
zgrep "w00tw00t" /var/log/httpd/*.gz | perl -p -e 's/^.*?[^0-9]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)[^0-9].*$/$1/' | sort | uniq
zgrep "\.\./\.\./\.\./\.\./\.\." /var/log/httpd/*.gz | perl -p -e 's/^.*?[^0-9]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)[^0-9].*$/$1/' | sort | uniq
zgrep "PNphpBB2" /var/log/httpd/*.gz | perl -p -e 's/^.*?[^0-9]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)[^0-9].*$/$1/' | sort | uniq
And then I put those all in a file under /etc/httpd/conf.d called “global_deny.conf” that looks like this:
<DirectoryMatch .*>
Order Allow,Deny
allow from all
deny from [...]
deny from [...]
</DirectoryMatch>
With one IP address on each “deny from” line. Hopefully this should shut out a lot of the people that are trying to find exploits on my site. There were 845 unique IP addresses that had hit such URLs.
Does anyone know of an automated solution for doing this sort of thing? What I’d like to be able to do is have a regexp of URLs such that any client that ever hits one of them automatically ends up in a set of denied IP addresses. Maybe it would show a special “you’re an abuser” page for the first few hits after that, and then just start returning 404s.
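As an added example (not code from the post), here is the grep-and-hand-edit procedure above as one script: it reads the access logs, flags lines matching the same three probe signatures the greps look for, extracts the client address from the first field, and writes out a snippet in the exact shape of global_deny.conf. The log file reader, the threshold parameter and the sample log lines (documentation-range addresses) are my assumptions.

```python
import gzip
import re
from collections import Counter

# Probe signatures lifted from the three greps in the post (assumed sufficient for the demo)
PROBE_PATTERNS = [
    re.compile(r"w00tw00t"),        # DFind scanner fingerprint
    re.compile(r"(\.\./){4}\.\."),  # deep ../ traversal, as in the Logwatch URL
    re.compile(r"PNphpBB2"),        # the phpBB module the author does not run
]
# Client address is the first field of an Apache common/combined log line
CLIENT_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")

def log_lines(paths):
    """Yield lines from plain or gzip-compressed Apache logs (hypothetical helper)."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def probing_ips(lines, threshold=1):
    """Return client IPs with at least `threshold` requests matching a probe pattern."""
    hits = Counter()
    for line in lines:
        m = CLIENT_IP_RE.match(line)
        if m and any(p.search(line) for p in PROBE_PATTERNS):
            hits[m.group(1)] += 1
    return {ip for ip, n in hits.items() if n >= threshold}

def render_global_deny(ips):
    """Render a conf.d snippet in the same shape as the post's global_deny.conf."""
    ordered = sorted(ips, key=lambda s: tuple(int(o) for o in s.split(".")))
    body = "\n".join(f"deny from {ip}" for ip in ordered)
    return f"<DirectoryMatch .*>\nOrder Allow,Deny\nallow from all\n{body}\n</DirectoryMatch>\n"

# Constructed sample log (documentation-range addresses, not real attackers)
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2011:03:14:15 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
203.0.113.9 - - [10/Oct/2011:03:20:01 +0000] "GET /index.php?name=PNphpBB2&file=viewtopic&t=8 HTTP/1.1" 200 512 "-" "Mozilla"
192.0.2.44 - - [10/Oct/2011:03:21:30 +0000] "GET /wiki/index.php/Main_Page HTTP/1.1" 200 8192 "-" "Mozilla"
203.0.113.9 - - [10/Oct/2011:03:22:10 +0000] "GET /a?b=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "Mozilla"
"""

if __name__ == "__main__":
    # Real use: probing_ips(log_lines(glob.glob("/var/log/httpd/*access_log*")))
    print(render_global_deny(probing_ips(SAMPLE_LOG.splitlines())), end="")
```

On Apache 2.4 the Order/Allow/Deny directives only work with mod_access_compat loaded; the 2.4-native form is `Require not ip`. Regenerate the file from a cron job and reload httpd so the list tracks the logs instead of a one-off grep.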
Thanks for the tip. Didn’t know about logwatch; seems like one of those programs that should come installed as part of every self-respecting distro. Installed it and made it happy reviewing lighttpd’s logs; woohoo!
The two pieces of software that I use are:
Bad Behavior http://www.bad-behavior.ioerror.us/
This inspects the details of the request itself to determine if it is a robot. Also, this will help slow down requests that come too fast.
portsentry http://sourceforge.net/projects/sentrytools
This will automatically block any computers that attempt to port scan the server
I actually talked about and created a solution for automatically blocking any client that does something I deem as “offensive” temporarily with the new ipset feature in the Linux kernel. I wrote about it here: http://blog.robin.smidsrod.no/2011/10/07/autoblock-sshd-dictionary-attacks.
You might be able to use a similar approach with Apache to trigger an external command that activates the blocking. It should be easier than syslog, I would think. You might also want to investigate the mentioned fail2ban software, or those rate-limiting iptables rules if that is more appropriate to your needs.
I decided to post this comment here, as your article was one of the first that showed up for the phrase “A total of X sites probed the server”, and I thought that my approach to dealing with the issue could work for anyone that comes here looking. Hope you find it interesting.