Security Basics mailing list archives

Re: Apache attacks


From: bernie () e-mich com
Date: Thu, 27 Jan 2005 21:15:03 -0500

Kenny,

Another thing you might want to look at is Dshield.org; this is an updated daily
list of subnets around the world that are known for hack attempts and other
types of unethical network activity.

The link I sent you earlier to www.rfxnetworks.com has APF, the Advanced
Protection Firewall, in the projects link.  This firewall can be set up to
update this list every day and block those networks from your network.  It also
has a module for BFD, Brute Force Detection, that will block IPs or subnets that
try to brute force your SSH and FTP.  This firewall is based on IPtables, which
I would become really familiar with if you want to protect your network.  If you
find APF to be too daunting at first, try KISS firewall
http://www.geocities.com/steve93138/ or Firestarter
http://www.fs-security.com/.  Some people prefer Firestarter as it works with a
GUI and requires GTK.

These will be great tools in trying to keep the script kiddies out and the other
more serious intrusions.  But like any firewall they are never 100% and it takes
a lot of tools to keep your network safe.  Also remember security is a trade-off
between ease of use and protection.

Just my 2 cents

B.Johnson



Quoting Bernie Johnson <bernie () e-mich com>:

Kenny,

Look at www.rfxnetworks.com and get APF, BFD and look at the other
scripts there.  This should do what you want and need.

B. Johnson



On Wed, 2005-01-26 at 15:56, Kenny wrote:
Hi List,

Long time reader, first time poster..

My server crashed yesterday and I had to restart it to get it going
again. Now everything seems ok, however looking at my
/var/log/httpd/access_log.1 shows a visitor to the website posting some
big chunks of exploit code (containing a massive nop sled).
How do I know if this attacker actually got in or not?

This is a redhat fedora core 2 box, and I would describe myself as an
"intermediate" linux user.

Also, has anyone got any scripts that can detect attacks against apache
and ban the ip for a period of time?

I will post the exploit on request.

Thanks, Kenny
--







----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
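
The question in this thread about spotting attacks in the Apache access log and banning the source for a period, as an added example that is not part of the original messages or of APF/BFD: a small log scanner that flags oversized requests and long runs of one escaped byte. The Common Log Format layout, the 2048-character threshold, the 24-hour ban period and the sample lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')
# 16 or more repeats of one escaped byte (\x90\x90... or %90%90...): padding, not a URL
SLED_RE = re.compile(r'((?:\\x|%)[0-9A-Fa-f]{2})\1{15,}')
MAX_REQUEST_LEN = 2048            # assumed threshold: longest legitimate request line
BAN_PERIOD = timedelta(hours=24)  # assumed ban duration

def suspicious(request):
    """Return a reason string if the request line looks like an overflow attempt."""
    if len(request) > MAX_REQUEST_LEN:
        return "oversized request"
    if SLED_RE.search(request):
        return "repeated-byte padding"
    return None

def find_bans(lines):
    """Map source IP -> (ban expiry, reason) for every flagged log line."""
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess
        ip, stamp, request = m.group(1), m.group(2), m.group(3)
        reason = suspicious(request)
        if reason:
            seen = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            expires = seen + BAN_PERIOD
            # a repeat offender keeps the latest expiry
            if ip not in bans or expires > bans[ip][0]:
                bans[ip] = (expires, reason)
    return bans

# Constructed sample lines (documentation-range addresses), not taken from the thread
SAMPLE = [
    '192.0.2.10 - - [26/Jan/2005:15:40:01 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Jan/2005:15:41:12 -0500] "POST /' + '\\x90' * 40
    + ' HTTP/1.0" 400 299',
    '203.0.113.5 - - [26/Jan/2005:15:42:30 -0500] "GET /' + 'A' * 3000
    + ' HTTP/1.0" 414 250',
]

if __name__ == "__main__":
    for ip, (expires, reason) in find_bans(SAMPLE).items():
        # review the list before turning it into firewall rules
        print(f"{ip}\tban until {expires.isoformat()}\t{reason}")
```

A flagged line shows that a request was sent, not that it succeeded; the status code in the same log line and the error_log around the crash time are the next things to check.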

