how do I block this type of traffic and prevent my site getting hacked.
Code:
www.mydomain.com||||10225||||68.196.158.210 - - [11/Sep/2010:00:06:28 -0500] "GET /image.php?type=hv&hash=0eadb644e0e9e7318cd55682b39e9fbd HTTP/1.0" 200 10225 "http://www.mydomain.com/register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC"
www.mydomain.com||||1181||||67.142.166.21 - - [11/Sep/2010:00:06:29 -0500] "POST /.cod6xo/?action=fbgen&v=125&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.mydomain.com||||20993||||68.196.158.210 - - [11/Sep/2010:00:06:29 -0500] "POST /register.php?do=addmember HTTP/1.0" 200 20993 "http://www.mydomain.com register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC"
www.mydomain.com||||1181||||120.140.74.198 - - [11/Sep/2010:00:06:32 -0500] "GET /.cod6xo/?action=captcha&a=get&i=45069&v=21 HTTP/1.0" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
The previous is from my httpd access log. This happens a few times every second. They are trying to exploit something and I don't know what it is. How can I block this type of traffic completely, just short of taking down the whole domain?
If those access_log entries spawn a 404 error in your error_log, then there's a tool called blockhosts you can use to ban any IP that causes more than X 404 errors in a given time period.
(Note: you will *have* to make sure your website contains no broken links from this point on.)
Note that by default, blockhosts will just watch your syslog output, and depends on iptables being installed and running. There are a few usage examples on the website, specifically regarding Apache log files.
It's also great for banning IPs of people that keep knocking on your SSH port.
@fordwrench: what sort of web service(s) are you running? A cursory look (i.e. without research) shows that someone is perhaps trying to replay authenticated sessions, and/or take advantage of broken web app audits to perform an action.
Short of a reactive utility (as described in the previous post), you can:
Keep Apache web server and (especially) your web apps up to date.
Maintain a secure web server configuration.
Employ an application (layer 7) firewall, like mod_security.
Original Poster
anomie,
I am running ISPConfig web hosting software on Debian 4: http, ftp, dns, ssh, smtp, and imap. The particular site they are trying to hit has a phpBB forum. Ever since this server has been up I have been getting battered, and none of the other domains on the same server get this type of traffic.
The first few days I had it up I was getting pummeled on ssh, and I installed fail2ban and stopped those attempts. Now I am getting hit on the http and mail services. I get random attempts on the mail server with someone always trying to send mail to unknown recipients on the particular domain, but no others.
@anomie: spot on I'd say. The OP quote of "Ever since this server has been up I have been getting battered" actually translates as "they have succeeded before and put hidden folders in my web that have xml exploits" (posted elsewhere).
Original Poster
unSpawn, spot on is correct! But that is why I am here. I keep my dist up to date as much as possible. I monitor logs. And I am trying to implement some better security measures. So if you don't have anything to help, then don't say anything. Yes, I am a newbie of sorts. I am not a Linux GURU. I spend most of my time reading forums and such. I am trying everything I can; that is why I ask the question here.
Thanks xeleema and anomie for your excellent input.
mrfordwrench
You might check the website itself for any premade applications such as WordPress or Joomla for the product version. There are many Internet worms that will scan for product versions, and if they are not kept up to date then they will start slamming the site with scripts of known exploits.
...I keep my dist up to date as much as possible. I monitor logs. And I am trying to implement some better security measures.
That's great! I wish more admins would do the same!
Quote (Originally Posted by fordwrench):
So if you don't have anything to help, then don't say anything. Yes, I am a newbie of sorts.
Hold yer horses there. No need to get on UnSpawn about that, he was talking to anomie.
UnSpawn's one of our trusted moderators, and a fair one at that. He wasn't taking a punch at you.
Quote (Originally Posted by fordwrench):
I am not a Linux GURU. I spend most of my time reading forums and such. I am trying everything I can; that is why I ask the question here.
That's awesome, keep that up and never stop learning.
Quote (Originally Posted by fordwrench):
Thanks xeleema and anomie for your excellent input.
No problem, let us know what you try and how it works out for you!
EDIT: Also, if you could note which posts you find helpful, that might help the many, many people that have viewed this thread so far (over 100!).
Original Poster
Sorry unSpawn, but your comments came to me negatively. And I don't know your intentions. So I had to take what I got from the post. I have been reading these forums since before 2006, when I finally signed up. I know you are a mod. Again, sorry.
Now back to the problem. I have had this domain since 2000 and have run it on several different servers. I started it on Ensim at EV1. I gave up on EV1 when I had a problem and called them for support and they were no help, so I had to start my own support system. When I first started hosting this myself is when I noticed the ssh hits. I know now that they are trying cross-site scripting to exploit my system. I have installed mod_security and am now trying to configure it properly to catch and thwart the http hacking. I haven't even started on the mail situation.
I have no mail users on the domain so any email address they try gets rejected.
@fordwrench
Okay, let me make sure I understand the scope of the problem:
You have remote IPs hitting the following services:
HTTP - Port 80 - XSS (Cross-Site Scripting) attacks hitting your system.
SMTP - Port 25 - Attempting to email anyone within your domain, but there are currently no valid @yourdomain.com email addresses configured.
Current problem: the HTTP XSS attacks.
It doesn't really sound like 'fail2ban' is going to help you knock out as many of these problem areas as needed. According to a tutorial from unix-tutorials, it's great for spotting failed login attempts, but it doesn't look like it's configurable to trap any error from any log file and ban the responsible IP.
As I mentioned before, blockhosts.py does behave like fail2ban in many ways; however, you can tell it what logfiles to watch and what actions to look for (then watch/ban as configured). From the website, it covers the regexps needed for vsftp (/var/log/secure), apache/horde web-based email, and SSH or other login failures.
Now about these XSS attacks, even though they're showing up in your access_log, is anything showing up in your error_log?
If so, you could set up custom error pages to call a little PHP script that will trigger a blockhosts check (like in the apache+horde link above).
Original Poster
xeleema,
I have installed blockhosts and it is working for sshd and proftpd. I have read the link you noted and the pattern in the link does not match the pattern of the problem in my httpd log file. I need to match the following line with a pattern.
As for the "GET /.cod6xo/" requests in your access_log... if there's a DocumentRoot:/.cod6xo/ directory on your webserver, I can understand the frustration. I'm looking into a RegExp for the problem.
In the interim, consider a rewrite rule:
Code:
# Refuse (403) any request whose path starts with /.cod6xo/, spelled as it
# appears in the access_log; the dot is escaped so it matches literally.
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.cod6xo/ [NC]
RewriteRule .* - [F]
NOTE: Not tested, so you might have to tweak the bolded section.
The key is the "GET /.cod6xo/". If I can get a pattern that will search for that in the line and block based on that, it will work.
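An added example, not code from the thread and not part of blockhosts, that does what the last few posts ask for: it parses lines in the `<vhost>||||<bytes>||||...` layout shown in the first post, flags any IP that requests the hidden /.cod6xo/ folder, and flags any IP that causes more than a set number of 404s inside a sliding time window, which is the threshold rule blockhosts was described with earlier. It assumes the leading vhost and byte-count fields are added by the hosting setup's LogFormat (the byte count repeats the response size that appears later in the same line). The sample lines are constructed with documentation IPs, and the function names and the iptables rules it prints are this example's own choices.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# One access_log line in the layout shown in the thread:
#   <vhost>||||<bytes>||||<standard combined log line>
# The two leading fields are assumed to come from the hosting setup's
# LogFormat; the byte count repeats the response size in the request line.
LINE_RE = re.compile(
    r'^(?P<vhost>[^|]+)\|\|\|\|(?P<size>\d+|-)\|\|\|\|'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3})\b'
)


def parse_line(line):
    """Parse one line; return a dict, or None when the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Compare on the decoded path only, so "/%2Ecod6xo/" and "/.cod6xo/?x=1"
    # both normalise to "/.cod6xo/" and cannot slip past a literal match.
    path = unquote(m.group("target").split("?", 1)[0])
    return {
        "vhost": m.group("vhost"),
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
    }


def find_offenders(lines, max_404=5, window_seconds=60, blocked_prefix="/.cod6xo/"):
    """Return {ip: reason} for IPs that requested the blocked path or produced
    more than max_404 404 responses inside a sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent_404 = defaultdict(deque)   # ip -> timestamps of its recent 404s
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in offenders:
            continue
        ip = rec["ip"]
        if rec["path"].startswith(blocked_prefix):
            offenders[ip] = "request for " + blocked_prefix
        elif rec["status"] == 404:
            q = recent_404[ip]
            q.append(rec["time"])
            while rec["time"] - q[0] > window:   # drop 404s older than the window
                q.popleft()
            if len(q) > max_404:
                offenders[ip] = f"more than {max_404} 404s in {window_seconds}s"
    return offenders


def iptables_commands(offenders):
    """Render one DROP rule per offender (returned as text, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def _line(ip, ts, method, target, status, size):
    # Constructed line in the same layout as the thread's access_log excerpt.
    return (f'www.mydomain.com||||{size}||||{ip} - - [{ts} -0500] '
            f'"{method} {target} HTTP/1.0" {status} {size} "-" "Mozilla/4.0 (constructed)"')


# Constructed sample input (RFC 5737 documentation addresses):
#  - 198.51.100.7 probes the hidden folder once
#  - 203.0.113.9 is an ordinary visitor
#  - 198.51.100.22 requests six non-existent pages within 60 seconds
SAMPLE_LINES = [
    _line("198.51.100.7", "11/Sep/2010:00:06:29", "POST",
          "/.cod6xo/?action=fbgen&v=125&crc=669", 404, 1181),
    _line("203.0.113.9", "11/Sep/2010:00:06:28", "GET",
          "/image.php?type=hv&hash=0eadb644e0e9e7318cd55682b39e9fbd", 200, 10225),
] + [
    _line("198.51.100.22", f"11/Sep/2010:00:07:{sec:02d}", "GET",
          f"/old/page{sec}.html", 404, 1181)
    for sec in range(0, 60, 10)
]

if __name__ == "__main__":
    # Usage: python thisfile.py [access_log]; without an argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            hits = find_offenders(fh)
    else:
        hits = find_offenders(SAMPLE_LINES)
    for ip, why in hits.items():
        print(f"{ip}: {why}")
    print("\n".join(iptables_commands(hits)))
```

The 404 threshold is the same trade-off the earlier post warns about: a visitor following a broken link on your own site counts toward it, so keep the site free of dead links or raise max_404 before turning the printed rules into real firewall entries.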
Mind that this request gives a 404 error, so it's not that important. What is important and strange is the format of the host doing the request (www.mydomain.com||||1181||||120.140.74.198). I've never seen something like that.
Anyway, you can also use mod_rewrite to block such hosts: