www.mydomain.com||||10225||||68.196.158.210 - - [11/Sep/2010:00:06:28 -0500] "GET /image.php?type=hv&hash=0eadb644e0e9e7318cd55682b39e9fbd HTTP/1.0" 200 10225 "http://www.mydomain.com/register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC"
www.mydomain.com||||1181||||67.142.166.21 - - [11/Sep/2010:00:06:29 -0500] "POST /.cod6xo/?action=fbgen&v=125&crc=669 HTTP/1.1" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
www.mydomain.com||||20993||||68.196.158.210 - - [11/Sep/2010:00:06:29 -0500] "POST /register.php?do=addmember HTTP/1.0" 200 20993 "http://www.mydomain.com register.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC"
www.mydomain.com||||1181||||120.140.74.198 - - [11/Sep/2010:00:06:32 -0500] "GET /.cod6xo/?action=captcha&a=get&i=45069&v=21 HTTP/1.0" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

The previous if from my httpd access log. This happens few times every second. They are trying to exploit something and I dont know what it is. How can I block this type of traffic completely just short of taking down the whole domain.

Any help is appreciated. TIA

mrfordwrench

Greetingz!

If those access_log entries spawn a 404 error in your error_log, then there's a tool called blockhosts you can use to ban any IP that causes more than X-number of 404 errors in a given time period.
(Note: you will *have* to make sure you're website contains no broken links from this point on.)

Note that by default, blockhosts will just watch your syslog output, and depends on iptables being installed and running. There's a few usage examples on the website, specifically regarding apache log files.

It's also great for banning IPs of people that keep knocking on your SSH port.

@fordwrench: what sort of web service(s) are you running? A cursory look (i.e. without research) shows that someone is perhaps trying to replay authenticated sessions, and/or take advantage of broken web app audits to perform an action.

Short of a reactive utility (as described in the previous post), you can:

• Keep Apache web server and (especially) your web apps up to date.
• Maintain a secure web server configuration.
• Employ an application (layer 7) firewall, like mod_security.
• Continue to monitor your logs.

1 members found this post helpful.

anomie,

I am running ispconfig web hosting software on debian 4. http,ftp,dns,ssh,smtp, and imap. The particular site they are trying to hit has a phpbb forum. Ever since this server has been up I have been getting battered and none of the other domains on the same server get this type of traffic.
The first few days I had it up I was getting pummeled on ssh and I installed fail2ban and stopped those attempts. Now I am getting hit on the http and mail services. I get random attempts on the mail server with someone always trying to send mail to unknown recepients on the particular domain, but no others.


mrfordwrench

@anomie: spot on I'd say. The OP quote of "Ever since this server has been up I have been getting battered" actually translates as "they have succeeded before and put hidden folders in my web that have xml exploits" (posted elsewhere).

unSpawn, spot on is correct! But that is why I am here. I keep my dist up to date as much as possible. I monitor logs. And I am trying to implement some better security measures. So if you dont have anything to help then dont say nothing. Yes I am a newbie of sort. I am not a linux GURU? I spend most of my time reading forums and such. I am trying everything I can, that is why I ask the question here.

Thanks xeleema and anomie for your excellent input.

Fordwrench

1 members found this post helpful.

Until you have acclimatized and know my intentions please refrain from pulling ones like that.

1 members found this post helpful.

You might check the website itself for any premade applications such as Word Press or Jummla for the product version. There are many Internet worms that will scan for product versions and if they are not kept up to date then they will start slamming the site with scripts of known exploits.

@fordwrenchThat's great! I wish more admins would do the same!
Hold yer horses there. No need to get on UnSpawn about that, he was talking to anomie.
UnSpawn's one of our trusted moderators, and a fair one at that. He wasn't taking a punch at you.
That's awesome, keep that up and never stop learning.
No problem, let us know what you try and how it works out for you!

EDIT: Also, if you could note which posts you find helpful, that might help the many, many people that have viewed this thread so far (over 100!).

Sorry unSpawn but your comments came to me negatively. And I dont know your intentions. So I had to take what I got from the post. I have been reading these forums since before 2006 when I finally signed up. I know you are a mod. Again Sorry.

Now back to the problem, I have had this domain since 2000 and have run it on several different servers. I started it on ensim at ev1. I gave up on EV1 when I had a problem and called them for support and they were no help so I had to start my own support system. When I first started hosting this myself is when I noticed the ssh hits. I know now that they are trying cross-site scripting to exploit my system. I have installed mod_security and am now trying to configure it properly to catch and thwart the http hacking. I havent even started on the mail situation.
I have no mail users on the domain so any email address they try gets rejected.

Fordwrench

@fordwrench
Okay, let me make sure I understand the scope of the problem;

You have remote IPs hitting the following services;
HTTP - Port 80 - XSS (Cross-Site Scripting) attacks hitting your system.
SMTP - Port 25 - Attempting to email anyone within your domain, but there are currently no valid @yourdomain.com email addresses configured.

Current problem: the HTTP XSS attacks.

It doesn't really sound like 'fail2ban' is going to help you knock-out as many of these problem areas as needed. According to a tutorial from unix-tutorials, it's great for spotting failed login attempts, but doesn't look like it's configurable to trap any error from any log file, and ban the responsible IP.

As I mentioned before, blockhosts.py does behave like fail2ban in many ways, however, you can tell it what logfiles to watch, and what actions to look for (then watch/ban as configured). From the website, it covers the regexp needed for vsftp(/var/log/secure), apache/horde web-based email, and SSH or other login failures.

Now about these XSS attacks, even though they're showing up in your access_log, is anything showing up in your error_log?
If so, you could setup custom Error Pages to call a little PHP script that will trigger a blockhosts check (like in the apache+horde link above).

xeleema,

I have installed blockhosts and it is working for sshd and proftpd. I have read the link you noted and the pattern in the link does not match the pattern of the problem in my httpd log file. I need to match the following line with a pattern.


www.mydomain.com||||1181||||120.140.74.198 - - [11/Sep/2010:00:06:32 -0500] "GET /.cod6xo/?action=captcha&a=get&i=45069&v=21 HTTP/1.0" 404 1181 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

the key is the "GET /.cod6xo/" If I can get a pattern that will search for that in the line and block based on that it will work.

Unfortunately the forum on Blockhosts is old and outdated. I have been doing searches for apache patterns but have not seen any different.

Fordwrench

@fordwrench
Glad it's working for proftpd & ssh!

As for the "GET /.cod6xo/" requests in your access_log...if there's a DocumentRoot:/.cod6xo/ directory on your webserver, I can understand the frustration. I'm looking into a RegExp for the problem.

In the interim , consider a ReWrite Rule;
NOTE: Not tested, so you might have to tweak the bolded section.

The correct rewrite should be:

Mind that this request gives a 404 error, so it's not that important. What is important and strange is the format of host doing the request. (www.mydomain.com||||1181||||120.140.74.198). I've never seen something like that.
Anyway you can also use mod_rewrite to block such hosts:
Regards

2 members found this post helpful.

You can calibrate fail2ban to ban on other events, however its slightly more difficult (lots of regex).

Once I return home I'll try and remember to post some examples for you to help you block these attemps.

The problem part is the fact currently they return a code 200 (successful) and so fail2ban wouldn't see these as any type of "bad" attempt.