Re: Getting a TON of IP attacks... Request for Open-Sourced IDS program

On Thu, 2005-11-10 at 09:12 -0800, Daniel B. Thurman wrote:

> /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /blog/xmlrpc.php: 1 Time(s)
> /blog/xmlsrv/xmlrpc.php: 1 Time(s)
> /blogs/xmlsrv/xmlrpc.php: 1 Time(s)
> /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
> /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
> /drupal/xmlrpc.php: 1 Time(s)
> /favicon.ico: 1 Time(s)
> /phpgroupware/xmlrpc.php: 1 Time(s)
> /wordpress/xmlrpc.php: 1 Time(s)
> /xmlrpc.php: 2 Time(s)
> /xmlrpc/xmlrpc.php: 1 Time(s)
> /xmlsrv/xmlrpc.php: 1 Time(s)
> 
There's a script floating around. I have seen the same sequence
repeatedly. Favicon.ico is not a hack. It's looking for the default URL
icon which you might want to create.

1. Modsecurity is a nifty tool but at the cost of memory, cycles and
httpd response speed.

2. You can have swatch watch the logs and add rules to IPTables based on
regular expressions. Swatch is a perl script that is economical to use
and does not interfere with HTTPD. Since many people have difficulty
with swatch, I'll give you my command line:
        /usr/bin/swatch --use-cpan-file-tail \
        --config-file=/etc/swatch.conf --daemon \
        --awk-field-syntax --tail-file=/var/log/httpd/access_log
        
        Works for me - YMMV

3. If you are running awstats, make sure that you have the most recent
version. Even then, I have it password protected via httpd.conf.

4. Snort is the best intrusion detector around. The default rules are a
tad paranoid. Snort does have a rather large footprint.

5. The best GUI to iptables (IMO) is webmin.

6. If it makes you feel better, you can make permanent redirects of
repeated hacks to your own "FBI" or "Law Enforcement" page, e.g.: Redirect
permanent /blog /hack.htm

-- 
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.htm
              RBLDNSD HowTo: http://www.TQMcube.com/rbldnsd.htm
            Multi-RBL Check: http://www.TQMcube.com/rblcheck.htm
Tired of spam? Do YOUR part: http://www.BoulderPledge.org
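As an added illustration of point 2 above (this is not code from the poster, from swatch, or from any project mentioned in the thread), here is a small Python stand-in for the "swatch watches access_log, matches regexes, feeds iptables" idea. It assumes Apache combined log format, uses constructed sample log lines modelled on the two probe families in the quoted report (the awstats configdir pipe probe and the xmlrpc.php sweep across guessed application prefixes), treats /favicon.ico as benign exactly as the reply says, and returns the iptables command it would hand to a shell instead of executing it, so you can review what would be blocked before wiring it to a real firewall.

```python
"""Swatch-style log watcher, added as an example: match probe signatures in an
Apache access_log, count hits per source IP, and build (not execute) the
iptables rule that would block repeat offenders."""
import re
from collections import Counter, defaultdict

# Constructed sample access_log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2005:09:12:01 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 292 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Nov/2005:09:12:02 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 292 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Nov/2005:09:12:03 -0800] "GET /xmlrpc.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Nov/2005:09:12:03 -0800] "GET /blog/xmlrpc.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Nov/2005:09:13:00 -0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2005:09:13:01 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2005:09:14:00 -0800] "GET /drupal/xmlrpc.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"
"""

# Apache combined-log prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the two probe families in the quoted report:
# (label, compiled regex applied to the request path).
PROBE_PATTERNS = [
    # awstats.pl?configdir=|...| : a shell pipe character in the configdir parameter
    ("awstats configdir injection", re.compile(r'awstats\.pl\?configdir=(%7C|\|)', re.I)),
    # the same xmlrpc.php requested under a dozen guessed application prefixes
    ("xmlrpc.php sweep", re.compile(r'/xmlrpc\.php(\?|$)', re.I)),
]

# Paths browsers fetch on their own; never count these as probes.
BENIGN_PATHS = {"/favicon.ico", "/robots.txt"}


def classify(path):
    """Return the probe label for a request path, or None if it is not a known probe."""
    if path in BENIGN_PATHS:
        return None
    for label, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def scan(log_text):
    """Parse access_log text; return {ip: [labels...]} for every matched probe."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the watcher
        label = classify(m.group("path"))
        if label:
            hits[m.group("ip")].append(label)
    return dict(hits)


def proposed_rules(hits, threshold=2):
    """Build the iptables command for each IP with at least `threshold` probe
    hits. The commands are returned for review, not executed."""
    rules = []
    for ip, labels in sorted(hits.items()):
        if len(labels) >= threshold:
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, labels in found.items():
        print(ip, dict(Counter(labels)))
    for rule in proposed_rules(found):
        print(rule)
```

The threshold is the part worth thinking about: swatch fires on a single regex match, which is fine for the awstats string (no legitimate request ever carries a pipe in configdir) but a lone /xmlrpc.php hit can be a real blog client, so counting per IP before blocking avoids dropping your own readers.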

