From: Michael Powell
To: freebsd-questions@freebsd.org
Date: Tue, 18 May 2010 07:00:59 -0400
Subject: Re: Apache web server being attacked
References: <4BF26530.3080501@comclark.com>
Followup-To: gmane.os.freebsd.questions

Aiza wrote:
> I put apache13 in a jail and left inbound port 80 open in my firewall.
> There is no domain name pointing to my web server. The content there is
> a small apache web application that fools web email address harvest
> programs into harvesting bogus email addresses from the web page.
> http://www.monkeys.com/wpoison This is what I am doing.
>
> Since setting this up I have not had any bots scan the site for email
> addresses. But I have had port 80 attacks that did not work. My Apache
> access and error logs follow.
> [snip log content]
> As you can see, it looks like a script kiddy is running something they
> don't understand. "/usr/local/www/data//phpmyadmin2/config.inc.php"
> There should only be a single / between data/phpmyadmin2.
>
> But besides that, it looks like the php config.inc.php file is a target
> and phpmyadmin is also a target. The apache return code 404 means not
> found, so no effect on me.
>
> Has anyone seen this junk hitting their apache web servers, or have any
> different explanation of what this means?

Sorry to tell you this, but this kind of thing goes on all the time. You can
fine-tune mod_security for some control over SQL injection techniques, as well
as many other generic forms of locking down the web server in general.

Generally speaking, the bulk of this does nothing more than fill the logs -
BUT - all it takes is for one app to let the attacker "leak" onto your hard
drive and they're in. I see a lot of scans for roundcube and phpMyAdmin. I have
also seen a lot of phpBB in the past. The attackers spew lots of requests, but
the needle in the haystack they are looking for is that one app that has a
known vulnerability. In addition to securing the web server itself, you should
monitor any app running on it for reported security flaws and keep them updated
to the latest "safe" versions.

You can also add to the hardening of your web server (if Apache) with various
.htaccess + mod_rewrite tricks.
Examples include:

# block all smarty templates (no reason to have these exposed)
RedirectMatch gone ^/.*\.tpl$

# block all .log (log files), .sql (sql dump/export) and .conf (config files)
# files, in case some day these files move to another directory
RedirectMatch gone ^.*\.(sql|log|conf)$

# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$

# block common files present that you don't want served
RedirectMatch gone CHANGELOG.*
RedirectMatch gone COPYRIGHT.*
RedirectMatch gone INSTALL.*
RedirectMatch gone NEW.*
RedirectMatch gone README.*
RedirectMatch gone UPGRADE.*
RedirectMatch gone VERSION.*

# block access to directories
Redirect gone /upgrade
Redirect gone /tmp
Redirect gone /var
Redirect gone /sql

# reject pesky stuff based on the User-Agent header (403 Forbidden)
Options -MultiViews -Indexes
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Toata [NC]
RewriteRule .* - [F,L]

There are many more; these are just a couple of examples for ideas. :-)

-Mike
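As an added example (not part of Mike's post, nor code from the wpoison project), here is a small Python script that applies the same idea on the detection side rather than in .htaccess: it parses Apache access-log lines in the default common/combined format and tallies, per client address, the requests that probe for the paths named in the thread (phpMyAdmin, config.inc.php, roundcube, phpBB, the doubled slash Aiza saw) or that announce themselves with the Twiceler/Morfeus/Toata user agents from the RewriteCond lines. The log lines, the client addresses (taken from the documentation ranges) and the flagging threshold are all constructed for this example; the rule lists are a starting point to extend from your own logs.

```python
import re
from collections import defaultdict

# Regex for Apache's default "common" log format, with the optional
# referer/user-agent fields that the "combined" format appends.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Path fragments that web-application scanners probe for. The first four are
# the apps named in the thread; "double-slash" is the data//phpmyadmin2 oddity.
PROBE_RULES = [
    ("phpmyadmin", re.compile(r"phpmyadmin", re.I)),
    ("config.inc.php", re.compile(r"config\.inc\.php", re.I)),
    ("roundcube", re.compile(r"roundcube", re.I)),
    ("phpbb", re.compile(r"phpbb", re.I)),
    ("double-slash", re.compile(r"//")),
]

# User-Agent prefixes, the same three that the RewriteCond lines reject.
UA_RULES = [
    ("ua:" + name, re.compile(r"^" + name, re.I))
    for name in ("Twiceler", "Morfeus", "Toata")
]

# Constructed sample log: one scanner, one ordinary visitor, one benign 404,
# and one line that is not in log format at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2010:06:12:01 -0400] "GET /phpmyadmin/config.inc.php HTTP/1.1" 404 209 "-" "Morfeus scanner/1.0"',
    '192.0.2.10 - - [18/May/2010:06:12:02 -0400] "GET //phpmyadmin2/config.inc.php HTTP/1.1" 404 209 "-" "Morfeus scanner/1.0"',
    '192.0.2.10 - - [18/May/2010:06:12:03 -0400] "GET /roundcube/ HTTP/1.1" 404 209 "-" "Morfeus scanner/1.0"',
    '192.0.2.10 - - [18/May/2010:06:12:04 -0400] "GET /phpBB/index.php HTTP/1.1" 404 209 "-" "Morfeus scanner/1.0"',
    '198.51.100.7 - - [18/May/2010:06:15:11 -0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/May/2010:06:15:12 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/May/2010:06:20:00 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    'this is not a log line',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Names of the rules an entry trips; an empty list means it looks benign."""
    reasons = [name for name, rx in PROBE_RULES if rx.search(entry["path"])]
    ua = entry.get("ua") or ""
    reasons += [name for name, rx in UA_RULES if rx.search(ua)]
    return reasons


def summarize(lines):
    """Per-client counts: requests, 404s, probe hits, and the set of rules tripped."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "probes": 0, "reasons": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip unparseable lines instead of aborting the whole run
        s = stats[entry["ip"]]
        s["requests"] += 1
        if entry["status"] == 404:
            s["not_found"] += 1
        reasons = classify(entry)
        if reasons:
            s["probes"] += 1
            s["reasons"].update(reasons)
    return dict(stats)


def flagged_ips(lines, threshold=3):
    """Clients whose probe-hit count reaches the threshold, most active first."""
    stats = summarize(lines)
    hits = [(ip, s) for ip, s in stats.items() if s["probes"] >= threshold]
    hits.sort(key=lambda item: (-item[1]["probes"], item[0]))
    return [ip for ip, _ in hits]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in flagged_ips(SAMPLE_LOG):
        s = stats[ip]
        print(f"{ip}: {s['probes']} probe hits, {s['not_found']} x 404, rules: {sorted(s['reasons'])}")
```

Run against a real log with `summarize(open("/var/log/httpd-access.log"))`; the per-client reason set is what tells a noisy but harmless crawler apart from a scanner walking a list of known-vulnerable apps, and the 404 count shows how much of the noise the server is already shrugging off.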