From: Aiza
To: Michael Powell
Cc: freebsd-questions@freebsd.org
Subject: Re: Apache web server being attacked
Date: Wed, 19 May 2010 11:00:13 +0800
Message-ID: <4BF3543D.7070708@comclark.com>
References: <4BF26530.3080501@comclark.com>

Michael Powell wrote:
> Aiza wrote:
>
>> I put apache13 in a jail and left inbound port 80 open in my firewall.
>> There is no domain name pointing to my web server. The content there is
>> a small apache web application that fools web email address harvest
>> programs into harvesting bogus email addresses from the web page.
>> http://www.monkeys.com/wpoison This is what I am doing.
>>
>> Since setting this up I have not had any bots scan the site for email
>> addresses. But I have had port 80 attacks that did not work. My Apache
>> access and error logs follow.
>>
> [snip log content]
>> As you can see, it looks like a script kiddie is running something they
>> don't understand. "/usr/local/www/data//phpmyadmin2/config.inc.php" -
>> there should only be a single / between data/phpmyadmin2.
>>
>> But besides that, it looks like the php config.inc.php file is a target and
>> phpmyadmin also is a target. The apache return code 404 means not found,
>> so no effect on me.
>>
>> Has anyone seen this junk hitting their apache web servers or have any
>> different explanation of what this means?
>
> Sorry to tell you this, but this kind of thing goes on all the time. You can
> fine-tune mod_security for some control over SQL injection techniques, as
> well as many other generic forms of locking down the web server in general.
>
> Generally speaking, the bulk of this does nothing more than fill the logs
> - BUT - all it takes is for one app to let the attacker "leak" onto your
> hard drive and they're in. I see a lot of scans for roundcube and
> phpMyAdmin. Have also seen a lot of phpBB in the past.
>
> The attackers spew lots of requests, but the needle in the haystack they are
> looking for is that one app that has a known vulnerability. In addition to
> securing the web server itself you should monitor any app running on it for
> reported security flaws and keep them updated to the latest "safe" versions.
>
> You can also add to the hardening of your web server (if Apache) with
> various .htaccess + mod_rewrite tricks. Examples include:
>
> # block all smarty templates (no reason to have these exposed)
> RedirectMatch gone ^/.*\.tpl$
>
> # block all .log (log files), .sql (sql dump/export) and .conf (config
> # files) files in case some day these files move to another directory
> RedirectMatch gone ^.*\.(sql|log|conf)$
>
> # block access to the 'Smarty-*' directory
> RedirectMatch gone ^.*Smarty.*$
>
> # block common files present that you don't want served
> RedirectMatch gone CHANGELOG.*
> RedirectMatch gone COPYRIGHT.*
> RedirectMatch gone INSTALL.*
> RedirectMatch gone NEW.*
> RedirectMatch gone README.*
> RedirectMatch gone UPGRADE.*
> RedirectMatch gone VERSION.*
>
> # block access to directories
> Redirect gone /upgrade
> Redirect gone /tmp
> Redirect gone /var
> Redirect gone /sql
>
> # Redirect pesky stuff based on referrer
> Options -MultiViews -Indexes
>
> RewriteEngine On
> RewriteBase /
>
> RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^Morfeus [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^Toata [NC]
> RewriteRule .* - [F,L]
>
> There are many more; these are just a couple of examples for ideas. :-)
>
> -Mike
>
Where do I find documentation on how to enable and use Apache mod_rewrite and Redirect?
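As an added illustration of what Mike's quoted rules actually do (this is editor-supplied example code, not anything posted in the thread), the script below translates the RedirectMatch, Redirect and RewriteCond patterns one-for-one into Python regexes so you can check which request paths would get 410 Gone or 403 Forbidden before touching a live server, and then runs a small scanner over a few constructed Apache combined-format log lines to flag the kind of phpMyAdmin / config.inc.php probes Aiza saw. The log lines, IP addresses and user-agent strings are all made up for the example; the order in which Apache evaluates mod_alias versus mod_rewrite is simplified to "user-agent block first".

```python
"""Simulate the quoted .htaccess rules and flag scanner-looking requests in an
Apache access log. Example code only; log lines below are constructed."""
import re

# Patterns from the quoted .htaccess, translated 1:1 into Python regexes.
# RedirectMatch does an unanchored regex search on the URL path; "gone" is 410.
BLOCKED_PATHS = [
    r"^/.*\.tpl$",              # Smarty templates
    r"^.*\.(sql|log|conf)$",    # dumps, logs, config files
    r"^.*Smarty.*$",            # Smarty-* directories
    r"CHANGELOG.*", r"COPYRIGHT.*", r"INSTALL.*", r"NEW.*",
    r"README.*", r"UPGRADE.*", r"VERSION.*",
]
# Plain Redirect matches a path-segment prefix: /tmp and /tmp/x, but not /tmpfoo.
BLOCKED_PREFIXES = ["/upgrade", "/tmp", "/var", "/sql"]
# RewriteCond ... [NC] is case-insensitive; RewriteRule ... [F] answers 403.
BLOCKED_AGENTS = re.compile(r"^(Twiceler|Morfeus|Toata)", re.IGNORECASE)


def apache_decision(path: str, user_agent: str = "") -> int:
    """Return the status the quoted rules would give: 403, 410 or 200 (served).
    Evaluation order is simplified for the example (user-agent check first)."""
    if BLOCKED_AGENTS.search(user_agent):
        return 403
    if any(re.search(p, path) for p in BLOCKED_PATHS):
        return 410
    if any(path == pre or path.startswith(pre + "/") for pre in BLOCKED_PREFIXES):
        return 410
    return 200


# Apache "combined" log format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Apps Mike mentions seeing scanned for, plus the file Aiza's logs showed.
PROBE_PATHS = re.compile(r"(phpmyadmin|config\.inc\.php|roundcube|phpbb)", re.I)

# Constructed sample lines (documentation IP ranges, invented user agents).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/May/2010:02:10:11 +0800] "GET /phpmyadmin2/config.inc.php HTTP/1.1" 404 209 "-" "Morfeus/1.0"',
    '198.51.100.7 - - [19/May/2010:02:10:12 +0800] "GET /data//phpmyadmin2/config.inc.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [19/May/2010:02:11:03 +0800] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/May/2010:02:12:40 +0800] "GET /README.txt HTTP/1.1" 200 800 "-" "Toata/1.0"',
]


def scan_log(lines):
    """Yield (ip, path, status, reasons) for requests that look like app scans."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        reasons = []
        if PROBE_PATHS.search(m["path"]):
            reasons.append("known-app probe")
        if "//" in m["path"]:
            reasons.append("doubled slash")  # the sloppy tool Aiza noticed
        if BLOCKED_AGENTS.search(m["ua"]):
            reasons.append("scanner user-agent")
        if reasons:
            yield m["ip"], m["path"], m["status"], ", ".join(reasons)


def summarize(lines):
    """Group flagged requests per source IP so one noisy scanner stands out."""
    per_ip = {}
    for ip, path, status, reason in scan_log(lines):
        per_ip.setdefault(ip, []).append((path, status, reason))
    return per_ip


if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_LOG).items():
        print(ip)
        for path, status, reason in hits:
            print(f"  {status} {path}  [{reason}]  rules would answer {apache_decision(path)}")
```

Run it against a real log with `summarize(open("/path/to/access_log"))` and the per-IP grouping makes the "one tool, many paths" pattern obvious. On the documentation question: the Redirect and RedirectMatch directives belong to mod_alias and the RewriteCond/RewriteRule ones to mod_rewrite; both need `AllowOverride FileInfo` for the directory before Apache will honour them in a .htaccess file, and `Options -Indexes` additionally needs `AllowOverride Options`. The reference pages for those two modules in the Apache httpd documentation are where the directive syntax above is specified.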