Michael Powell wrote:
Aiza wrote:
I put apache13 in a jail and left inbound port 80 open in my firewall.
There is no domain name pointing to my web server. The content there is
a small apache web application that fools web
email address harvest programs into harvesting bogus email address from
web page. http://www.monkeys.com/wpoison This is what I am doing.
Since setting this up I have not had any bots scan the site for email
address. But have had port 80 attacks that did not work. MY Apache
access and error logs follow.
[snip log content]
As you can see looks like a script kiddy is running something they dont
understand. "/usr/local/www/data//phpmyadmin2/config.inc.php"
there should only be a single / between data/phpmyadmin2.
But beside that looks like php config.inc.php file is a target and
phpmyadmin also is a target. The apache return code 404 means not found
so no effect to me.
Has anyone seen this junk hitting their apache web servers or have any
different explanation of what this means?
Sorry to tell you this, but this kind of thing goes on all the time. You can
fine tune mod_security for some control for SQL injection techniques, as
well as many other generic forms of locking down the web server in general.
Generally speaking, the bulk of this does nothing more than filling the logs
- BUT - all it takes is for one app to let the attacker "leak" onto your
hard drive and they're in. I see a lot of scans for roundcube and
phpMyAdmin. Have also seen a lot of phpBB in the past.
The attackers spew lots of requests but the needle in the haystack they are
looking for is that one app that has a known vulnerability. In addition to
securing the web server itself you should monitor any app running on it for
reported security flaws and keep them updated to the latest "safe" versions.
You can also add to the hardening of your web server (if Apache) with
various .htaccess + mod_rewrite tricks. Examples include:
# block all smarty templates (no reason to have these exposed)
RedirectMatch gone ^/.*\.tpl$
# block all .log (log files), .sql (sql dump/export) and .conf (config
files) files in case some day these files move to another directory
RedirectMatch gone ^.*\.(sql|log|conf)$
# block access to the 'Smarty-*' directory
RedirectMatch gone ^.*Smarty.*$
# block common files present that you don't want served
RedirectMatch gone CHANGELOG.*
RedirectMatch gone COPYRIGHT.*
RedirectMatch gone INSTALL.*
RedirectMatch gone NEW.*
RedirectMatch gone README.*
RedirectMatch gone UPGRADE.*
RedirectMatch gone VERSION.*
# block access to directories
Redirect gone /upgrade
Redirect gone /tmp
Redirect gone /var
Redirect gone /sql
#Redirect pesky stuff based on referrer
Options -MultiViews -Indexes
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Toata [NC]
RewriteRule .* - [F,L]
There is much and many more, just a couple of examples for ideas. :-)
-Mike
Where do I find documentation on how to enable and use apache mods
rewrite and redirect?
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
