Excerpts from Whisperity's message of Sun Feb 19 06:34:57 -0800 2012: > Greetings! > > I wanted to share my little script with you, server owners. A week or two > ago I have set up an Ubuntu server box, with some services (Apache, MySQL) > for personal usage. But my webserver is getting attacked by flood bots from > time to time, so I needed to develop a wall (using Shorewall firewall) for > it, and an easy manage script. > > The two script files (ip.sh and log.sh) are the swiss army knife for me > right now. (You need to put them into your webserver log folder > (/var/log/apache2)) > What I am asking for, knowing that people here are developers with more > knowledge than me > - log.sh: lists the access.log (or anything else log file specified in the > first argument) and filters out the "banned" IP-list > - ip.sh: (needs to run as root) manages the IP filtering (also adjusts > Shorewall's blacklist) > > There are some awkward, flood-like entries in my webserver's log. They > seems to be some sort of vulnearability checks, should I be worried? Can > you please give me some more tips on how to improve my server's security? >
A single server is a huge weakness, so the first tip I'd give you is to get a second server, in a second physical location. Be ready to scale out when you get legitimate traffic, and you'll have no problem handling malicious traffic while you find and ban the bad actors. Second, consider an application level firewall such as mod_security: http://www.modsecurity.org/ Most of those probes you are seeing are just mindless zombies looking for known vulnerable versions of old webapps, and can be ignored. I'd recommend filtering them out. Some packages, like logwatch, already do that. Finally, consider using apparmor to confine your application so that if somebody finds a hole in your application's security you can at least keep it confined to the files/directories/capabilities that you expect. Its actually a pretty straight forward process: https://help.ubuntu.com/11.10/serverguide/C/apparmor.html https://help.ubuntu.com/community/AppArmor -- ubuntu-server mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
