ChanYiuPong

asked on

Deny from

When I looked at the access log, I saw from time to time something like this:
218.254.54.240 - - [20/Mar/2005:11:07:18 +0800] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\......

What is this, some kind of attack?

I tried placing the "Deny from " lines in the httpd.conf, but I do not know why one or two such IPs can still pass through. How do I stop this kind of attack from messing up my access log?
caterham_www

Where did you place the Deny from? Do you also have some "Allow from" in your httpd.conf?

But if access is blocked, you'll find a log entry with the status code 403 like

127.0.0.1 - - [19/Mar/2005:17:54:38 +0200] "HEAD /..... HTTP/1.0" 403 - "-" "-"
in your access log
ChanYiuPong

ASKER

Hi caterham,

I have the line inside the document root.
I have
  Order allow,deny
  Allow from all
before the line

I have never seen the status code 403 in the access log before; do you mean the error log?
caterham_www is right, it will be in the access log.

An easier way to fight this kind of abuse is to put in your httpd.conf

AllowOverride Limit

And just maintain an .htaccess file inside the websites root directory with

Deny from 192.156.24.34
Deny from 23.45.34.235

and so on in the .htaccess

pmrussell892,

I will try that, let's see how it goes for 1 day. Is there any other way to block such an attack, rather than waiting until the IP is shown in the log? It seems to be of a pattern, but unluckily it is from a lot of different IPs.
If it is from a block of identical IP addresses you can block that range of IPs.

EX:

From

23.45.234.45
23.45.234.44
23.45.234.46

you could put

Deny from 23.45.234.

or if the first two match up on all
you could put just the first two

23.45

BUT you must be careful while doing this, as you may end up blocking legitimate users.

It may be extra work, but I find it better to just put the exact IP of the abusers so as to not block legit users.

This may also just be homework or some script kiddy looking for an easy target.

Here are some security tools you should be running to check for an actual breach of security.

AIDE http://www.cs.tut.fi/~rammer/aide.html or
Tripwire http://www.tripwire.org/

And

chkrootkit http://www.chkrootkit.org is a good one for checking for activity of a root kit being set up.

Armed with these security tools you should be able to detect if your server has been hacked or if it is just noise.

Hope some of this helps.
Unluckily I am using Apache on the Windows platform, so the tools cannot be used. I have changed the .htaccess to htaccess format to cope, and it is functioning; at least in 8 hours only 1 of such is found.
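As an added example (not code from this thread or from any of its participants), the following script automates the approach described above: it scans access-log lines for the escaped `\x90` SEARCH probe, counts hits per client, emits exact-IP `Deny from` lines, and only reports a partial-address prefix when more than one offending client shares it, since such a range may also block legitimate users. The log lines are constructed samples in Apache's common log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache common log format (not from the original thread).
SAMPLE_LOG = """\
218.254.54.240 - - [20/Mar/2005:11:07:18 +0800] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 411 0
23.45.234.45 - - [20/Mar/2005:11:09:02 +0800] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 411 0
23.45.234.44 - - [20/Mar/2005:11:09:03 +0800] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 411 0
10.0.0.7 - - [20/Mar/2005:11:10:00 +0800] "GET /index.html HTTP/1.1" 200 1234
23.45.234.45 - - [20/Mar/2005:11:12:41 +0800] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 403 -
"""

# One log line: client IP, ident, user, bracketed timestamp, quoted request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}|-)')
# The probe seen in the thread: a WebDAV SEARCH whose URI starts with a run of
# \x90 bytes (Apache writes non-printable request bytes to the log as \xNN escapes).
PROBE_RE = re.compile(r'^SEARCH /(\\x90)+')

def find_probe_sources(log_text):
    """Return {ip: hit_count} for every client that sent the \\x90 SEARCH probe."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, request, _status = m.groups()
        if PROBE_RE.match(request):
            hits[ip] += 1
    return dict(hits)

def deny_directives(hits):
    """Exact-IP 'Deny from' lines for an .htaccess file, sorted for stable output."""
    return ["Deny from %s" % ip for ip in sorted(hits)]

def shared_class_c(hits):
    """Map 'a.b.c.' -> [ips] for prefixes shared by more than one offending IP.
    Only these are candidates for a partial-address 'Deny from a.b.c.', and the
    thread warns that such a range can also block legitimate users."""
    groups = defaultdict(list)
    for ip in hits:
        groups[ip.rsplit('.', 1)[0] + '.'].append(ip)
    return {prefix: sorted(ips) for prefix, ips in groups.items() if len(ips) > 1}

if __name__ == "__main__":
    found = find_probe_sources(SAMPLE_LOG)
    print("\n".join(deny_directives(found)))
    for prefix, ips in shared_class_c(found).items():
        print("# %d probe sources in %s: 'Deny from %s' would also block legit users there"
              % (len(ips), prefix, prefix))
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file's contents; a request that was already answered with 403 still counts, which shows whether an existing Deny line is taking effect.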