Solved

Deny from

Posted on 2005-03-19
Last Modified: 2010-03-04
When I looked at the access log, I saw from time to time something like this:
218.254.54.240 - - [20/Mar/2005:11:07:18 +0800] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\......

What is this, some kind of attack?

I tried placing the "Deny from " lines in the httpd.conf, but I do not know why one or two such IPs can still pass through. How do I stop this kind of attack from messing up my access log?
0
Comment
Question by:ChanYiuPong
8 Comments
 
LVL 27

Expert Comment

by:caterham_www
ID: 13585330
Where did you place the Deny from? Do you also have some "Allow from" in your httpd.conf?

But if access is blocked, you'll find a log entry with the status code 403 like

127.0.0.1 - - [19/Mar/2005:17:54:38 +0200] "HEAD /..... HTTP/1.0" 403 - "-" "-"
in your access log.
0
 

Author Comment

by:ChanYiuPong
ID: 13585726
Hi caterham,

I have the line inside the document root.
I have
  Order allow,deny
  Allow from all
before the line.

I have never seen the status code 403 before in the access log; do you mean the error log?
0
 
LVL 1

Expert Comment

by:pmrussell892
ID: 13590357
Caterham_www is right; it will be in the access log.

An easier way to fight this kind of abuse is to put in your httpd.conf

AllowOverride Limit

And just maintain an .htaccess file inside the websites root directory with

Deny from 192.156.24.34
Deny from 23.45.34.235

and so on in the .htaccess.

0
 

Author Comment

by:ChanYiuPong
ID: 13591885
pmrussell892,

I will try that; let's see how it goes for 1 day. Is there any other way to block such an attack, rather than waiting until the IP is shown in the log? It seems to follow a pattern, but unluckily it comes from a lot of different IPs.
0
 
LVL 1

Expert Comment

by:pmrussell892
ID: 13592110
If it is from a block of identical IP addresses you can block that range of IPs.

Example:

From

23.45.234.45
23.45.234.44
23.45.234.46

you could put

Deny from 23.45.234.

or, if the first two octets match on all of them, you could put just the first two:

23.45

BUT you must be careful while doing this as you may end up blocking legitimate users.

It may be extra work, but I find it better to just put the exact IP of the abusers so as to not block legit users.

This may also just be homework or some script kiddie looking for an easy target.

Here are some security tools you should be running to check for an actual breach of security.
 
AIDE http://www.cs.tut.fi/~rammer/aide.html or
Tripwire http://www.tripwire.org/

And

chkrootkit http://www.chkrootkit.org is a good one for checking for activity of a root kit being set up.

Armed with these security tools you should be able to detect if your server has been hacked or if it is just noise.

Hope some of this helps.
0
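The thread so far gives two practical checks: caterham_www's point that a working Deny shows up as 403 entries in the access log, and pmrussell892's advice to block exact IPs (or, cautiously, a prefix) once they appear. The script below is an added example, not code from the thread or from Apache: it parses access log lines in Apache's common format, flags SEARCH requests whose path is mostly escaped raw bytes (the `\x90\x02\xb1...` pattern quoted in the question), counts 403s per IP so you can confirm the block is taking effect, and renders the resulting `Deny from` lines. The log lines, the threshold values and the helper names are constructed for the example; only collapse to a prefix when several distinct hosts in it have probed, which is the caveat pmrussell892 raises.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}|-) '
)
# Apache writes non-printable request bytes to the log as \xHH escapes.
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Constructed sample lines (not taken from the thread); statuses are illustrative.
SAMPLE_LOG = r"""
218.254.54.240 - - [20/Mar/2005:11:07:18 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 400 -
203.0.113.7 - - [20/Mar/2005:11:09:02 +0800] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 400 -
203.0.113.8 - - [20/Mar/2005:11:09:05 +0800] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 400 -
203.0.113.9 - - [20/Mar/2005:11:09:09 +0800] "SEARCH /\x90\x02\xb1 HTTP/1.1" 400 -
198.51.100.20 - - [20/Mar/2005:11:10:00 +0800] "GET /index.html HTTP/1.1" 200 1234
218.254.54.240 - - [20/Mar/2005:12:01:44 +0800] "HEAD / HTTP/1.0" 403 - "-" "-"
"""


def parse_line(line):
    """Return ip/method/path/status for one access log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('request').split(' ')
    return {
        'ip': m.group('ip'),
        'method': parts[0] if parts else '',
        'path': parts[1] if len(parts) > 1 else '',
        'status': m.group('status'),
    }


def is_probe(entry, min_escaped=3):
    """A SEARCH request whose path carries several escaped raw bytes is treated as a probe."""
    return (entry['method'] == 'SEARCH'
            and len(ESCAPED_BYTE.findall(entry['path'])) >= min_escaped)


def analyse(log_text):
    """Count probing hits per IP and 403 responses per IP (the latter shows Deny is working)."""
    probes, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        if entry['status'] == '403':
            blocked[entry['ip']] += 1
        elif is_probe(entry):
            probes[entry['ip']] += 1
    return probes, blocked


def collapse_ranges(ips, min_hosts=3):
    """Group probing IPs by /24 prefix. Only emit the bare prefix (e.g. "203.0.113.")
    when at least min_hosts distinct hosts in it probed; otherwise keep exact IPs,
    since a prefix rule can also shut out legitimate users."""
    by_prefix = defaultdict(set)
    for ip in ips:
        by_prefix[ip.rsplit('.', 1)[0] + '.'].add(ip)
    rules = []
    for prefix, hosts in sorted(by_prefix.items()):
        if len(hosts) >= min_hosts:
            rules.append(prefix)
        else:
            rules.extend(sorted(hosts))
    return rules


def render_deny(rules):
    """Lines for an .htaccess (needs AllowOverride Limit) or a <Directory> block in httpd.conf."""
    return "\n".join(f"Deny from {r}" for r in rules)


if __name__ == "__main__":
    probes, blocked = analyse(SAMPLE_LOG)
    print("# probing hosts:", dict(probes))
    print("# hosts already receiving 403:", dict(blocked))
    print(render_deny(collapse_ranges(probes)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; on Windows the file is usually under `logs\access.log` in the Apache directory. Review the emitted prefix rules by hand before pasting them into the .htaccess.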
 

Author Comment

by:ChanYiuPong
ID: 13597609
Unluckily I am using Apache on the Windows platform, so the tools cannot be used. I have changed the .htaccess to htaccess format to cope, and it is functioning; at least in 8 hours only 1 of such is found.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 13816880
PAQed with points refunded (250)

modulo
Community Support Moderator
0
