Solved

Deny from

Posted on 2005-03-19
Last Modified: 2010-03-04
When I looked at the access log, I saw from time to time something like this:
218.254.54.240 - - [20/Mar/2005:11:07:18 +0800] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\......

What is this, some kind of attack?

I tried placing the "Deny from " lines in the httpd.conf, but I do not know why, still one or two such IPs can pass through. How do I stop this kind of attack from messing up my access log?
0
Question by:ChanYiuPong
7 Comments
 
LVL 27

Expert Comment

by:caterham_www
ID: 13585330
Where did you place the deny from? Do you also have some "Allow from" in your httpd.conf?

But if access is blocked, you'll find a log entry with the status code 403 like

127.0.0.1 - - [19/Mar/2005:17:54:38 +0200] "HEAD /..... HTTP/1.0" 403 - "-" "-"
in your access log
0
 

Author Comment

by:ChanYiuPong
ID: 13585726
Hi caterham,

I have the line inside the document root
I have
  Order allow,deny
  Allow from all
before the line

Never seen the status code 403 before in the access log, do you mean the error log?
0
 
LVL 1

Expert Comment

by:pmrussell892
ID: 13590357
Caterham_www is right, it will be in the access log.

An easier way to fight this kind of abuse is to put in your httpd.conf

AllowOverride Limit

And just maintain an .htaccess file inside the websites root directory with

Deny from 192.156.24.34
Deny from 23.45.34.235

and so on in the .htaccess

0

 

Author Comment

by:ChanYiuPong
ID: 13591885
pmrussell892,

Will try that, let's see how it goes for 1 day. Is there any other way to block such attacks rather than waiting until the IP is shown in the log? It seems to be of a pattern but unluckily it is from a lot of different IPs.
0
 
LVL 1

Expert Comment

by:pmrussell892
ID: 13592110
If it is from a block of identical IP addresses you can block that range of IPs

EX:

From

23.45.234.45
23.45.234.44
23.45.234.46

you could put

Deny from 23.45.234.

or if the first two match up on all
you could put just the first two

23.45

BUT you must be careful while doing this as you may end up blocking legitimate users.

It may be extra work but I find it better to just put the exact IP of the abusers so as to not block legit users.

This may also just be homework or some script kiddie looking for an easy target.

Here are some security tools you should be running to check for an actual breach of security.
 
AIDE http://www.cs.tut.fi/~rammer/aide.html or
Tripwire http://www.tripwire.org/

And  

chkrootkit http://www.chkrootkit.org is a good one for checking for activity of a rootkit being set up.

Armed with these security tools you should be able to detect if your server has been hacked or if it is just noise.

Hope some of this helps.
0
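Added example, not part of the original thread or any poster's code: a small log triage script for the two points discussed above, namely generating exact-IP "Deny from" lines for clients that sent the escaped SEARCH requests, and listing which other clients a partial-IP rule would also block. The log lines are constructed (documentation-range IPs, assumed status codes) and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Apache Common Log Format (documentation-range IPs).
SAMPLE_LOG = r'''
203.0.113.7 - - [20/Mar/2005:11:07:18 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1" 414 -
203.0.113.9 - - [20/Mar/2005:11:09:02 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1" 414 -
198.51.100.23 - - [20/Mar/2005:11:12:40 +0800] "SEARCH /\x90\x02\xb1\x02\xb1" 414 -
203.0.113.50 - - [20/Mar/2005:11:13:05 +0800] "GET /index.html HTTP/1.1" 200 1043
192.0.2.14 - - [20/Mar/2005:11:15:51 +0800] "GET /about.html HTTP/1.1" 200 2210
203.0.113.7 - - [20/Mar/2005:11:20:00 +0800] "GET /index.html HTTP/1.1" 403 -
'''

LINE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')

def parse(log):
    """Yield (ip, request, status) for each well-formed log line."""
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def is_probe(request):
    """SEARCH method plus \\x-escaped bytes, the pattern shown in the question."""
    return request.startswith("SEARCH ") and "\\x" in request

def probe_sources(log):
    """Count probe requests per client IP."""
    return Counter(ip for ip, req, _ in parse(log) if is_probe(req))

def prefix_covers(prefix, ip):
    """A partial-IP rule such as 'Deny from 203.0.113.' matches whole leading octets."""
    return (ip + ".").startswith(prefix.rstrip(".") + ".")

def collateral(prefix, log):
    """Clients a partial-IP rule would also block although they sent no probe."""
    bad = probe_sources(log)
    return sorted({ip for ip, _, _ in parse(log)
                   if prefix_covers(prefix, ip) and ip not in bad})

def deny_lines(log):
    """Exact-IP rules for every probe source, ready for httpd.conf or .htaccess."""
    return ["Deny from " + ip for ip in sorted(probe_sources(log))]

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_LOG)))
    print("also blocked by 'Deny from 203.0.113.':", collateral("203.0.113.", SAMPLE_LOG))
```

The last sample line shows what a working rule looks like in the access log: a request from an already denied address logged with status 403.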
 

Author Comment

by:ChanYiuPong
ID: 13597609
Unluckily I am using Apache on the Windows platform, so the tools cannot be used. I have changed the .htaccess to htaccess format to cope and it is functioning, at least in 8 hours only 1 of such is found.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 13816880
PAQed with points refunded (250)

modulo
Community Support Moderator
0
