Another security problem..
Jim Popovitch
jimpop at yahoo.com
Thu Oct 20 20:29:36 UTC 2005
Matthew Nuzum wrote:
>
> But that's not my point... if you run a web-facing server there are some
> plugins for nessus that cause it to search for known-vulnerable web
> applications and such. It's a good idea to run it periodically so that you
> can find if you're exposed before someone else does.
You are assuming too much of nessus. Your logic requires nessus to know
to check for *all* vulnerabilities. I don't have that much faith in any
product, even open source ones. The best way to run a secure server is
to not trust other tools and software. Do your own checking,
investigating, and *don't* run suspicious, or even mildly problematic
(i.e. php), software.
> I've not looked into it, but it would be nice if there was some *simple* to
> maintain script that would detect these types of probes and automatically
> add the IP to hosts.deny and etc.
I have a script (see below) that scans apache logs, I then add the
output to a file that sets up iptables rules. I don't run (nor trust)
hosts.deny as it relies on the application's coders to use it properly.
The below file is by no means a comprehensive set of tests, it's just
the common ones that I see. The output on just one of my systems yields
almost 20K IPs that get blocked. ;-) YMMV.
-Jim P.
---- begin: identify-bad-http-requests ----
#!/bin/sh
# Scratch file for the collected IPs.
TEMP="temp.$$"

# Client IPs from error_log entries that mention a commonly probed
# CGI/application path ("[client 1.2.3.4]" is the Apache error_log prefix).
egrep "FormMail.cgi|FormMail.pl|apage.cgi|auctions.cgi|awstats|ctpub_adserv.cgi|formmail.cgi|formmail.pl|imgannot.cgi|includer.cgi|openwebmail|proxyjudge.cgi|tellafriend.pl|upload2.cgi" /var/log/httpd/error_log* \
  | sed -e 's/.*\[client \(.*\)\].*/\1/' > "$TEMP"

# Source IPs from any log line for a SEARCH request carrying x90 bytes
# (a NOP sled); the IP is the first field, before " - - ".
sed -e "s/SEARCH.*x90.*/BLOCK-IP/" /var/log/httpd/*_log* | grep BLOCK-IP \
  | sed -e 's/ - - .*//' >> "$TEMP"

sort -u "$TEMP"
rm -f "$TEMP"
---- end ------
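The log-to-iptables idea in the post, carried through as an added example (this is not Jim's script and not part of the original message). It assumes Apache's common access-log format and the error_log "[client IP]" prefix (the "[client IP:port]" form of newer releases is also accepted), reuses the same probe signatures Jim lists, and prints the iptables rules instead of applying them so they can be reviewed first. The log lines are constructed for the demonstration, not real traffic.

```shell
#!/bin/sh
# Added example: turn Apache probe traffic into a reviewable iptables rule list.
# Assumptions: common log format for access_log, "[client IP]" or
# "[client IP:port]" prefix in error_log, signatures as in Jim's egrep line.

# Same probed paths as the post, with the dots escaped so "." is literal.
SIGNATURES='FormMail\.cgi|FormMail\.pl|apage\.cgi|auctions\.cgi|awstats|ctpub_adserv\.cgi|formmail\.cgi|formmail\.pl|imgannot\.cgi|includer\.cgi|openwebmail|proxyjudge\.cgi|tellafriend\.pl|upload2\.cgi'

# Constructed sample log lines (not real data; RFC 5737 test addresses).
SAMPLE_ERROR_LOG='[Thu Oct 20 19:01:02 2005] [error] [client 192.0.2.10] File does not exist: /var/www/html/cgi-bin/FormMail.pl
[Thu Oct 20 19:01:05 2005] [error] [client 198.51.100.7] File does not exist: /var/www/html/awstats
[Thu Oct 20 19:02:11 2005] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico'

SAMPLE_ACCESS_LOG='192.0.2.10 - - [20/Oct/2005:19:01:02 +0000] "GET /cgi-bin/FormMail.pl HTTP/1.0" 404 291
198.51.100.99 - - [20/Oct/2005:19:03:40 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02 HTTP/1.1" 414 0
203.0.113.5 - - [20/Oct/2005:19:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024'

# stdin: error_log lines -> stdout: one client IP per matching line.
# The trailing []:] accepts both "[client IP]" and "[client IP:port]".
ips_from_error_log() {
    grep -E "$SIGNATURES" | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p'
}

# stdin: access_log lines -> stdout: one source IP per probe line.
# A probe is either a request for a signature path or a SEARCH request
# whose URI carries x90 bytes (the NOP-sled pattern Jim's sed keys on).
ips_from_access_log() {
    grep -E -e "\"[A-Z]+ [^\"]*(${SIGNATURES})" -e '"SEARCH [^"]*x90' \
        | sed 's/ - - .*//'
}

# identify_probes ERROR_LOG ACCESS_LOG -> sorted, de-duplicated IP list.
identify_probes() {
    {
        ips_from_error_log < "$1"
        ips_from_access_log < "$2"
    } | sort -u
}

# stdin: IP list -> stdout: one DROP rule per IP (printed, not executed).
to_iptables_rules() {
    while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run over the constructed samples.
tmpdir=$(mktemp -d) || exit 1
printf '%s\n' "$SAMPLE_ERROR_LOG" > "$tmpdir/error_log"
printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$tmpdir/access_log"
identify_probes "$tmpdir/error_log" "$tmpdir/access_log" | to_iptables_rules
rm -rf "$tmpdir"
```

Point it at /var/log/httpd/error_log* and access_log* instead of the sample files and pipe the output into a file you read before running it. With the tens of thousands of addresses Jim mentions, a flat INPUT chain of individual -s rules is evaluated linearly per packet; at that size an ipset (or a dedicated chain) is the better target for the generated list.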
More information about the fedora-legacy-list mailing list