Another security problem..

Jim Popovitch jimpop at yahoo.com
Thu Oct 20 20:29:36 UTC 2005


Matthew Nuzum wrote:
> 
> But that's not my point... if you run a web-facing server there are some
> plugins for nessus that cause it to search for known-vulnerable web
> applications and such. It's a good idea to run it periodically so that you
> can find if you're exposed before someone else does.

You are assuming too much of nessus.  Your logic requires nessus to know 
to check for *all* vulnerabilities.  I don't have that much faith in any 
product, even open source ones.  The best way to run a secure server is 
to not trust other tools and software.  Do your own checking, 
investigating, and *don't* run suspicious, or even mildly problematic 
(i.e. php), software.

> I've not looked into it, but it would be nice if there was some *simple* to
> maintain script that would detect these types of probes and automatically
> add the IP to hosts.deny and etc.

I have a script (see below) that scans apache logs; I then add the 
output to a file that sets up iptables rules.  I don't run (nor trust) 
hosts.deny as it relies on the application's coders to use it properly. 
The below file is by no means a comprehensive set of tests, it's just 
the common ones that I see.  The output on just one of my systems yields 
almost 20K IPs that get blocked. ;-)  YMMV.

-Jim P.

---- begin: identify-bad-http-requests ----
#!/bin/sh
# Scan the Apache logs for common probe signatures and print the unique
# client IPs, one per line, for feeding into iptables rules.
TEMP=temp.$$

# error_log: requests for CGI/PHP scripts that only scanners ask for;
# pull the address out of the "[client a.b.c.d]" field.
egrep "FormMail.cgi|FormMail.pl|apage.cgi|auctions.cgi|awstats|ctpub_adserv.cgi|formmail.cgi|formmail.pl|imgannot.cgi|includer.cgi|openwebmail|proxyjudge.cgi|tellafriend.pl|upload2.cgi" \
    /var/log/httpd/error_log* | sed -e 's/.*\[client \(.*\)\].*/\1/' > $TEMP

# access_log: "SEARCH /\x90\x90..." overflow probes; mark matching lines,
# keep only the marked ones, then strip everything after the leading address.
sed -e "s/SEARCH.*x90.*/BLOCK-IP/" /var/log/httpd/*_log* | grep BLOCK-IP \
    | sed -e 's/ - - .*//' >> $TEMP

sort -u $TEMP
rm -f $TEMP
---- end ------
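As an added example (not Jim's script), the log-to-firewall step described above carried through: probe hits in constructed error_log and access_log lines are reduced to source IPs, checked to be well-formed dotted quads, and emitted as iptables DROP commands for review; the probe-name list is a subset of the one in the post, and the addresses are RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not Jim's script: reduce probe hits in Apache logs to
# source IPs and emit iptables DROP commands for review.
# The log lines below are constructed (RFC 5737 documentation addresses).

SAMPLE_ERROR_LOG='[Thu Oct 20 10:11:12 2005] [error] [client 192.0.2.10] script not found or unable to stat: /var/www/cgi-bin/formmail.pl
[Thu Oct 20 10:12:00 2005] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Thu Oct 20 10:13:05 2005] [error] [client 192.0.2.10] script not found or unable to stat: /var/www/cgi-bin/FormMail.cgi'

SAMPLE_ACCESS_LOG='203.0.113.5 - - [20/Oct/2005:10:14:01 +0000] "SEARCH /\x90\x02\xb1\x02\xb1" 400 335
198.51.100.7 - - [20/Oct/2005:10:14:30 +0000] "GET /index.html HTTP/1.1" 200 1234'

# error_log: lines naming scripts only scanners ask for (subset of the
# list in the post above); the address sits in the "[client a.b.c.d]" field.
probe_ips_from_error_log() {
    grep -E 'FormMail\.cgi|formmail\.pl|awstats|openwebmail' \
        | sed -e 's/.*\[client \([^]]*\)\].*/\1/'
}

# access_log: "SEARCH /\x90..." overflow probes; the address is the first
# field, so drop everything from " - - " onward.
probe_ips_from_access_log() {
    grep 'SEARCH.*x90' | sed -e 's/ - - .*//'
}

# Dedupe, keep only well-formed dotted quads (a mangled log line must not
# become a broken rule), and wrap each address in an iptables command.
ips_to_iptables_rules() {
    sort -u | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | sed -e 's/.*/iptables -A INPUT -s & -j DROP/'
}

# Run both extractors over the samples and print the resulting rules.
generate_rules() {
    {
        printf '%s\n' "$SAMPLE_ERROR_LOG" | probe_ips_from_error_log
        printf '%s\n' "$SAMPLE_ACCESS_LOG" | probe_ips_from_access_log
    } | ips_to_iptables_rules
}

generate_rules
```

Point the two extractor functions at the real log files instead of the samples and redirect the output to the rules file rather than running it blind, so the list can be eyeballed before it reaches the firewall.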




More information about the fedora-legacy-list mailing list