I review my web server logs pretty regularly, and there’s a pattern of 404s I’ve seen recently that I haven’t been blocking up until now: searching each directory for ‘contact.php’ or ‘setup.php’, the latter often searching for every variety of phpMyAdmin. I don’t have PMA on my machine, but I’d sure make sure I read all the instructions and removed setup.php if I had! (And you should, too!) I found this link that adds a simple test and rules using Fail2Ban to temporarily ban sites that hit too many 404s too fast. I’ll have to see if this bonks too many search engines.
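To make the Fail2Ban idea concrete, here is an added example (my own illustration, not code from the original post, from the linked HOWTO, or from Fail2Ban itself) that applies the same logic to Apache combined-format log lines: count 404 responses per client IP inside a sliding time window, and report the IPs that cross a threshold. The parameter names findtime, maxretry and ignoreip are borrowed from Fail2Ban’s jail settings; the function names and the sample log lines are constructed for this example, and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation ranges. The ignoreip list is the knob you would use to keep a known crawler from being banned.

```python
"""Added example: detect clients that produce too many 404s too fast,
the same pattern a Fail2Ban jail on the Apache access log enforces.
Not Fail2Ban's code; the names and sample data below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache "combined" log format. A Fail2Ban filter would use the same shape,
# with <HOST> in place of the client-IP group.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log, in chronological order (as a real log file is).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2010:12:00:01 +0000] "GET /contact.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [10/Jul/2010:12:00:02 +0000] "GET /blog/contact.php HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.2 - - [10/Jul/2010:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2010:12:00:04 +0000] "GET /phpmyadmin/setup.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [10/Jul/2010:12:00:05 +0000] "GET /pma/setup.php HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.2 - - [10/Jul/2010:12:00:06 +0000] "GET /old-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2010:12:00:07 +0000] "GET /phpMyAdmin/setup.php HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.10 - - [10/Jul/2010:12:00:08 +0000] "GET /gone1 HTTP/1.1" 404 512 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [10/Jul/2010:12:00:09 +0000] "GET /gone2 HTTP/1.1" 404 512 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [10/Jul/2010:12:00:10 +0000] "GET /gone3 HTTP/1.1" 404 512 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [10/Jul/2010:12:00:11 +0000] "GET /gone4 HTTP/1.1" 404 512 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [10/Jul/2010:12:00:12 +0000] "GET /gone5 HTTP/1.1" 404 512 "-" "ExampleBot/1.0"',
    'this line is deliberately unparseable',
    '198.51.100.2 - - [10/Jul/2010:12:05:00 +0000] "GET /missing HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2010:12:10:00 +0000] "GET /admin/setup.php HTTP/1.1" 404 512 "-" "-"',
]


def parse_line(line):
    """Return (ip, timestamp, status, request) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("host"), ts, int(m.group("status")), m.group("request")


def find_404_abusers(lines, findtime=60, maxretry=5, ignoreip=()):
    """Return {ip: timestamp_of_trigger} for clients with >= maxretry 404s
    inside any findtime-second window. Networks in ignoreip are never reported."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    windows = defaultdict(deque)   # ip -> timestamps of recent 404s
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip junk without aborting the scan
        ip, ts, status, _ = parsed
        if status != 404 or ip in banned:
            continue
        try:
            if any(ip_address(ip) in net for net in ignored):
                continue
        except ValueError:
            pass                   # host field was not an IP; not in an ignore list
        q = windows[ip]
        q.append(ts)
        # Drop 404s that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_404_abusers(SAMPLE_LOG, ignoreip=["192.0.2.0/24"]).items():
        print(f"would ban {ip} (triggered at {when.isoformat()})")
```

Running it reports only 203.0.113.7: five 404s in seven seconds cross the threshold, the ordinary visitor’s scattered 404s never accumulate inside one window, and the crawler’s burst is excluded by ignoreip. Real Fail2Ban adds the ban action and the bantime expiry; the counting logic is what is shown here.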
Interesting account of how an add-on for Firefox claiming to be a security test included a backdoor that captured usernames & passwords. If you’ve recently downloaded “Mozilla Sniffer” you’ll want to pay particular attention to this article:
I swapped out web servers two weekends ago, when the old machine started showing some unacceptable behavior. Part of that swap involved switching from a CentOS-based Linux distribution to an Ubuntu-based distribution. There were some great learning moments involved in that. I also wanted to swap out a few programs that hadn’t worked as well as I had hoped.
One of the new packages I’m trying out is Fail2Ban, a Python-based application that reviews the logs and temporarily bans IP addresses based on patterns of abuse. Similar applications like DenyHosts are well-rated, but DenyHosts specializes in ssh, which hadn’t been too much of a problem for me, and didn’t have a straightforward configuration for ftp, which unfortunately I must offer. I had used a similar Perl-based application before, but it hadn’t supported a couple of my applications, and appeared to introduce some instability in the system. Fail2Ban came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with nonsense.
So, 48 hours in and things seem to be running well. The log files clearly show some applications being blocked, other applications seem to be running well, and performance and responsiveness of the site seem to be okay.
Over at the SANS Internet Storm Center, John Bambenek describes the increasingly grim situation for keeping machines secure. Automated patching triggers automated reverse engineering and the development of exploits in The Patch Window is Gone: Automated Patch-Based Exploit Generation. Deeply troubling.