2

I have a VM running about 100 websites, I run logwatch, blockhosts & mod_evasive, and between the three I have a pretty good idea what happens on a daily basis... though, I do get a lot of requests like:

 /cgi-bin/commerce.cgi?search=/../../../../../../../../../../etc/passwd%00&category=A001 HTTP Response 302 
    /cgi-bin/commerce.cgi?register=../../../../../../../../../../proc/self/environ HTTP Response 302 
    /cgi-bin/commerce.cgi?display=/etc/passwd HTTP Response 302 
    /cgi-bin/commerce.cgi?display=../../../../../../../../../../proc/self/environ HTTP Response 302 
    /cgi-bin/commerce.cgi?search=/../../../../../../../../../../proc/self/environ%00&category=A001 HTTP Response 302

not a big deal - these never went anywhere, though, I would like a nice simple way to add the requesting IPs to the block list in hosts.allow ...

say any request that contains /etc/passwd or /proc/self/

any thoughts?

TessellatingHeckler
  • 5,726
  • 3
  • 27
  • 45
Sean Kimball
  • 869

3 Answers3

6

You can use Fail2Ban to watch logs and automatically add offending IPs to the firewall's block list. Additionally it can unblock them after a certain amount of time (in case it's a botnet PC or dynamic IP).

Chris S
  • 78,185
  • you mean via iptables/chains type commands.. the firewall is external so... I'll look at it though. - it's http://www.fail2ban.org BTW - they don't have the www setup for some reason. - thanks. – Sean Kimball Aug 11 '11 at 15:19
  • 1
    The fact that the firewall is external doesn't mean that fail2ban won't work. You can nest firewalls, for a variety of reasons, and it works well: the exterior firewall keeps most ports shielded, and fail2ban running locally just toggles access to port 80 for sites that appear to be generating log badness. – MadHatter Aug 11 '11 at 16:09
  • yes - I just have not looked at fail2ban just yet, and this is a minor annoyance, not really a security issue, so the simplest, least painful solution is the winner... I really don't want to start mucking around with firewalls & cascading configs... [but your point is well taken] – Sean Kimball Aug 11 '11 at 16:19
2

You want mod_security ( http://www.modsecurity.org/ ); there are pre-written rulesets to catch directory-traversal attacks (and hundreds more), and simple facilities for responding. e.g:

  • slow their connection to a crawl
  • return 500s to their ip/subnet for x-seconds/x-minutes or forever
  • shell out and do something at the system level
  • high-atmosphere atomic bombardment
MrTuttle
  • 1,176
1

Fail2Ban will do it, but is it worth it? Answer to my question on blocking ips doing brute force attacks with SSH logins suggested it wasn't worth the effort, and that may be the same here.

Community
  • 1
dunxd
  • 9,704
  • Seeing as you don't know what effort is required in setting up Fail2Ban, I'm not sure how you feel qualified to state that it may be too much effort. It certainly isn't security theater for most uses. – Chris S Aug 11 '11 at 16:42
  • I merely point to the answers given to my earlier question. Anyone can judge for themselves and make up their own minds here. – dunxd Aug 12 '11 at 08:55