Search Results

Search found 27 results on 2 pages for 'logwatch'.


  • Dealing with HTTP w00tw00t attacks

    - by Saif Bechan
    I have a server with apache and I recently installed mod_security2 because I get attacked a lot by this. My apache version is apache v2.2.3 and I use mod_security2.c. These were the entries from the error log:

        [Wed Mar 24 02:35:41 2010] [error] [client 88.191.109.38] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
        [Wed Mar 24 02:47:31 2010] [error] [client 202.75.211.90] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
        [Wed Mar 24 02:47:49 2010] [error] [client 95.228.153.177] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
        [Wed Mar 24 02:48:03 2010] [error] [client 88.191.109.38] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

    Here are the errors from the access_log:

        202.75.211.90 - - [29/Mar/2010:10:43:15 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 392 "-" "-"
        211.155.228.169 - - [29/Mar/2010:11:40:41 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 392 "-" "-"
        211.155.228.169 - - [29/Mar/2010:12:37:19 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 392 "-" "-"

    I tried configuring mod_security2 like this:

        SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
        SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
        SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
        SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
        SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"

    The thing in mod_security2 is that SecFilterSelective can not be used; it gives me errors. Instead I use a rule like this:

        SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
        SecRule REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
        SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
        SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
        SecRule REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"

    Even this does not work. I don't know what to do anymore. Anyone have any advice?

    Update 1

    I see that nobody can solve this problem using mod_security. So far using ip-tables seems like the best option to do this, but I think the file will become extremely large because the IP changes several times a day. I came up with 2 other solutions; can someone comment on whether they are good or not? The first solution that comes to my mind is excluding these attacks from my apache error logs. This will make it easier for me to spot other urgent errors as they occur, and I don't have to sift through a long log. The second option is better I think, and that is blocking hosts that are not sent in the correct way. In this example the w00tw00t attack is sent without hostname, so I think I can block the hosts that are not in the correct form.

    Update 2

    After going through the answers I came to the following conclusions. To have custom logging for apache will consume some unnecessary resources, and if there really is a problem you probably will want to look at the full log without anything missing. It is better to just ignore the hits and concentrate on a better way of analyzing your error logs. Using filters for your logs is a good approach for this.

    Final thoughts on the subject

    The attack mentioned above will not reach your machine if you at least have an up to date system, so there are basically no worries. It can be hard to filter out all the bogus attacks from the real ones after a while, because both the error logs and access logs get extremely large. Preventing this from happening in any way will cost you resources, and it is a good practice not to waste your resources on unimportant stuff. The solution I use now is Linux logwatch. It sends me summaries of the logs and they are filtered and grouped. This way you can easily separate the important from the unimportant. Thank you all for the help, and I hope this post can be helpful to someone else too.


  • Why do I get "ignoring out-of-zone data" when restarting BIND

    - by 6bytes
    I've been using my own DNS server but then I moved to a third-party DNS provider. Yesterday I wanted to go back to using my own DNS servers and cancel this third-party service. I've lowered TTL in the current DNS conf, changed DNS info in GoDaddy for my domain, and that's when problems started. My domain seems to be working only for some people but not for others, so clearly something is wrong. When restarting bind (service named restart) everything seems to be OK, but later in the email from Logwatch I'm getting errors like this:

        mydomain.com:30: ignoring out-of-zone data (ns1.mydns.com): 3 Time(s)
        mydomain.info:16: ignoring out-of-zone data (ns1.mydns.com): 5 Time(s)

    Can anyone point me in the right direction? My BIND configuration for those two domains is below.

    File: /var/named/chroot/etc/zones.external

        zone "mydomain.com" IN {
            type master;
            file "mydomain.com";
            allow-transfer { 213.251.188.140; };
            allow-update { none; };
            notify yes;
            also-notify { 213.251.188.140; };
        };

        zone "mydomain.info" IN {
            type master;
            file "mydomain.info";
            allow-transfer { 213.251.188.140; };
            allow-update { none; };
            notify yes;
            also-notify { 213.251.188.140; };
        };

    File /var/named/chroot/var/named/mydomain.com, being my main domain:

        $TTL 3600
        $ORIGIN mydomain.com.
        @ IN SOA ns1.mydns.com. ns2.mydns.com. (
                2010032101 ; Serial
                10800      ; Refresh
                3600       ; Retry
                2419200    ; Expire
                3600 )     ; NXDOMAIN TTL
          IN NS ns1.mydns.com.
          IN NS ns2.mydns.com.
          IN MX 10 ASPMX.L.GOOGLE.COM.
          IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
          IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
          IN MX 30 ASPMX2.GOOGLEMAIL.COM.
          IN MX 30 ASPMX3.GOOGLEMAIL.COM.
          IN MX 30 ASPMX4.GOOGLEMAIL.COM.
          IN MX 30 ASPMX5.GOOGLEMAIL.COM.
          IN A 111.111.111.111
        * IN A 111.111.111.111
        edu IN A 111.111.111.111
        googleXXXXXXXXXXXXXXXX IN CNAME google.com.
        ns1.mydns.com. IN A 111.111.111.111

    File /var/named/chroot/var/named/mydomain.info, just an alias in apache for mydomain.com:

        $TTL 86400
        $ORIGIN mydomain.info.
        @ IN SOA ns1.mydns.com. ns2.mydns.com. (
                2009042901 ; Serial
                10800      ; Refresh
                3600       ; Retry
                2419200    ; Expire
                3600 )     ; NXDOMAIN TTL
          IN NS ns1.mydns.com.
          IN NS ns2.mydns.com.
          IN A 111.111.111.111
        * IN A 111.111.111.111
        ns1.mydns.com. IN A 111.111.111.111

