Author |
|
BIODIGITZMAN
Joined: 11 Feb 2008 Posts: 5 Location: Spain
|
Posted: Mon 11 Feb '08 3:41 Post subject: Apache Security Answer |
|
|
Hola!
i have a one Problem in:
Apache 2.2.8
php5.2.5
MySql 6
Server localhost in Windows Vista Ultimate sp1
i Have one Abusive conecttion IP SYN_RCVD
Via apache :
i Have :
1. Apache ModSecurity 2.1.4
2. .htacces banned this ip 78.136.122.61
3. .htacces banned this ip 78.136.122.
4. .htacces banned this ip 78.136.
5. .htacces banned this rang 78. Full Banned
6. acces.conf banned this IP
7. http.conf banned this ip
Banned from all conf possibles and. nothing
this conecttion external is constantly
Pd: This IP no have Reverse
¿What i can do for banned this *** IP ?
Thanks |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 12 Feb '08 17:52 Post subject: |
|
|
Hi!
If you are using a router to connect to the internet, you maybe can block that IP there. But that is only a moving from the problem to the router.
From Apache side you can't do more than banning the ip with deny. |
|
Back to top |
|
BIODIGITZMAN
Joined: 11 Feb 2008 Posts: 5 Location: Spain
|
Posted: Tue 12 Feb '08 21:02 Post subject: |
|
|
Currently, the attack has ceased.
The problem is that I can not access the web config of my router
My router is closed by my ISP
Moment of the attack has stopped. Will be continued if
Thanks to respond if something happens again it comment |
|
Back to top |
|
BIODIGITZMAN
Joined: 11 Feb 2008 Posts: 5 Location: Spain
|
Posted: Fri 15 Feb '08 4:39 Post subject: |
|
|
in .htacces :
Code: | ## SITE REFERRER BANNING
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} 78\.136\.122\.61 [NC]
RewriteRule .* - [F] |
Generator :
http://tools.dynamicdrive.com/userban/
Mod Rewrite On
This is Very Killer but found ...
Another Qüestion is...
Why this:
Code: | 212.59.200.171 - - [15/Feb/2008:00:00:03 +0100] "GET /Updates/Ping.asp HTTP/1.1" 200 - |
¿Why Ping.asp ???
in apache |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Fri 15 Feb '08 10:48 Post subject: |
|
|
BIODIGITZMAN wrote: |
Why this:
Code: | 212.59.200.171 - - [15/Feb/2008:00:00:03 +0100] "GET /Updates/Ping.asp HTTP/1.1" 200 - |
|
It seems there is a Ping.asp in a folder Uploads. The 200 means Ok File file is there. - Zerobytes transfered.
The name Uploads let me think someone else can upload files there? |
|
Back to top |
|
BIODIGITZMAN
Joined: 11 Feb 2008 Posts: 5 Location: Spain
|
Posted: Fri 15 Feb '08 11:15 Post subject: |
|
|
I never usu nothing in that folder. Even exist ..
Put there because the error log apache. Marked these connections> ping.asp
That's why I .. But if I look Remove this folder:
[Fri Feb 15 10:10:41 2008] [error] [client 201.246.44.254] File does not exist: Rootfolder/htdocs/Updates
[Fri Feb 15 10:10:51 2008] [error] [client 79.147.153.176] File does not exist: Rootfolder/htdocs/Updates
I never have configured nothing whit this folder updates
Only got there because. Apache error log always full of that error
Now this cleared. But all connections want to ping.asp on my server ...
That is what I do not understand .. Because a ping.asp? On my server? |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Fri 15 Feb '08 18:04 Post subject: |
|
|
Seeing that this is coming from more than one IP, I'd say it is a bot attack of a known vulnerability in ping.asp. Many of these bots that attack webservers do not look to see if you are running IIS or Apache or anything else, they just sweep a bunch of IP addresses.
Looking up ping.asp, it is vulnerable to DDOSing it's own server.
I get tons of attacks on stuff that does not exist. Those of us that have been around long enough remember the pollution in our logs Code Red and Code Red II left. We were using Apache so we were safe. Those using unpatched IIS were not.
For years I have never had PHP, there wasn't anything PHP that I could not find an equivalent for in Perl. Yet I still got tons of hits looking for PHP apps like Webblog and others that had known vulnerabilities.
It's just part of the game. |
|
Back to top |
|