Topic: Immediate Security Concern

[bsimecek]

I have an apache server that has nothing but a authorization required directory on it. Any errors go to a custom error page php file that notifies me of the server error and any other information (ip, referrer...) (via email).

My problem is, I am getting an error telling me that someone IS trying to authenticate to the directory twice within a second of eachother AND this happens every hour for the last several hours. The IP addresses listed (ips from multiple error messages) were internal ip addresses. These ip addresses are PROBABLY clean of any breakins.

So my guess is that I am getting some spoofing going on from the outside. I have changed the .htaccess file to block all internal ip addresses and the public ip address of my router (all unneeded addresses anyway) but the errors have only changed to "access forbidden".

I have two questions...

Is there a way for an outsider to know my internal ip address structure from apache (without assuming an internal network system compromise)?

AND

Is there a way for me to determine the MAC address that these requests are coming from (to determine if they are indeed coming from the inside)?

[flyingmonkey]

You can probably determine the MAC address using something like Ethereal to do packet monitoring. If you're internal ip structure is common like a 10. network or 192. etc... maybe it was just a lucky guess.