Defense Script



sharingsunshine
09-13-2007, 08:02 AM
Hello,

I have a need to stop the script kiddies from bombarding my site with 404 requests. I have a program that tells me when a legitimate 404 has occurred and with the script kiddie output it is hard to find the real 404's. I have a big site so I need the 404 help.

My question:

Is there any defense script that will provide a shield to all of the port scanning and attempts to crack my system? I have seen several on the net just wanted to know if anyone has used them or if they will work within the WH environment.

I have a dedicated server with WH and I like the service just need some help on stopping the script kiddie requests.

jalal
09-13-2007, 11:52 PM
What is the difference between a 'real 404' and a 'non-real 404'?

The only sure way of stopping port scanning and cracking attempts that I know of is to disconnect the computer from the internet. But that has other side effects that you may not want... ;)

corvus
09-14-2007, 10:18 AM
When you get the non-real 404's, is the referer header set? That might be one of the few ways for you to differentiate the requests.

jball
09-15-2007, 09:44 AM
Dear sharingsunshine,


There is an excellent tool out there called mod_security which can be installed as a module for Apache. This can be installed on the account via the apxs utility used to install and update Apache modules. You can download and get information on this module at:

http://www.modsecurity.org/

Depending on how bad you're getting hit, or how serious you are about this, there is also a book you may want to consider looking at regarding this as well:

Apache Security by Ivan Ristic (who also wrote mod_security)

This book has a section devoted to mod_security. As an example on how to install this upon downloading, you could follow these steps:

1 - tar -zxvf modsecurity-apache_1.9.5.tar.gz
2 - cd /path/to/dir/modsecurity-apache_1.9.5/apache1
3 - apxs -c -i -a mod_security.c

I would then suggest that you either look at the book for configuration options or browse online. My guess would be that whoever is attacking you is using a script to connect to port 80 and thus the referer environment variable for Apache is set to "-". A line such as the following in the Apache configuration, added after installing mod_security, can help with that:

SecFilterSelective "HTTP_REFERER" "-"

A sample configuration of mod_security in your Apache configuration (/etc/httpd/conf/httpd.conf) may look like this:

<IfModule mod_security.c>
# Enable mod_security
SecFilterEngine On

# Retrieve request payload
SecFilterScanPOST On

# Automatic Validation Defaults
SecFilterCheckCookieFormat Off
SecFilterNormalizeCookies Off
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Reject invalid requests with status 403
SecFilterDefaultAction deny,log,status:403

# Record relevant information only
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log

# Where to store temporary and intercepted files
SecUploadDir /var/log/modsec_files/
# Do not store intercepted files for the time being
SecUploadKeepFiles Off

# Use 0 for the debug level in production
# and 4 for testing
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 4

##### Additional #####
SecFilterSelective "HTTP_REFERER" "-"
#SecFilterSelective THE_REQUEST ^GET\s/index\.html\sHTTP/1\.0$

/IfModule>

The last line saying SecFilterSelective is an example of how regular expressions can also be used for filtering.

Now, mod_security would help stop requests right when they get to Apache. You can also use a .htaccess file and take advantage of mod_rewrite to handle the blocks after Apache takes in the file. This can be done by creating a .htaccess file in /var/www/html with something similar to:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ http://www.domain.com/errorpage.htm [R=302,L]

Regular expressions can also be used here. I hope this information is helpful.

jball
09-15-2007, 09:52 AM
At least one small typo that I noticed in my post:

/IfModule>

Should be:

</IfModule>

sharingsunshine
11-28-2007, 05:37 AM
Hi Everyone,

I appreciate the great suggestions and pointing me to the Apache module. I have been using regex quite regularly.

In answer to an earlier post, I know they need to be trapped when it is something that is being requested that doesn't even remotely resemble what I have on my server. This is where the regular expressions have been very helpful.

Thanks again,

Randal

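A worked example of the triage this thread converges on: corvus and jball suggest separating the two kinds of 404 by the Referer header, and Randal says the noise is requests for paths that don't even remotely resemble what is on the server, matched with regular expressions. The script below is an added example, not code from the thread or from mod_security; it parses Apache "combined" log lines, keeps the 404s, calls a 404 "noise" when it has no Referer and matches none of a hypothetical allow-list of path shapes for the site, and emits "Deny from" lines for IPs that exceed a threshold. The allow-list patterns, IP addresses, paths and threshold are assumptions, and the log lines are constructed. One caveat on the SecFilterSelective "HTTP_REFERER" "-" line earlier in the thread: Apache writes an absent Referer as the literal "-", but as a regular expression "-" also matches any referer that merely contains a hyphen (such as a hostname like my-site.example), so the check here is an exact comparison.

```python
"""Triage Apache 404s: split likely scanner noise from real 404s.

Added example; not from the forum thread or from mod_security.
Assumes Apache's "combined" LogFormat and a hand-written allow-list of
path patterns describing what the site actually serves (hypothetical).
"""
import re
from collections import Counter

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical allow-list: path shapes that exist on this site. A 404 whose
# path matches none of these "doesn't even remotely resemble" the site.
SITE_PATTERNS = [
    re.compile(r'^/$'),
    re.compile(r'^/(products|articles)/[\w-]+\.html$'),
    re.compile(r'^/images/[\w-]+\.(png|jpe?g|gif)$'),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_404(rec):
    """Return 'real', 'noise', or None when the record is not a 404."""
    if rec["status"] != "404":
        return None
    # Apache logs a missing Referer as the literal "-". Compare exactly rather
    # than with a regex "-", which would also match "http://my-site.example/".
    no_referer = rec["referer"] == "-"
    resembles_site = any(p.match(rec["path"]) for p in SITE_PATTERNS)
    if no_referer and not resembles_site:
        return "noise"
    return "real"


def triage(lines, threshold=3):
    """Return (real_404s, noise_count_per_ip, deny_list).

    real_404s is a list of (ip, path, referer) tuples worth a human's time;
    deny_list holds IPs with at least `threshold` noise 404s (threshold is
    an assumed value, tune it to your traffic).
    """
    real = []
    noise_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than guessing
        kind = classify_404(rec)
        if kind == "real":
            real.append((rec["ip"], rec["path"], rec["referer"]))
        elif kind == "noise":
            noise_by_ip[rec["ip"]] += 1
    deny = sorted(ip for ip, n in noise_by_ip.items() if n >= threshold)
    return real, noise_by_ip, deny


def deny_directives(deny):
    """Render Apache 2.2-style 'Deny from' lines for httpd.conf or .htaccess."""
    return [f"Deny from {ip}" for ip in deny]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2007:08:02:11 -0500] "GET /phpmyadmin/ HTTP/1.0" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Sep/2007:08:02:12 -0500] "GET /admin/ HTTP/1.0" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Sep/2007:08:02:12 -0500] "GET /_vti_bin/ HTTP/1.0" 404 289 "-" "Mozilla/4.0"
198.51.100.4 - - [13/Sep/2007:09:15:03 -0500] "GET /products/old-widget.html HTTP/1.1" 404 512 "http://my-site.example/products/index.html" "Mozilla/5.0"
198.51.100.9 - - [13/Sep/2007:09:16:40 -0500] "GET /products/widget.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    real, noise, deny = triage(SAMPLE_LOG.splitlines())
    for ip, path, ref in real:
        print(f"real 404: {ip} {path} (referer {ref})")
    for directive in deny_directives(deny):
        print(directive)
```

Run it against a copy of the access log (one line per entry) instead of SAMPLE_LOG to get the short list of real 404s to investigate and a starting deny list; the allow-list is the part that has to be written per site, and a request that matches it is reported as real even when it has no Referer, since a bookmark or typed URL also arrives without one.
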
godrockzzz
01-06-2008, 02:13 AM
Anyone able to get mod_security installed here? I tried with no luck

wildjokerdesign
01-08-2008, 07:54 AM
Did you notice in your other post that Justin mentioned that he was not able to get the current version of mod_security installed but the version mentioned here (1.9.5) always worked for him?

godrockzzz
01-08-2008, 03:24 PM
I did get the latest version installed. It was just a matter of where it was installed. Has anyone used CSF?

Pablo
12-11-2008, 08:21 AM
Note: jball's instructions are for Apache versions 1.x. To install with Apache 2.x I used these steps:


wget http://www.modsecurity.org/download/modsecurity-apache_1.9.5.tar.gz
tar -zxvf modsecurity-apache_1.9.5.tar.gz
cd /path/to/dir/modsecurity-apache_1.9.5/apache2
apxs -Wc,-Wall -cia mod_security.c