Re: Another security problem..

Matthew Nuzum wrote:

> But that's not my point... if you run a web-facing server there are some
> plugins for nessus that cause it to search for known-vulnerable web
> applications and such. It's a good idea to run it periodically so that you
> can find if you're exposed before someone else does.

You are assuming too much of nessus. Your logic requires nessus to know to check for *all* vulnerabilities. I don't have that much faith in any product, even open source ones. The best way to run a secure server is to not trust other tools and software. Do your own checking, investigating, and *don't* run suspicious, or even mildly problematic (i.e. php), software.

> I've not looked into it, but it would be nice if there was some *simple* to
> maintain script that would detect these types of probes and automatically
> add the IP to hosts.deny and etc.

I have a script (see below) that scans apache logs, I then add the output to a file that sets up iptables rules. I don't run (nor trust) hosts.deny as it relies on the application's coders to properly use it. The below file is by no means a comprehensive set of tests, it's just the common ones that I see. The output on just one of my systems yields almost 20K IPs that get blocked. ;-) YMMV.

-Jim P.

---- begin: identify-bad-http-requests ----
#!/bin/sh
# Print a sorted, unique list of client IPs that probed for known-abused
# scripts or sent SEARCH requests carrying \x90 (NOP-sled) bytes.
TEMP=$(mktemp) || exit 1
# IPs from error_log entries that mention the probed scripts; only lines
# that actually carry a "[client ...]" field are printed.
grep -E "FormMail.cgi|FormMail.pl|apage.cgi|auctions.cgi|awstats|ctpub_adserv.cgi|formmail.cgi|formmail.pl|imgannot.cgi|includer.cgi|openwebmail|proxyjudge.cgi|tellafriend.pl|upload2.cgi" /var/log/httpd/error_log* | sed -n -e 's/.*\[client \([^]]*\)\].*/\1/p' > "$TEMP"
# IPs from access_log entries whose SEARCH request contains x90 bytes.
sed -e "s/SEARCH.*x90.*/BLOCK-IP/" /var/log/httpd/*_log* | grep BLOCK-IP | sed -e 's/ - - .*//' >> "$TEMP"
sort -u "$TEMP"
rm -f "$TEMP"
---- end ------

--

fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
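The second half of the workflow Jim describes, turning the extracted IP list into iptables rules, as an added example that is not Jim's script or anything from the list. It assumes Apache's default error_log and access_log formats, uses a small constructed set of log lines rather than real logs, keeps only well-formed IPv4 addresses so a stray log line cannot become a malformed rule, and honours an allowlist so your own scanner or monitoring hosts are never blocked. The rules are printed for review instead of being applied.

```shell
#!/bin/sh
# Added example, not the list's own script. Extracts offending client IPs
# from Apache logs and prints iptables DROP rules for review. The log lines
# used below are constructed for the example.

# Print candidate IPs: "[client x.x.x.x]" from error-log lines mentioning
# commonly probed scripts, plus the leading IP of access-log lines whose
# SEARCH request carries a \x90 (NOP-sled) payload. Only well-formed
# dotted-quad addresses survive the final filter.
extract_bad_ips() {
    # $1 = error log, $2 = access log
    {
        grep -Ei 'formmail\.(cgi|pl)|awstats|openwebmail' "$1" \
            | sed -n -e 's/.*\[client \([^]]*\)\].*/\1/p'
        grep -E '"SEARCH .*\\x90' "$2" | sed -e 's/ - - .*//'
    } | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Read IPs (one per line) on stdin and print an iptables rule for each,
# skipping any address listed in the allowlist file $1 (may be empty).
emit_iptables_rules() {
    allow="$1"
    while IFS= read -r ip; do
        if [ -n "$allow" ] && grep -qxF "$ip" "$allow"; then
            continue
        fi
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Build constructed sample logs, run the pipeline, and clean up.
run_demo() {
    err=$(mktemp) || return 1
    acc=$(mktemp) || return 1
    allow=$(mktemp) || return 1
    cat >"$err" <<'EOF'
[Sun Jan 02 03:04:05 2005] [error] [client 192.0.2.10] script not found or unable to stat: /var/www/cgi-bin/formmail.pl
[Sun Jan 02 03:04:06 2005] [error] [client 192.0.2.10] File does not exist: /var/www/html/awstats
[Sun Jan 02 03:04:07 2005] [error] [client 198.51.100.5] File does not exist: /var/www/html/favicon.ico
[Sun Jan 02 03:04:08 2005] [error] [client 203.0.113.9] script not found or unable to stat: /var/www/cgi-bin/openwebmail
EOF
    cat >"$acc" <<'EOF'
203.0.113.77 - - [02/Jan/2005:03:05:00 +0000] "SEARCH /\x90\x90\x90\x90 HTTP/1.1" 414 0
198.51.100.5 - - [02/Jan/2005:03:05:01 +0000] "GET /index.html HTTP/1.1" 200 1234
EOF
    # Constructed allowlist: pretend 203.0.113.9 is our own vulnerability scanner.
    printf '203.0.113.9\n' >"$allow"
    extract_bad_ips "$err" "$acc" | emit_iptables_rules "$allow"
    rm -f "$err" "$acc" "$allow"
}

run_demo
```

Run it as-is to see the two generated rules; against real logs, call extract_bad_ips with your error_log and access_log paths and pipe the result into emit_iptables_rules with a file of hosts you never want blocked. Review the output before loading it, since a burst of probes from behind a shared proxy will block every user of that proxy.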
