On 03/03/2014 05:11 PM, Dan Thurman wrote:
On 03/03/2014 03:25 PM, Rick Stevens wrote:
On 03/03/2014 02:06 PM, eoconnor25@xxxxxxxxx issued this missive:
What's the best way to avoid/prevent this from happening?...
Since the IP is part of a Turkish /24 network, odds are it's a hack
attempt. If you don't care about servicing Turkey, you could block that
IP space in your firewall. Pertinent information:
inetnum: 185.4.227.0 - 185.4.227.255
netname: SAYFANET
descr: Istanbul DC Customer
country: TR
admin-c: KSM20-RIPE
tech-c: KSM20-RIPE
status: ASSIGNED PA
mnt-by: ER101-MNT
source: RIPE # Filtered
("whois 185.4.227.194" will give you the gory details), so add that /24
to your filter list. In the old days:
iptables -I INPUT [some-rulenumber] -s 185.4.227.0/24 -j DROP
It's difficult to weed out traffic selectively unless you have the
ability to do a deep packet inspection and look at the actual request.
Generally that equipment costs a good deal of $$$$.
----- Reply message -----
From: "Mark Haney" <mhaney@xxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: F19: Is this an httpd attack attempt?
Date: Mon, Mar 3, 2014 11:59 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/03/14 11:42, Dan Thurman wrote:
>
> It looks to me like a successful indirect connection?
>
> The following is taken from /var/log/httpd/access_log
>
> 185.4.227.194 - - [03/Mar/2014:07:27:49 -0800] "GET
>
http://24x7-allrequestsallowed.com/?PHPSESSID=1rmsxtj500143TRMUTP_ODZZWA
>
>
HTTP/1.1" 200 5264 "-" "-"
>
It certainly looks that way. I see several of those kinds of GETs a
day on our web servers. Not from that particular domain, but similar
types of GETs.
A quick google points to similar GET requests to that domain as far
back as 2011, and the domain itself isn't live, just a placeholder for
parked domain.
- -- Mark Haney
Network/Systems Administrator
Practichem
W: (919) 714-8428
Fedora release 20 (Heisenbug) 3.13.4-200.fc20.x86_64
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTFLTbAAoJEM/YzwEAv6e7lMUH/20KyuLCbB9FeGV5fbe1OB8s
AQUxwifz9XyyD+5x3EEs4Oeg062/cyySVAcE5KyFEoQvfeMXGJEpzcHS2fXWHkSk
q7w25D78iQzIvZlD0Y1XDxxJ4X8td6rBKARGTNyL94mRhunEJGH/kiVhqEBnJLxW
o1GQLjlLg2vNlpDDjjhko4cqATDFJOv8fBDh/CyY/PcfHC8XcPR0SGQ+Tz24PnGx
VzpIvysV2iJiARQgscg8/gDQo772eqLDLIEmo/6Z1uVBCYa8MUCxge122JMvAvJ5
hBiEIhc7s6VHGGImyQaUDxjZ/q47jBazmDp6SIu5fUyTlbl759JE33erOhkglIQ=
=nqC7
-----END PGP SIGNATURE-----
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Alternatively, one could add the following IPs to /etc/hosts.deny:
ALL: 85.25.196.141
ALL: 85.25.226.154
ALL: 146.185.239.100
ALL: 185.4.227.194
ALL: 192.99.2.75
[...]
This works if the IPs are static but if IPs are from a pool, dynamic,
or spoofed, then one is out of luck chasing a tiger's tail?
FWIW
Ugh, Apache by default does not use the tcpwrappers
unless recompiled. Another alternative is to append
the following to /etc/httpd/conf/httpd.conf:
# Blacklist
<Location />
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 85.25.196.141
deny from 85.25.226.154
deny from 146.185.239.100
deny from 185.4.227.194
deny from 192.99.2.75
</Limit>
</Location>
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org