On Mon, Aug 29, 2011 at 2:25 PM, Always Learning <centos@xxxxxxxxxxx> wrote:
>
>> For light use you could drop in VMware server or player or virtualbox
>> without much effect on the current system. It shouldn't be necessary,
>> though, unless you'd like to install otherwise conflicting rpm
>> packages or give root access to someone on the virtual server only.
>
> I've use Virtual Box successfully for Windoze 98 to run Ami Pro 3.1.
>
>> So why can't you do that for your new virtualhost instead of running
>> on a different IP?
>
> A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web
> site. Its started about 5 August but significantly escalated on 22
> August.
Ummm, 30,000 isn't a particularly big number of hits to an apache
server, especially if all it has to do is respond with a 'file not
found'. But you are probably wise to be defensive.
> My Apache routine can add the IPs to iptables and block them. Since 22
> August the lunatic has used over 100 different IPs from around the world
> to send those wrong URLs which always seem to include one of these:-
>
> forgotten_password.php
>
> login.php
>
> contact.php
That probably means the intrusion is self-propagating. That is, if
the target is running some vulnerable php version or application, it
is able to install a copy of itself and start over.
> Assigning a spare IP address to this small web site should make it
> easier for me to experiment with IP tables and examine TCP packets
> without disturbing the server's normal workings. For example no valid
> HTTP request sent to that IP address should contain 'pas' or 'log' or
> 'con' so if I detect these the packets can be dropped - that is the
> theory. With dropped packets I lose the ability to easily record IP
> address and host name. However my web page has over 100 entries of
> machines compromised in the current abuse, so loosing new details is
> worth the satisfaction of blocking the loony.
As long as you aren't vulnerable yourself, I don't see the point of
wasting human hours to save machine microseconds. And this is a tiny
bit of the viruses and automated intrusion attempts happening in the
wild so unless you can generalize it into a fail2ban type of process
your time would be better spent making sure your systems are up to
date and inherently secure.
>> If you are just firewalling there, apache can permit/deny ip ranges on
>> its own for a location or virtualhost.
> It is amazing so many machines can be broken-into or misused by one
> deranged lunatic. I wonder if those machines run on Windoze.
If that is the first instance you've seen, you must have a low-profile
site. And no, web applications have their own bugs and
vulnerabilities on Linux too. And if you aren't fairly close to
up-to-date on the base distribution, those exploits can get root
access. The last one I bothered tracking down used a java/spring
vulnerability to run something to trigger a local root exploit in
glibc (that I think was fixed in the 5.4 or 5.5 update) but there are
probably newer ones - and more we don't know about.
--
Les Mikesell
lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
