I'd like to suggest parsing Apache's access log files for common exploits, based on a database of known exploits.
My personal motivation is this: shortly after setting up Apache HTTPD on my server, I already had thousands of requests in my access log from people trying to exploit some non-existent PHP applications. Though futile, because I'm not running PHP, these requests give a pretty good idea about who's trying to break into people's servers.
For example, I had these in the log:
<IP> - - [14/Sep/2007:00:50:02 +0200] "GET /phpMyAdmin-2.6.4-rc1/main.php HTTP/1.0" 404 227
<IP> - - [14/Sep/2007:00:50:02 +0200] "GET /phpMyAdmin-2.6.4-pl1/main.php HTTP/1.0" 404 227
<IP> - - [14/Sep/2007:00:50:02 +0200] "GET /phpMyAdmin-2.6.4-pl2/main.php HTTP/1.0" 404 227
<IP> - - [14/Sep/2007:00:50:02 +0200] "GET /phpMyAdmin-2.6.4-pl3/main.php HTTP/1.0" 404 227
[... and lots more...]
I think adding these guys to Denyhosts (and leveraging the feature of uploading/downloading attack data) would improve Denyhosts very much. Instead of looking for failed login attempts, the application would have to look for certain URIs together with 404 errors (not found) in the access log and then add the attackers to the central database. People who actually *do* use the vulnerable applications would then greatly benefit from having known attackers blocked automatically.
The database of known web server exploit URIs can easily be created from access log files like mine. Instead of looking at the number of unsuccessful login attempts (like in SSH logins), Denyhosts would need to look at the number of different exploits tried by a single client, though, in order to not blacklist people who simply enter a wrong URI into their web browsers.
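The counting rule described in the request above, as an added example that is not part of the original post and is not DenyHosts code: only 404 responses for URIs matching a known-probe list are counted, and a client is reported once it has tried a threshold number of different probe URIs. The function name, the signature list, the threshold of 3 and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed signature list (assumption); the request envisions a shared
# database built from real access logs instead.
PROBE_SIGNATURES = [
    re.compile(r'^/phpMyAdmin-[\w.\-]+/main\.php$', re.I),
    re.compile(r'^/(?:phpmyadmin|pma)/main\.php$', re.I),
]

def find_scanners(lines, threshold=3):
    """Return {host: sorted probe paths} for hosts that requested at least
    `threshold` distinct known-probe URIs, each answered with a 404."""
    probes = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("status") != "404":
            continue  # unparsable line, or the requested resource exists
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if any(sig.match(path) for sig in PROBE_SIGNATURES):
            probes[m.group("host")].add(path)  # a set, so repeats count once
    return {h: sorted(p) for h, p in probes.items() if len(p) >= threshold}

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2007:00:50:02 +0200] "GET /phpMyAdmin-2.6.4-rc1/main.php HTTP/1.0" 404 227
192.0.2.10 - - [14/Sep/2007:00:50:02 +0200] "GET /phpMyAdmin-2.6.4-pl1/main.php HTTP/1.0" 404 227
192.0.2.10 - - [14/Sep/2007:00:50:02 +0200] "GET /phpMyAdmin-2.6.4-pl2/main.php HTTP/1.0" 404 227
192.0.2.10 - - [14/Sep/2007:00:50:03 +0200] "GET /phpMyAdmin-2.6.4-pl2/main.php HTTP/1.0" 404 227
198.51.100.7 - - [14/Sep/2007:09:12:40 +0200] "GET /indx.html HTTP/1.1" 404 209
198.51.100.7 - - [14/Sep/2007:09:12:44 +0200] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [14/Sep/2007:11:03:17 +0200] "GET /phpmyadmin/main.php HTTP/1.1" 404 227
""".splitlines()

if __name__ == "__main__":
    for host, paths in find_scanners(SAMPLE_LOG).items():
        print(host, len(paths), "distinct probe URIs")
```

The visitor who mistyped `/indx.html` and the client with a single probe stay below the threshold; only the client that walked through several phpMyAdmin versions is reported.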
Logged In: NO
That would be great. Fail2ban can do that but it uses iptables to block hosts.
For Apache there is a _great_ mod called mod-security that works like a firewall for the Apache server. It has proven its value for me; it has blocked a couple of attacks on an unpatched exploit at a phpbb2-forum that I host.