From: Mij <mi...@bi...> - 2009-02-06 11:17:38
On Feb 5, 2009, at 9:11 PM, Hans F. Nordhaug wrote:

> * Forrest Aldrich <fo...@fo...> [2009-02-05]:
>> I have the same problem -- my method of blocking is visually doing
>> "tail -F access.log" and putting filters in.
>>
>> To use SSHGuard for this, you'd have to implement pattern searches for
>> the specific attacks... might be okay for a few, annoying for more than
>> that. I think something like mod_security may help in this case
>> (though I've never used it).
>
> Well, I don't think you have to do it that strict. I would say that if
> an IP is getting many 404 entries (maybe with the added condition of
> empty referrer) in very short time, it's likely to be a scanning
> attack. SSHGuard by default doesn't block for very long so if it was a
> legitimate user hitting refresh like crazy, it wouldn't harm that much.

I'm not quite convinced for 2 reasons:

1) Such rules appear quite "loose". I'm not sure this fits with the conservative policy used so far to avoid false positives at the cost of complexity. For example, crawlers issue a "GET /robots.txt" which often results in a 404 and lacks a referer. On webservers with plenty of vhosts a bunch of such requests within a few minutes may result in an undesired blocking. A solution can be to add to such conditions sensitivity to the target filetype, and block only those involving dynamic scripts like .php, .pl etc.

2) Sshguard currently assumes that all attacks have the same "density", that is, 4 attacks to ssh are "as dangerous" as 4 to proftpd or anything else. This case breaks this assumption, as you would require many more "404"s than login failures before determining an abuse. A solution is either to define the conditions above "tight enough" to raise the density of each attack, or to wait for me to eventually implement the system based on scoring and threshold.

> I'm using mod_security, but I would like to use SSHGuard to
> 1) get the burden off Apache and
> 2) block the IP at the network level since it probably will do other
> unfriendly things
>
>> I tried to figure out how the lex stuff works for implementing my own
>> patterns, but alas I'm not a programmer -- if someone can explain it,
>> I'd love to do a few things with it.
>
> I happen to be a programmer, but I hate reinventing the wheel so I'll
> wait some more time before I give it a try myself.

The yacc parser itself (src/sshguard_parser.y) is quite easy to manipulate. It contains many examples that can be used for inspiration for adding new ones. Otherwise, users can use this: http://sshguard.sourceforge.net/newattackpatt.php

michele

>
> Hans
>
>> Hans F. Nordhaug wrote:
>>> The last months the bots looking for vulnerable web apps on my servers
>>> have increased in number and intensity. I guess you all have entries
>>> like these in your log files:
>>>
>>> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 357 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:12 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 357 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /PMA/main.php HTTP/1.0" 404 350 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /admin/main.php HTTP/1.0" 404 352 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:13 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 354 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /mysql/main.php HTTP/1.0" 404 352 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /myadmin/main.php HTTP/1.0" 404 354 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:14 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 358 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin2/main.php HTTP/1.0" 404 358 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /phpMyAdmin-2/main.php HTTP/1.0" 404 359 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:15 +0100] "GET /php-my-admin/main.php HTTP/1.0" 404 359 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:16 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 363 "-" "-"
>>> 74.63.252.86 - - [02/Feb/2009:10:33:17 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 363 "-" "-"
>>>
>>> I wonder if someone has already tried to use SSHguard to
>>> block this annoying traffic (in addition to brute force SSH
>>> attacks)?
>>> Or could someone give me a hint about how to get started on
>>> setting this up (without breaking the existing SSH blocking)?
>>>
>>> Regards,
>>> Hans
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
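The 404-burst heuristic Hans proposes, with the two refinements Michele asks for (ignore crawler probes such as /robots.txt, and count only 404s on dynamic-script targets such as .php or .pl) and a per-IP sliding window standing in for the higher "density" a web scan needs before it counts as abuse. This is an added example for the thread, not code from the thread or from sshguard itself. The source IP and probe paths are the ones quoted in Hans's log excerpt; the crawler and refreshing-browser lines, the addresses 192.0.2.10 and 198.51.100.7, the example.org referer and the threshold of 10 hits within 60 seconds are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format, the format of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Refinement from the thread: only 404s on dynamic scripts count as probes.
DYNAMIC_EXT = ('.php', '.pl', '.cgi', '.asp', '.aspx', '.jsp')
# Paths that crawlers legitimately request; a 404 there is not evidence of abuse.
IGNORED_PATHS = {'/robots.txt', '/favicon.ico'}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    entry['status'] = int(entry['status'])
    return entry


def is_suspicious_404(entry):
    """A 404 with an empty Referer on a dynamic-script path that is not a crawler probe."""
    if entry['status'] != 404:
        return False
    path = entry['path'].split('?', 1)[0]
    if path in IGNORED_PATHS:
        return False
    if entry['referer'] not in ('', '-'):      # the empty-referrer condition
        return False
    return path.lower().endswith(DYNAMIC_EXT)


class ScanDetector:
    """Per-IP sliding window: `threshold` suspicious 404s within `window` flags the IP.
    Same "N hits within a time span" shape sshguard applies to login failures;
    the larger threshold is the "density" adjustment discussed in the thread."""

    def __init__(self, threshold=10, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)   # ip -> timestamps of recent suspicious 404s
        self.flagged = set()

    def feed(self, line):
        """Feed one log line; return the IP if this line pushes it over the threshold."""
        entry = parse_line(line)
        if entry is None or not is_suspicious_404(entry):
            return None
        ip, ts = entry['ip'], entry['ts']
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.flagged:
            self.flagged.add(ip)
            return ip
        return None


def make_line(ip, ts, path, status=404, referer='-'):
    """Build a combined-format line (constructed sample input for the demo)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} 357 "{referer}" "-"'


# The probe sequence quoted in the thread (source IP and paths from the original post).
SCANNER_PATHS = [
    '/phpmyadmin/main.php', '/phpMyAdmin/main.php', '/PMA/main.php',
    '/admin/main.php', '/dbadmin/main.php', '/mysql/main.php',
    '/myadmin/main.php', '/phpmyadmin2/main.php', '/phpMyAdmin2/main.php',
    '/phpMyAdmin-2/main.php', '/php-my-admin/main.php',
    '/phpMyAdmin-2.2.3/main.php', '/phpMyAdmin-2.2.6/main.php',
    '/phpMyAdmin-2.5.1/main.php', '/phpMyAdmin-2.5.4/main.php',
]


def run_demo():
    """Replay the quoted scan plus two constructed benign bursts through the detector."""
    det = ScanDetector(threshold=10, window=timedelta(seconds=60))
    events = []   # (line number, ip) for every flagging decision
    n = 0
    # 1) the scanner from the thread: 15 probes in about six seconds
    for i, path in enumerate(SCANNER_PATHS):
        n += 1
        ip = det.feed(make_line('74.63.252.86', f'02/Feb/2009:10:33:{12 + i // 3:02d} +0100', path))
        if ip:
            events.append((n, ip))
    # 2) constructed: a crawler (192.0.2.10) getting 404 on /robots.txt across twelve vhosts
    for i in range(12):
        n += 1
        ip = det.feed(make_line('192.0.2.10', f'02/Feb/2009:10:40:{i:02d} +0100', '/robots.txt'))
        if ip:
            events.append((n, ip))
    # 3) constructed: a browser (198.51.100.7) reloading a dead link, Referer set
    for i in range(12):
        n += 1
        ip = det.feed(make_line('198.51.100.7', f'02/Feb/2009:10:45:{i:02d} +0100',
                                '/old/page.php', referer='http://www.example.org/'))
        if ip:
            events.append((n, ip))
    return {'flagged': sorted(det.flagged), 'events': events}


if __name__ == '__main__':
    print(run_demo())
```

Only the scanner is flagged, on its tenth probe; the crawler's twelve robots.txt misses and the browser's twelve reloads (which carry a Referer) never enter the window. Tightening the filter this way is what keeps the rule from tripping on the vhost-heavy servers Michele describes; the threshold and window are the knobs that a scoring-based system would eventually replace.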