From: Peter B. <be...@an...> - 2009-06-11 05:56:03
A common attack these days is to try a few thousand HTTP URLs looking for scripts or code or pages that are running open source software with some sort of vulnerability or "feature" that sends email out. Often these attacks are run on servers that can generate thousands of requests per second, overwhelming systems and servers that usually handle hundreds of connections per minute. I use lighttpd, but it could be extended to Apache.

For example (actual IP and hostname replaced to protect, well something):

198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:31 +0000] "GET /modules/jinzora/backend/classes.php?include_path=../lib/jinzora.js%00 HTTP/1.1" 404 5069 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:31 +0000] "GET /cgi-bin//plugins/db/mysql/mysql.inc.php HTTP/1.1" 404 5039 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:31 +0000] "GET /cgi-bin/index.php?blog=1&title='&more=1&c=1&tb=1&pb=1 HTTP/1.1" 404 5074 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:31 +0000] "GET /scripts/ideabox/include.php?ideaDir=http://xxxxxxxx HTTP/1.1" 404 5051 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:31 +0000] "GET //plugins/db/mysql/mysql.inc.php HTTP/1.1" 404 5031 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:32 +0000] "GET /cgi-bin/ideabox/include.php?ideaDir=http://xxxxxxxx HTTP/1.1" 404 5051 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:32 +0000] "GET /ideabox/include.php?ideaDir=http://xxxxxxxx HTTP/1.1" 404 5043 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:32 +0000] "GET /include.php?ideaDir=http://xxxxxxxx HTTP/1.1" 404 5035 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.6.1.1 4.3.2.1 - [01/Jan/2009:13:31:32 +0000] "GET /ideabox/include.php?ideaDir=http://xxxxxxxx HTTP/1.1" 404 5043 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

My concern is that there are potentially two IP addresses in the log file, the REMOTE_ADDR and the server IP, HTTP_HOST. There isn't really much of an "error" here. Nothing is wrong, other than the end user generated over 8,000 404 (Not Found) messages in a matter of a few minutes. I realize there are bandwidth limiters and other sorts of software to block stuff like this, but I really like sshguard, and this seems like the kind of thing it can do well.

Would this work?

tail -n0 -F httpd.log | grep ' 404 ' | sshguard -a 100 -s 60 -p 1200

That would strip out the 404's from the log, and only those would be passed to sshguard, which would block them upon more than 100 404 messages in 60 seconds. Thoughts? What happens when there are multiple IP addresses in the log file line?

---------------------------------------------------------------------------
Peter Beckman
Internet Guy
be...@an...
http://www.angryox.com/
---------------------------------------------------------------------------
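An added example, not from the post or from sshguard, that makes the two-address question concrete: it parses lines in the layout shown above, takes the second address as the client (REMOTE_ADDR, the first being the server address), and flags any client with more than a threshold of 404s inside a sliding window, so the "100 in 60 seconds" rule can be checked against a log before wiring it into a blocker. The `parse`/`offenders`/`sample_line` helpers and the sample lines are constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Two leading IPs, as in the post: server/vhost address first, then REMOTE_ADDR.
LINE_RE = re.compile(
    r'^(?P<server>\d{1,3}(?:\.\d{1,3}){3}) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def parse(line):
    """Return (client_ip, timestamp, status) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("client"), ts, int(m.group("status"))

def offenders(lines, threshold=100, window=60):
    """Client IPs with more than `threshold` 404s inside any `window`-second span (lines in time order)."""
    recent = defaultdict(deque)   # client IP -> timestamps of its recent 404s
    flagged = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[2] != 404:
            continue                # only 404s count, as the grep in the post does
        client, ts, _ = parsed
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop 404s older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(client)
    return flagged

def sample_line(server, client, ts, path, status):
    """Constructed log line in the same layout as the excerpt in the post."""
    return (f'{server} {client} - [{ts} +0000] "GET {path} HTTP/1.1" {status} 5069 '
            f'"-" "Mozilla/4.75 [en] (X11, U; Nessus)"')

# Constructed sample: a 120-probe burst from one client inside one minute, a second client
# with a few scattered 404s over several minutes, and one ordinary 200 response.
SAMPLE = (
    [sample_line("198.6.1.1", "4.3.2.1", f"01/Jan/2009:13:31:{i // 2:02d}",
                 f"/ideabox/include.php?ideaDir=x{i}", 404) for i in range(120)]
    + [sample_line("198.6.1.1", "10.0.0.5", f"01/Jan/2009:13:{40 + i}:00", "/missing", 404)
       for i in range(5)]
    + [sample_line("198.6.1.1", "10.0.0.6", "01/Jan/2009:13:31:10", "/", 200)]
)
```

With the defaults only the bursting client is flagged; lowering the threshold or widening the window shows how the scattered-404 client starts to match, which is the tuning question the post raises.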