From: Mij <mi...@ss...> - 2012-11-30 10:26:12
Hola Paco

On Sep 23, 2012, at 14:18 , Paco Hope <pa...@pa...> wrote:

> I'm sure this has been talked about before, but I'm struggling to find a way to search the email archives. Neither google nor sourceforge seems to have a mechanism. Am I really that daft?

MLs are hosted at sourceforge. Have a look at http://sourceforge.net/search/?group_id=188282&type_of_search=mlists

> Anyways, I see tons and tons of people probing my web server for common vulns. When they're probing for things that look like IIS, it's pretty safe for me to assume they're just brute forcing. Now, there are various apache-specific ways to protect myself (e.g., mod_security), but those would just protect apache from people trying to exploit apache. I'd very much like to have sshguard throw them into the blacklist so they can't even try ssh, ftp, or anything else if they trip on an apache rule. Is this unwise? Has this been discussed and rejected?

Definitely makes sense.

> Here are a few example entries:
>
> 94.75.245.17 - - [21/Sep/2012:08:27:17 +0100] "GET /administrator/ HTTP/1.1" 301 247 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
>
> 188.72.230.35 - - [09/Jul/2011:23:27:56 +0100] "CONNECT dl3.jetswap.net:80 HTTP/1.0" 405 235 "-" "-"
>
> 85.252.49.19 - - [17/Aug/2012:13:06:19 +0100] "POST /components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php HTTP/1.1" 301 308 "none" ""
>
> Is it just too many possible rules? Or is there some other good reason?

The problem I see with this is that the attack patterns change too often to be incorporated in a sane way. However, we do have an interest in this. Please post these sample patterns on http://www.sshguard.net/support/attacks/submit/

-m
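To make the "too many patterns" objection concrete, here is an added example (editor's illustration, not sshguard code and not anything Paco or Mij posted) of what an Apache-log probe matcher looks like when written by hand: a parser for the combined log format, a small signature table keyed on the request target, and a per-IP counter with a threshold so one stray 404 from a real user does not get them blocked. The first three sample lines are the ones quoted above; the remaining lines, the signature names and the `/phpmyadmin/` pattern are constructed for the example. Note that the status code is parsed but deliberately not used: the quoted probes got 301 and 405, not 404, so "only count errors" would miss them.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format. The first three are
# the entries quoted in the thread; the rest are made up for this example.
SAMPLE_LOG = [
    '94.75.245.17 - - [21/Sep/2012:08:27:17 +0100] "GET /administrator/ HTTP/1.1" 301 247 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '188.72.230.35 - - [09/Jul/2011:23:27:56 +0100] "CONNECT dl3.jetswap.net:80 HTTP/1.0" 405 235 "-" "-"',
    '85.252.49.19 - - [17/Aug/2012:13:06:19 +0100] "POST /components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php HTTP/1.1" 301 308 "none" ""',
    '94.75.245.17 - - [21/Sep/2012:08:27:18 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"',  # constructed
    '10.0.0.5 - - [21/Sep/2012:08:30:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',      # constructed, benign
    'garbage line that does not parse',                                                                     # constructed
]

# Leading fields of the combined format: client, identd, user, time,
# "method target proto", status, size. Referer and user-agent are ignored.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical signature table: (name, regex applied to the request target).
# This is the part that goes stale as scanner wordlists change.
PROBE_SIGNATURES = (
    ("joomla_admin",   re.compile(r'^/administrator/?$')),
    ("phpmyadmin",     re.compile(r'^/phpmyadmin/?', re.IGNORECASE)),
    ("php_file_write", re.compile(r'writeToFile\.php$')),
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return the name of the probe signature a line matches, or None."""
    rec = parse_line(line)
    if rec is None:
        return None
    # A CONNECT request to a web server is an open-proxy check, whatever the target.
    if rec["method"] == "CONNECT":
        return "open_proxy_connect"
    for name, rx in PROBE_SIGNATURES:
        if rx.search(rec["target"]):
            return name
    return None


def offenders(lines, threshold=1):
    """Map client IP -> number of probe hits, keeping only IPs at or above threshold."""
    hits = Counter()
    for line in lines:
        if classify(line) is not None:
            hits[parse_line(line)["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG).items()):
        print(f"{ip}: {n} probe(s)")
```

Three signatures already cover only the three quoted lines; a real scanner run hits hundreds of distinct paths, which is exactly the maintenance burden the reply points to. Raising `threshold` trades a little coverage for fewer false positives on legitimate users who mistype a URL.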