Webserver attacks
Clint Byrum
clint at ubuntu.com
Mon Feb 20 17:09:12 UTC 2012
Excerpts from Whisperity's message of Sun Feb 19 06:34:57 -0800 2012:
> Greetings!
>
> I wanted to share my little script with you, server owners. A week or two
> ago I have set up an Ubuntu server box, with some services (Apache, MySQL)
> for personal usage. But my webserver is getting attacked by flood bots from
> time to time, so I needed to develop a wall (using Shorewall firewall) for
> it, and an easy manage script.
>
> The two script files (ip.sh and log.sh) are the swiss army knife for me
> right now. (You need to put them into your webserver log folder
> (/var/log/apache2))
> What I am asking for, knowing that people here are developers with more
> knowledge than me
> - log.sh: lists the access.log (or anything else log file specified in the
> first argument) and filters out the "banned" IP-list
> - ip.sh: (needs to run as root) manages the IP filtering (also adjusts
> Shorewall's blacklist)
>
> There are some awkward, flood-like entries in my webserver's log. They
> seems to be some sort of vulnearability checks, should I be worried? Can
> you please give me some more tips on how to improve my server's security?
>
A single server is a huge weakness, so the first tip I'd give you is to
get a second server, in a second physical location. Be ready to scale
out when you get legitimate traffic, and you'll have no problem handling
malicious traffic while you find and ban the bad actors.
Second, consider an application level firewall such as mod_security:
http://www.modsecurity.org/
Most of those probes you are seeing are just mindless zombies looking
for known vulnerable versions of old webapps, and can be ignored. I'd
recommend filtering them out. Some packages, like logwatch, already
do that.
Finally, consider using apparmor to confine your application so that if
somebody finds a hole in your application's security you can at least
keep it confined to the files/directories/capabilities that you expect.
Its actually a pretty straight forward process:
https://help.ubuntu.com/11.10/serverguide/C/apparmor.html
https://help.ubuntu.com/community/AppArmor
More information about the ubuntu-server
mailing list