Active Response ban on multiple http requests


treydock

May 7, 2011, 4:32:36 AM5/7/11
to ossec-list
Below is a message I received from OSSEC that is obviously someone
trying to scan for database management tools. Fortunately I don't use
any on the address they were scanning, but I'd like to be able to have
OSSEC automatically block that IPs attempts. Can HTTP requests block
IPs using hosts.deny?

OSSEC HIDS Notification.
2011 May 07 03:17:27

Received From: (host) xxx.xxx.xxx.xxx->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes
from same source ip."
Portion of the log(s):

120.101.70.54 - - [07/May/2011:03:17:26 -0500] "GET /phpadmin/scripts/
setup.php HTTP/1.1" 404 303 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:26 -0500] "GET /typo3/phpmyadmin/
scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:25 -0500] "GET /mysqladmin/
scripts/setup.php HTTP/1.1" 404 305 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:25 -0500] "GET /mysql/scripts/
setup.php HTTP/1.1" 404 300 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:25 -0500] "GET /myadmin/scripts/
setup.php HTTP/1.1" 404 302 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:24 -0500] "GET /dbadmin/scripts/
setup.php HTTP/1.1" 404 302 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:24 -0500] "GET /db/scripts/
setup.php HTTP/1.1" 404 297 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/phpmyadmin/
scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/pma/scripts/
setup.php HTTP/1.1" 404 304 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:23 -0500] "GET /admin/scripts/
setup.php HTTP/1.1" 404 300 "-" "ZmEu"
120.101.70.54 - - [07/May/2011:03:17:22 -0500] "GET /scripts/setup.php
HTTP/1.1" 404 294 "-" "ZmEu"



--END OF NOTIFICATION

Frank Stefan Sundberg Solli

May 7, 2011, 9:05:41 AM5/7/11
to ossec...@googlegroups.com
Hi.

Yes, you can do a ban on the "multiple 400 errors from same source IP" rule.

Take this example:

<active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5720, 11210</rules_id> <!-- Multiple SSHD auth failures, proftpd -->
    <timeout>600</timeout>
</active-response>

treydock

May 7, 2011, 3:30:51 PM5/7/11
to ossec-list
I run CentOS 5.5 on the system with iptables. How does iptables have
to be configured to allow this?


Jeremy Lee

May 7, 2011, 4:00:52 PM5/7/11
to ossec...@googlegroups.com
You could also try using the route-null/null-route script to drop offending IPs.  I find this less "intrusive" and complicated versus dealing with iptables.

treydock

May 7, 2011, 6:42:39 PM5/7/11
to ossec-list
The route-null idea might be best for me as I don't use iptables
regularly. How could I use route-null with the configuration Frank
provided?

Thanks
- Trey

Jeremy Lee

May 7, 2011, 6:50:12 PM5/7/11
to ossec...@googlegroups.com
Check out the how-to here: http://www.ossec.net/main/manual/manual-active-response/bin

The route null script is called "route-null.sh" - you would specify the script in the AR configuration (in ossec.conf) per the doc.


Also, just so you know, all AR scripts live in /var/ossec/active-responses/bin
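Putting Frank's stanza together with Jeremy's route-null suggestion for the rule that fired in the original notification (31151), as an added example that is not from this thread. The <command> block is the route-null definition OSSEC ships in its default ossec.conf; the 600-second timeout and the white-listed address are assumed values.

```xml
<ossec_config>
  <global>
    <!-- Never null-route your own management hosts.
         Assumed address; replace with the ones you administer from. -->
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- Command definition (present in OSSEC's default ossec.conf).
       route-null.sh receives the alert's source IP (srcip) and adds a
       reject route for it; timeout_allowed lets OSSEC remove that route
       again when the timeout below expires. -->
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to rule 31151 ("Mutiple web server 400 error codes
       from same source ip"). location "local" runs the script on the host
       that generated the alert, so the web server itself drops the route.
       Timeout is in seconds (assumed value); after it expires the route is
       deleted and the address can reach the server again. -->
  <active-response>
    <command>route-null</command>
    <location>local</location>
    <rules_id>31151</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Restart OSSEC after editing ossec.conf, then watch /var/ossec/logs/active-responses.log to confirm the script fired and, later, that the timeout removed the route.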

treydock

May 7, 2011, 9:25:23 PM5/7/11
to ossec-list
Thanks both for the help!! I got this working and tested that the
active-response indeed works.

For others' reference, I blogged this here:
http://itscblog.tamu.edu/protecting-web-servers-with-ossec/

Thanks again
- Trey