Security :: Suspicious Requests In Haproxy Log From Multiple Sources To The Same Target - Block?

Apr 12, 2011

I have suspicious requests in my haproxy logs from multiple sources to the same target. I could deny them in /etc/hosts.deny, but there are too many to keep track of. Is there a way to deny all requests to a specific target either in haproxy or through iptables?

Here's an example of the request: Apr 12 15:11:37 127.0.0.1 haproxy[28672]: 41.105.42.150:27072 [12/Apr/2011:15:11:37.315] web_servers frontend_farm/######## 3/0/1/1/169 404 1073 - - --NI 3/3/2/1/0 0/0 "GET /images/comment_icon.gif HTTP/1.1"

I've commented out my amazon instance id for security purposes. The request is for comment_icon.gif which does not exist. All requests go to that. The source IPs are from different countries as well. Blocking a certain country won't work either. Basically, if there was a way to send all requests for comment_icon.gif to /dev/null or something it would work.




Server :: Use Iptables To Block Multiple Requests From The Same Ip Within A Certain Time Frame?

Oct 17, 2010

I run a small home server (Debian 4), which acts as my gateway to the internet (ie, firewall) and runs a web server, dhcp, dns, and acts as a file server to the rest of the machines on my home network. Now I know it's never a smart idea to have all those services running on the same machine that is acting as a firewall, but I don't fancy running multiple servers just for home use, as it's mainly allowing me to learn system administration.

I noticed a few days ago that my internet had become unbearably slow, to the point where I could sometimes not load web pages. I spent a while searching through log files on my gateway, to try and find out what was eating up all of my bandwidth. When I came to apache's access.log file, I was confronted with this:

Code:

204.45.41.82 - - [17/Oct/2010:06:25:10 +0100] "GET http://vewice6.nightmail.ru/marriott-grand-cayma.html HTTP/1.1" 200 36921 "-" "Mozilla/4.0 (compatible; M$
204.45.41.82 - - [17/Oct/2010:06:25:11 +0100] "GET http://malaysiapodcaster.blogspot.com/2006/05/blog-post_11.html HTTP/1.1" 200 58681 "-" "Mozilla/4.0 (com$

[code]........

Multiple requests to my server, for totally random websites. I didn't even know it was possible to make those types of queries to a webserver. The only thing that is on the web server is a browser based torrent client. I have only shown a small snippet of the log file, but there are around 90k lines to different web addresses, from many different IPs. What I want to know is, what is happening? :S Why is someone querying MY web server for web sites totally unrelated to it? And most of all, how can I stop it? My initial idea was to try and use iptables to block multiple requests from the same IP within a certain time frame, which I think would work as the server shouldn't really get many queries from external networks.


Ubuntu Security :: Unable To Block Icmp Requests Permanently

Apr 30, 2010

I've tried blocking ping requests with iptables, and it didn't work:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

I also tried editing sysctl.conf, which worked perfectly, but after I restarted the system I was able to ping my Ubuntu machine from my laptop. Here is what I added to sysctl.conf and then applied with sysctl -p:

net.ipv4.icmp_echo_ignore_all = 1

Here is another attempt to block. This one worked too, but again after the restart I was able to ping my machine:

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all


Ubuntu Servers :: Determining The Source Of Outgoing Requests To Suspicious IP Addresses

Oct 26, 2010

My Firestarter logs show periodic outgoing connection attempts to IP addresses in countries such as Malaysia, China, Russian Federation etc... Fortunately, Firestarter appears to be blocking them. I suspect these are not good and want to find out exactly what process is initiating these outgoing connections.


Security :: Robots For Phpmyadmin - Create Multiple Wrong Page Requests?

Nov 19, 2010

In my logs for Apache I have lots and lots of failed attempts for incorrect incarnations of [URL]. None of them are anywhere near my alias for the index.php, but yet phpmyadmin is broken. Is there a way I can mess up robots like this? Send IPs that create multiple wrong page requests on my server back to their own IP address maybe? I would then just set thresholds to decide how strict to be. I did try fail2ban before but it is cryptic. I don't have it on this particular server.


Ubuntu Security :: Block Multiple Ssh Login Attempts?

Mar 22, 2011

I am running an Ubuntu Server 10.10 with SSH and OpenVPN. I use it mainly for the VPN, but I have seen login attempts such as:

Mar 22 14:52:53 UbuntuSvr sshd[2397]: Invalid user support from 85.217.190.69
Mar 22 14:52:55 UbuntuSvr sshd[2399]: Invalid user student from 85.217.190.69
Mar 22 14:52:57 UbuntuSvr sshd[2401]: Invalid user transfer from 85.217.190.69
Mar 22 14:52:59 UbuntuSvr sshd[2403]: Invalid user user from 85.217.190.69

[Code]...

Is it possible to make it so that when someone has tried logging in 5 times with an invalid user/pass, the IP is banned for 10 minutes? I have password auth set to no and am using keys.


Security :: Block Particular Web Site From Multiple Hosted Server And Allow Others?

Aug 17, 2010

I have a web server (apache) with 3 sites hosted on it, named www.web1.com, www.web2.com and www.web3.com.
I need to restrict www.web2.com from Internet users and allow it only to the local network. At the same time I need to allow www.web1.com and www.web3.com to both Internet and LAN users.


General :: Security - Running Suspicious X Programs In GNU?

Mar 18, 2010

What is the most harmful thing a malware program started as a separate limited user account can do if it has access to the X server? Network and filesystem things are already taken care of by chroot and netfilter.

It obviously can lock the screen, and I will need to switch to another VT and kill it manually. Can it, for example, disrupt other GUI programs on the same X server (access a root terminal in a nearby window)?

I know that it is safer to run it in a separate X server, for example in Xtightvnc or even some virtual machine, but how dangerous is it to just run it like other programs?


Security :: Rkhunter Found Suspicious Files?

Aug 10, 2010

I got this warning in the log of rkhunter:

Checking /dev for suspicious file types [ Warning ]
[13:37:16] Warning: Suspicious file types found in /dev:
[13:37:16] /dev/shm/pulse-shm-43136623: data

[code]....


Ubuntu Security :: Rkhunter Suspicious Files And Folders?

Apr 1, 2010

I have been running rkhunter, but how do I view /var/log/rkhunter.log? I have tried using: sudo /var/log/rkhunter.log, but all I got was "Command not found".


Security :: Trace Route From Home Showing Suspicious Hop Just Outside LAN?

Mar 15, 2011

I know this post isn't strictly Linux based, but since the system in question appears to be using Linux and I am as well, I decided to post this here. In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP, the second hop from my house jumped through a connection on IP 24.96.153.61, which I think should only be another dynamic IP Knology.net customer...

In scanning the IP I now know that it's a Juniper Junos Router 9.2R1.10 (probably running on some VMware, based on googling?). Open ports show: 22 ssh OpenSSH 4.4 v. 1.99, 23 telnet Openwall GNU/*/Linux telnetd

At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would Knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...

Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on? Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?


OpenSUSE Network :: Block HTTP Requests From Other Computers?

May 30, 2011

My computer shares an internet connection using an ADSL router. There are three other machines. I have set up an Apache server for learning purposes and I want it to be inaccessible from anywhere else, including the PCs in the network. When I enter my IP address assigned in the network (192.168.1.1xx) from another computer, I get my pages, and I don't want that.

How can I block HTTP requests from other computers?


Ubuntu Security :: Antivirus Blocked The Suspicious Web Pages While Browsing

Dec 8, 2010

I come to Ubuntu with the notion that it is much more secure than Windows. In XP I had an anti-virus, third-party firewall and sundry software against spybots, rootkits etc. The antivirus blocked the suspicious web pages while browsing. I generally avoided public networks, carrying a portable internet device. Do I need similar stuff with Ubuntu?


Ubuntu Security :: Ran A Chkrootkit Scan And Found - Suspicious Files And Directories ?

Aug 1, 2010

I ran a chkrootkit scan and found this: The following suspicious files and directories were found: /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.8/.autoreg /usr/lib/firefox 3.6.8/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo

How do I get rid of this suspicious file?


Security :: Qmail Hacked In Server \ Cannot Find Any Suspicious Script Running Using Ps Xaf Command?

Jan 3, 2011

My server is probably hacked and sending spam emails. I see them randomly in maillog (/usr/local/psa/var/log/maillog, the server has a Plesk panel), sometimes a few over a long time, sometimes a lot of them. Here is a sample of it:

Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: from=root@acv360.com

[code].....


Ubuntu Security :: Suspicious Log Or Not - Haven't Permission To View "/var/log/btmp1"

Sep 21, 2010

Is there anything suspicious about this auth.log? I find the many CRON outputs and the part with gconftool weird. Also, why don't I have permission to view "/var/log/btmp1"? It has never happened before.
I'm using GNOME's log viewer.

[Code]...


Programming :: Python: Read Through Multiple Links To Get To The Target?

May 28, 2010

Say you've got the following file structure:

Code:
ls -l *
lrwxrwxrwx 1 briank cg 1 2010-05-28 15:23 a -> b
lrwxrwxrwx 1 briank cg 3 2010-05-28 15:23 b -> d/c
d:
total 0
-rw-rw-r-- 1 briank cg 0 2010-05-28 15:23 c
code....

If I use Python's os.readlink on 'b', it reports what I want, which is that it points to 'c'.
However, if I os.readlink('a'), it reports that 'a' points to 'b', which is true, but then 'b' points to 'c'.... so really, when I ask for 'a', I will eventually get 'c', but Python isn't reporting that.

I know I can do an if test - if os.islink(os.readlink('a')): blah blah - but is there a more built-in or one-liner way of doing this? I'm looking to get to the last file in a chain of symlinks, i.e. the regular file that they all point to.


Security :: Strange Nfs Mount Requests From F14 Box?

May 28, 2011

I've lately been getting some strange NFS mount requests for non-existent users' home directories from an F14 machine to my file server (CentOS). The message log on the file server shows the following:

May 23 03:10:53 data mountd[4835]: can't stat exported dir /export/home/httpd: No such file or directory
May 24 03:21:13 data mountd[4835]: can't stat exported dir /export/home/httpd: No such file or directory
May 25 03:26:53 data mountd[4835]: can't stat exported dir /export/home/httpd: No such file or directory

[code]....


Ubuntu Security :: Suppressing Requests For Password?

Jul 11, 2010

I use Ubuntu 10.04 and I want to be able to move around the system without having to frequently enter my password. For example, when waking up the system from a power save state or when accessing Synaptic Package Manager I do not want to be asked to enter my password. There is nothing on my system that matters if its security is breached. Is there a way to turn off these requests for a password?


Ubuntu Security :: Does Tor Browser Use Dns Requests From The Tor Network

Mar 1, 2011

OK, I think Tor has some way of making the DNS queries anonymous by default. I did the DNS nameserver spoofability test here at [URL] and the results I got showed about 30 different DNS servers. Normally when I carry out this test on my standard ISP connection or the VPN I use, I just get one DNS server's settings consistently.


Software :: Multiple Sources For Icecast?

Jan 19, 2011

If I have an Icecast program broadcasting to the net, and I want people from around the world to connect to it and mix their own audio into the stream, what do I do?


Ubuntu Security :: Configure Ufw To Drop Icmp Echo Requests?

Jul 12, 2010

I've been trying to configure ufw to drop ping requests for a couple days now, and I can't figure it out. I've tried a couple different methods in some different guides, still nothing. Anyone know how to do this?


Ubuntu Security :: The Requests Are Listed In The Order In Which They Appear On The Stats Page?

Apr 13, 2011

Below is the printout of requests, with the website address "#.com". The requests are listed in the order in which they appear on the stats page. What does it mean?

Code:
#.com/
#.com/?Mode=debug

[code]....


Networking :: Client Receiving UDP From Multiple Sources ?

May 14, 2009

I have to implement a client/server solution that pretty much does this:

1) Client broadcasts UDP packet;
2) client receives answer packet from multiple servers - it includes the TCP port to use next and a list of files;
3) user picks file from list;
4) client downloads from server via TCP.

I got the client to broadcast and the servers reply. However, I'm not yet getting the client to be able to receive multiple packets.

I'm very inclined and have tried to implement select, but most examples I find are for stream sockets. Once the fsSet shows a read event, would I create a new socket or just use the main socket for recvfrom()ing? I assume I need at least two sockets. However, I'm not sure if this will allow the client to actually receive simultaneously... so I'm kinda not wanting to guess that this implies fork and threads... Also, I assume the socket must be nonblocking (done), although I've read somewhere that select would take care of this?


Security :: How To Structure Team / Target Customers

Mar 31, 2010

I'm in the process of building a security team and want each individual on the team to concentrate on the GIAC certifications mentioned on the [URL] website. I was wondering if anyone has input on how I can structure this team and how I can target customers?


OpenSUSE Multimedia :: Can't Mix Multiple Audio Sources When Using S/PDIF?

Aug 25, 2010

I'm using optical S/PDIF output, called "hda intel, ad198x digital (iec958 (s/pdif) digital audio output)" in Phonon preferences. Sound works just fine, except I can't use multiple audio sources simultaneously: for example Amarok + videos is a no-no. Only the first audio source plays, so I have to close Amarok in order to listen to any Flash videos. I had this problem already with openSUSE 11.2, but couldn't figure it out (using 11.3 now).

I just recently got a hunch that it might have something to do with mixing and the S/PDIF, and I tried using analog output ("hda intel (ad198x analog)"). Lo and behold, it works! Amarok + Flash that isash still doesn't; still, I consider this a major leap forward. However, I'd like to keep using my optical output.


Ubuntu :: Mod With The Option Multiple Alternate Sources Download?

Apr 5, 2010

I need a mod with the option of multiple alternate download sources.


CentOS 5 :: Differences Between Scsi-target-utils & Iscsi-target

May 8, 2009

I want to run an iSCSI target on CentOS. Both "scsi-target-utils" and "iscsi-target" can be used.

They seem to have the same function.

Is there any significant difference between them, on performance or stability?


Networking :: Block Multiple Port From Lan Going Out The Net?

Aug 21, 2010

How do I block multiple ports from my internal LAN going out to the internet? I want to prevent LAN users from accessing this kind of port range, for example ports 1500-10000.

I'm making a personal firewall script; I'm just testing it for curiosity's sake.

Will I use the FORWARD chain policy to drop all packets, like port 1500:10000?
Note: '#' stands for root

#iptables -A FORWARD -s 192.168.0.1/24 -p tcp --dport 1500:10000 -j DROP
#iptables -A FORWARD -s 192.168.0.1/24 -p udp --dport 1500:10000 -j DROP


Debian :: How Do Security Update Sources Work?

Mar 22, 2011

Just leads to a list of packages. Are these taken down and installed if needed? I take it these are installed from the main component, right? Is this just to let people know there's a new version in main? If you didn't have "deb http://security.debian.org/ distrib/updates main", wouldn't the updates be pulled from "deb http://whatever/debian distrib main" anyway when you did an apt-get update (by logical reasoning that they'd be new)?

Or is it that you can't detect new versions directly from main and you need the updates package to point out which ones have updated versions?

Copyrights 2005-15 www.BigResource.com, All rights reserved