Koozali.org: home of the SME Server

Blocking unauthorized attempts

ale

Blocking unauthorized attempts
« on: September 19, 2002, 02:53:15 AM »
Hi everyone!
My SME server is responding as expected in denying unauthorized access from http ports, but every time I check the log files there are a lot of attempts trying to get some kind of files or privileges... (sometimes they assume it is a Windows server)

"......[Tue Sep 17 20:48:44 2002] [error] [client 200.72.52.11] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe

[Tue Sep 17 22:58:55 2002] [error] [client 218.17.84.154] Client sent malformed Host header

[Wed Sep 18 00:09:09 2002] [error] [client 200.50.199.218] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe..."

There are a lot of these in my log files!!!

I'm pretty sure that most of them will never get anything... but it would be great if I could use the intruder's IP number to keep it blocked for a while as a dissuasive measure, something like this: "you try to do something wrong, you will get blocked from any kind of access to this server for a reasonable period of time..."

Any ideas? I'm not a unix programmer, but I could learn something to write some script or file modification to deny these attempts if someone gives me a clue or an idea to begin!

As always, many thanks in advance for any help or idea...
Alejandro

Guck Puppy

Re: Blocking unauthorized attempts
« Reply #1 on: September 19, 2002, 02:57:02 AM »
FYI :
This is from those CodeRed (etc, etc, ad infinitum) type worms that plague unpatched IIS servers.

(right?)

ale

Re: Blocking unauthorized attempts
« Reply #2 on: September 19, 2002, 03:08:57 AM »
Thanks Guck,
so there is no problem with those lines?
A.

Guck Puppy

Re: Blocking unauthorized attempts
« Reply #3 on: September 19, 2002, 03:28:49 AM »
No problem with the attempts, no...

unless you have IIS running inside your network and are port forwarding to it... then you should patch IIS on it I guess...

It's the ".exe" in the log that's the giveaway - they're totally looking for a crappy IIS server.

G

Bill Talcott

Re: Blocking unauthorized attempts
« Reply #4 on: September 19, 2002, 07:54:17 AM »
Yup, those are worms scanning for the files that get shared on unpatched IIS servers. There's no way it can do anything to your SME. Install the apachehits PHP script if you want to see how many times you get scanned for it weekly... http://www.chrouch.com/worms/ is the script running on our server...

Peter Hollandare

Re: Blocking unauthorized attempts
« Reply #5 on: September 20, 2002, 03:59:27 PM »
The problem with these attacks is that they generate HUGE unwanted traffic, since they don't try only once. The same host (IP) can be trying several times per day, and for up to a few days. There's an easy way to filter them off (read about ipchains).

On my server they try once, and are directly filtered.

guestHH

Re: Blocking unauthorized attempts
« Reply #6 on: September 21, 2002, 07:49:31 AM »
Hi,

This one will do the trick:
http://www.marari.net/downloads/snort/acid-howto.htm

Include the guardian part to automatically block IP numbers that try the worm attempts.

Regards,
guestHH

ale

Re: Blocking unauthorized attempts
« Reply #7 on: September 23, 2002, 06:02:28 PM »
Many thanks to all of you!!!
RequestedDeletion: that was what I was looking for, many thanks.
Just one thing: the current rpm versions in this howto have changed to more recent ones, so it can be confusing (and appear like broken links).
Just changing the versions in the links and instructions would make it work great.
The rest of the procedure is OK.
Thanks again
Alejandro
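
The temporary block asked for in the first post, sketched as an added example that is not part of the original thread: it reads Apache error_log lines in the format quoted there, flags clients that request cmd.exe or root.exe, and reports which IPs are still inside their block window. The 24-hour window, the function names and the last two sample lines are assumptions made for the example; turning the result into firewall rules is left out.

```python
import re
from datetime import datetime, timedelta

# Apache error_log line as quoted in the first post:
# [Tue Sep 17 20:48:44 2002] [error] [client 200.72.52.11] File does not exist: /path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)
# Requested file names that mark an IIS worm probe (the two seen in the thread).
PROBE_RE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)
BLOCK_FOR = timedelta(hours=24)  # assumption: the "reasonable period of time"


def probe_expiries(lines):
    """Map each probing client IP to the time its block expires."""
    expiries = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not PROBE_RE.search(m.group("path")):
            continue  # other errors and ordinary 404s never trigger a block
        seen = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        until = seen + BLOCK_FOR
        ip = m.group("ip")
        # A repeat probe extends the block; an older line never shortens it.
        if ip not in expiries or until > expiries[ip]:
            expiries[ip] = until
    return expiries


def blocked_at(lines, now):
    """Return the sorted IPs whose block is still active at `now`."""
    return sorted(ip for ip, until in probe_expiries(lines).items() if until > now)


# First three lines are from the thread; the last two are constructed.
SAMPLE_LOG = [
    "[Tue Sep 17 20:48:44 2002] [error] [client 200.72.52.11] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe",
    "[Tue Sep 17 22:58:55 2002] [error] [client 218.17.84.154] Client sent malformed Host header",
    "[Wed Sep 18 00:09:09 2002] [error] [client 200.50.199.218] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe",
    "[Wed Sep 18 09:15:00 2002] [error] [client 192.0.2.10] File does not exist: /home/e-smith/files/primary/html/favicon.ico",
    "[Wed Sep 18 21:30:00 2002] [error] [client 200.72.52.11] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe",
]

if __name__ == "__main__":
    for ip in blocked_at(SAMPLE_LOG, datetime(2002, 9, 18, 22, 0, 0)):
        print("block", ip)
```

The ordinary missing-file request and the malformed Host header line do not trigger a block, and the repeat probe from 200.72.52.11 pushes that address's expiry forward.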