Koozali.org: home of the SME Server

Advice on preventing http attacks

ghorst352
Advice on preventing http attacks
« on: September 14, 2012, 04:39:57 PM »
**SME Server 7.6**

I was greeted with a bunch of HTTP probes while skimming through my logwatch file this morning.

Here is the log entry:

--------------------- httpd Begin ------------------------

 0.86 MB transferred in 1226 responses  (1xx 0, 2xx 1224, 3xx 0, 4xx 2, 5xx 0)
    1226 Content pages (0.86 MB),
 
 Attempts to use known hacks by 2 hosts were logged 4 time(s) from:
    193.144.51.53: 2 Time(s)
       /\.\./\.\./\.\./ 2 Time(s)
    204.110.9.189: 2 Time(s)
       /\.\./\.\./\.\./ 2 Time(s)
 
 A total of 2 sites probed the server
    193.144.51.53
    204.110.9.189
 
 A total of 1 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP Response 200
 
 Requests with error response codes
    404 Not Found
       /vtigercrm/modules/com_vtiger_workflow/sor ... mportal.conf%00: 2 Time(s)
 
 ---------------------- httpd End -------------------------

I took these 2 IP addresses and plugged them into iptables to prevent any access to the server from those IPs. I also found a way, using iptables, to prevent probes such as the example below, which says that if a user attempts 10 new connections to any ports in any order within 30 seconds, start dropping their packets. I tried port scanning my server from outside my network with nmap and sure enough this works.

$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
$IPTABLES -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --set
$IPTABLES -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

This is still not enough and I am not really knowledgeable on http attacks and would appreciate if somebody can give me advice on tightening up my server to prevent http attacks.

Thanks.  :D
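As an added illustration (not code from this thread or from SME Server), here is a Python model of what the two rules above do: the first rule records every NEW connection from a source, the second drops the connection once ten recorded hits fall inside a 30-second window. The model is simplified (default 20-entry list per source, no --rttl), and the source addresses and timings are constructed; it also shows that a scan spaced wider than the window is never blocked, while a legitimate client opening many connections quickly is.

```python
from collections import defaultdict, deque

SECONDS = 30    # --seconds 30
HITCOUNT = 10   # --hitcount 10
LIST_TOT = 20   # xt_recent default ip_pkt_list_tot: timestamps kept per source


class RecentTable:
    """Per-source timestamp list, the state the 'recent' match keeps in the kernel."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def new_connection(self, src, t):
        """Verdict for one NEW TCP connection from src at time t (seconds)."""
        # Rule 1 (-m recent --set): record the hit; no -j, so evaluation continues.
        self.hits[src].append(t)
        # Rule 2 (--update --seconds 30 --hitcount 10 -j DROP): drop when at least
        # HITCOUNT recorded hits, this one included, fall inside the last SECONDS.
        recent = sum(1 for ts in self.hits[src] if t - ts <= SECONDS)
        return "DROP" if recent >= HITCOUNT else "ACCEPT"


def verdicts(events):
    """events: list of (src, time); returns the verdict for each event in order."""
    table = RecentTable()
    return [table.new_connection(src, t) for src, t in events]


def demo():
    """Three constructed traffic patterns; returns (accepted, dropped) per pattern."""
    patterns = {
        # fast scan: one new port per second from one source
        "fast scan": [("198.51.100.10", t) for t in range(15)],
        # slow scan: one new port every 4 s (10 probes span 36 s, wider than the window)
        "slow scan": [("198.51.100.20", 4 * i) for i in range(10)],
        # busy but legitimate client opening 12 connections within two seconds
        "busy client": [("203.0.113.5", i / 6) for i in range(12)],
    }
    out = {}
    for name, events in patterns.items():
        v = verdicts(events)
        out[name] = (v.count("ACCEPT"), v.count("DROP"))
    return out


if __name__ == "__main__":
    for name, (acc, drop) in demo().items():
        print(f"{name:12s} accepted={acc:2d} dropped={drop:2d}")
```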

Stefano
Re: Advice on preventing http attacks
« Reply #1 on: September 14, 2012, 05:00:31 PM »
you have nothing to fear as long as you keep you server and your webapps up to date

ghorst352
Re: Advice on preventing http attacks
« Reply #2 on: September 17, 2012, 01:40:01 PM »
Just an added note to the entries I posted in regards to iptables. I would almost request that this be converted into a How-To after being tested. This is probably some of the most significant simple 4 lines of syntax to prevent port scans. My port scans have ceased after introducing this into iptables. I would think from a systems administration standpoint that this info would be valuable. I always hear conversations or read that "Oh, yeah, I was reviewing my logs this morning and came across the usual script kiddies or bots scanning my network." Well, how about not having your bandwidth consumed by port scans? How about added security? How about not having this conversation with yourself in the morning? Let me know what you think or if you have anything to add to this that would make it even better.

Substitute eth0 for the WAN-facing adapter.

$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
$IPTABLES -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --set
$IPTABLES -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

Stefano
Re: Advice on preventing http attacks
« Reply #3 on: September 17, 2012, 02:04:32 PM »
Quote
Just an added note to the entries I posted in regards to iptables. I would almost request that this be converted into a How-To after being tested. This is probably some of the most significant simple 4 lines of syntax to prevent port scans. My port scans have ceased after introducing this into iptables. I would think from a systems administration standpoint that this info would be valuable. I always hear conversations or read that "Oh, yeah, I was reviewing my logs this morning and came across the usual script kiddies or bots scanning my network." Well, how about not having your bandwidth consumed by port scans? How about added security? How about not having this conversation with yourself in the morning? Let me know what you think or if you have anything to add to this that would make it even better.

IMHO, if you are worried about these issues, you should put a different firewall in front of your SME and play with it.. SME is aimed toward security, can act as a (secure) firewall, but you need (again, IMVHO) a different tool.

in any case, your security is as high as you keep your server up to date and, of course, you check your webapps against bugs or programming errors (who said "php"?)

Quote
Substitute eth0 for the WAN-facing adapter.

$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
$IPTABLES -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --set
$IPTABLES -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

this must be done via fragments and/or db entries

ghorst352
Re: Advice on preventing http attacks
« Reply #4 on: September 17, 2012, 02:39:47 PM »
Thanks Stefano... Just to clarify, in reference to http://wiki.contribs.org/Firewall, this is how the entries would be entered, as I did not clarify that beforehand. Please correct me if this is not the correct procedure.

Custom templates

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
/sbin/iptables -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
/sbin/iptables -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -A FORWARD -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

expand and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

piran
Re: Advice on preventing http attacks
« Reply #5 on: September 17, 2012, 06:29:06 PM »
May I suggest that you use <nano -w> instead of <pico -w>, as the latter got dropped in SME8, and that you use something like <40DenyPortScanner> instead of <40DenyRiffRaff>?

The 40DenyRiffRaff fragment was something I provided to silently drop an incoming IP or IP range on a *generic* basis.

To aid the audit trail, further variations can be used, e.g. 40DenySpam, 40DenyPhishing, 40DenyBots, and all these can be put into play or withdrawn at a moment's notice by the usual unloading and subsequent masq restart. However, by re-using that generic fragment name for the specific task of port scanning logistics, the original functionality could become less simple to understand or implement.

I have not tested or yet implemented your suggestion. Are you able to substantiate your concern over these scans?

ghorst352
Re: Advice on preventing http attacks
« Reply #6 on: September 17, 2012, 06:54:24 PM »
Piran,

I reused the name from the article for no reason, just because I am only testing, and I intend to change it when I am finished testing, so yes, I agree with you on that as it makes more sense in terms of the audit trail. I also don't use pico but rather copied and pasted the article posted; if I thought it was significant at the time I would have changed it. In fact, I never heard of pico until I read the article. I use nano religiously. :-)

My claims are substantiated by my own testing as well as the website from which I grabbed it: http://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_portscans

I would say test it in a non-prod mode, for anybody who is interested in adding this to their toolbox.

piran
Re: Advice on preventing http attacks
« Reply #7 on: September 17, 2012, 06:58:48 PM »
If you don't extend or port forward any ports and otherwise keep them closed, then what is the point of using up further CPU cycles and/or memory over counting any apparent scans of stuff that is closed? Off the top of my head, my IP gets more port scanning and various other malevolent exploit attention than it gets 'nice' or 'proper' traffic packets. Why make either SME or the CPU work any harder on account of the black hat brigade as opposed to everyday stuff?

piran
Re: Advice on preventing http attacks
« Reply #8 on: September 17, 2012, 07:07:03 PM »
Quote
...I never heard of pico until I read the article. I use nano religiously. :-)

Wiki edited to show nano instead of the old pico.

ghorst352
Re: Advice on preventing http attacks
« Reply #9 on: September 17, 2012, 07:37:54 PM »
Quote
If you don't extend or port forward any ports and otherwise keep them closed, then what is the point of using up further CPU cycles and/or memory over counting any apparent scans of stuff that is closed? Off the top of my head, my IP gets more port scanning and various other malevolent exploit attention than it gets 'nice' or 'proper' traffic packets. Why make either SME or the CPU work any harder on account of the black hat brigade as opposed to everyday stuff?

The reason is that I do have ports forwarded, but additionally this is an exposed server, so why not? I think in the event of a non-successful port scan that perhaps my bandwidth will be better off than without this implemented, and also more secure? If I can sit there and free-wheel on your webserver until my eyes bleed, well, how does that benefit you?

I am looking at my processes right now and I do not see anything significantly related to extra CPU cycles or memory that would make me not want to initiate tighter security at the expense of some fractional CPU cycles. The server I have implemented this on is also a proxy server and I have not noticed any difference whatsoever. In fact I just did a speedtest and there is no difference. Security through obscurity but also additional layers is always my MO.

I suppose if I was running a legacy server that perhaps I would agree more in your direction, but I don't see any reason why not to. Please opine, as I am not afraid of being wrong, believe me.

piran
Re: Advice on preventing http attacks
« Reply #10 on: September 17, 2012, 07:59:27 PM »
I would rather that 'they' carried out whatever it is they wanted to carry out, have it confirmed to them that it's a tight ship on my IP, and then they will move on to the next target. By selectively blocking them, IMHO, you are raising the stakes on the basis that 'they' now don't actually know that it's a tight ship, that they might be otherwise able to find some open port or something, and finally that whatever they are doing is feared, possibly because of the high value or low security of the property behind the defenses. There is no being right or wrong, we just have different viewpoints :-)

ghorst352
Re: Advice on preventing http attacks
« Reply #11 on: September 17, 2012, 08:15:54 PM »
Well, we both have points to be taken and your point of view is interesting as well. Albeit, I feel that brute force attacks on my network would fail miserably with my entries, but this is the part of learning, so we will see. 8-)

CharlieBrady
Re: Advice on preventing http attacks
« Reply #12 on: October 08, 2012, 05:25:31 PM »
Quote
I also found a way by using iptables to prevent probes such as the example below which says that if a user attempts 10 new connections to any ports in any order within 30 seconds, start dropping their packets.

The problem with this approach is that if you have a vulnerable application it may only take one access to exploit it. You may find that this also interferes with some legitimate accesses. Probably not though.

Quote
This is still not enough and I am not really knowledgeable on http attacks and would appreciate if somebody can give me advice on tightening up my server to prevent http attacks.

You can't prevent the attacks - you can just ensure that the attacks aren't successful. As Stefano hints, disabling/removing PHP would help a lot. But that will rule out many web applications. If you must have PHP, make sure that you keep the applications up to date, and make sure that they are configured with good security protection.

The log extract you showed suggests an attack against php5-cgi.

http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html

However, if you have a plain HTML index.html, the query string would have been ignored/discarded, so the 200 response doesn't indicate a successful exploit. Your tool only says "potential exploit" anyway.

What tool did you use to analyse your logs?

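As an added example (not the logwatch script and not code from this thread), a small Python scan over constructed Apache combined-format log lines for the patterns flagged above: "../" traversal sequences, a null byte, and a query string that starts with a php-cgi style option. It counts hits per host the way the logwatch httpd section does and lists matched requests that were answered with 200, which only means the server answered, not that anything was exploited. The IP addresses and paths in the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "method url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Checks run on the percent-decoded URL so %2e%2e/ and %00 are seen in the clear.
CHECKS = {
    "traversal": lambda u: "../" in u,
    "php-cgi query": lambda u: re.search(r"\?-[A-Za-z]", u) is not None,
    "null byte": lambda u: "\x00" in u,
}

# Constructed sample lines (documentation IP ranges, not the thread's hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2012:03:12:01 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../etc/passwd%00%20-n HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Sep/2012:03:12:02 -0400] "GET /app/download.php?file=../../../../etc/passwd%00 HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2012:03:15:44 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2012:03:15:45 -0400] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 289 "-" "curl/7.19"
"""


def parse(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["url"])
    return rec


def scan(log_text):
    """Per-host counts of matched checks, plus matched requests answered with 200.
    A 200 only means the server answered (a static index.html ignores the query
    string entirely), so that list is 'possible', not 'confirmed', as logwatch says."""
    per_host = defaultdict(Counter)
    possible_success = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        matched = [name for name, check in CHECKS.items() if check(rec["decoded"])]
        for name in matched:
            per_host[rec["host"]][name] += 1
        if matched and rec["status"] == "200":
            possible_success.append((rec["host"], rec["url"]))
    return per_host, possible_success
```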

ghorst352
Re: Advice on preventing http attacks
« Reply #13 on: October 08, 2012, 05:42:22 PM »
Charlie,

Thanks for your reply.

Quote
The problem with this approach is that if you have a vulnerable application it may only take one access to exploit it. You may find that this also interferes with some legitimate accesses. Probably not though.

The server in question is my Web Proxy and Nagios server. It has not interfered with any applications or processes at this point, nor do I foresee any issues.

Quote
You can't prevent the attacks - you can just ensure that the attacks aren't successful. As Stefano hints, disabling/removing PHP would help a lot. But that will rule out many web applications. If you must have PHP, make sure that you keep the applications up to date, and make sure that they are configured with good security protection.

I am kind of ignorant of PHP but like I said this is only used for Web filtering and Nagios, I don't think I need PHP?  I would like to uninstall it if I don't need it.  The server is using the VMWARE contrib to run Nagios, Squidguard for filtering, and that's about it.

Quote
What tool did you use to analyse your logs?

The first indication came from my daily logwatch query, for which the httpd section comes from the httpd logs, if that's what you're asking.


Stefano
Re: Advice on preventing http attacks
« Reply #14 on: October 08, 2012, 06:02:07 PM »
if you are using SME only as web proxy and nagios server you should have (almost) no port/services exposed to wan

I don't know how you connect to the internet, but I would change to server-only mode and use NAT/FW on the router.. in this way you have nothing exposed and no one can attack you.. and you can continue to use SME as a proxy server and Nagios server..

my 2c