[TriLUG] Denial of Service Attack
3y3 at earthlink.net
Fri Jan 23 01:01:45 EST 2004
You might want to take a look at these:
http://www.cert.org/tech_tips/root_compromise.html
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/denial_of_service.html
http://www.cert.org/archive/pdf/Managing_DoS.pdf
A few other things to keep in mind that I'm not sure are discussed in the above links:
- Review other internal systems for a compromise. The web-server could have been used as a launching pad to attack other systems in your DMZ or internal side.
- Do your best to determine how the system was compromised.
Web specific:
- Run the latest Apache, built from source, with the bare minimum of modules needed
- Chroot Apache
- Install mod_security
# These are from my generic httpd.conf:
<IfModule mod_security.c>
    # To enable logging of the GET and POST requests.
    SecAuditEngine On
    # Location of the audit log.
    SecAuditLog logs/audit_log
    # Enable scanning of POST payloads and turn on the filtering engine.
    SecFilterScanPOST On
    SecFilterEngine On
    # This causes the server to return an "Internal Server Error" (status 500)
    # and log the request whenever it contains the search phrase from any SecFilter.
    SecFilterDefaultAction "deny,log,status:500"
    # Filters
    # Generic:
    # WEB-MISC .htaccess access
    SecFilter "\.htaccess"
    # Prevent path traversal (..) attacks
    SecFilter "\.\./"
    # XSS (cross-site scripting) attacks:
    # This sets up the filter to search for HTML tags in the GET and POST requests.
    # This will prevent "some" Cross Site Scripting Attacks.
    SecFilter "<(.|\n)+>"
    # SQL injection attacks:
    # The following set up the filters for protection against SQL injection attacks.
    #SecFilter "'"
    SecFilter "\""
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
</IfModule>
Good luck,
Kyle Behymer CISSP
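To show what the SecFilter set in Kyle's httpd.conf actually catches and what it wrongly blocks, here is an added example (not code from the post, nor mod_security's own matching code) that emulates those filters in Python over a few constructed requests. It assumes that mod_security 1.x URL-decodes the request before matching, matches case-insensitively, and inspects the POST body because SecFilterScanPOST is On; the filter labels, the decide() helper and the sample requests are all invented here, and the POSIX class [[:space:]] is translated to Python's \s because the re module has no POSIX bracket classes.

```python
"""Emulate the SecFilter rules from the httpd.conf above over constructed requests.

Added example, not code from the original post or from mod_security itself.
Assumptions (not stated on the page): mod_security 1.x URL-decodes the request
before matching, matches case-insensitively, and inspects the POST body only
because SecFilterScanPOST is On. The POSIX class [[:space:]] is translated to
Python's \\s because the re module has no POSIX bracket classes.
"""
import re
from urllib.parse import unquote

# The active SecFilter patterns from the posted config, labelled for reporting.
# The commented-out SecFilter "'" is left out, exactly as in the config.
POSTED_FILTERS = [
    ("htaccess-access", r"\.htaccess"),
    ("path-traversal", r"\.\./"),
    ("html-tag", r"<(.|\n)+>"),
    ("double-quote", r"\""),
    ("sql-delete", r"delete[[:space:]]+from"),
    ("sql-insert", r"insert[[:space:]]+into"),
    ("sql-select", r"select.+from"),
]


def posix_to_python(pattern):
    """Translate the one POSIX bracket class the config uses into Python syntax."""
    return pattern.replace("[[:space:]]", r"\s")


# Case-insensitive matching is an assumption about the 1.x engine, not a page fact.
COMPILED = [(name, re.compile(posix_to_python(p), re.IGNORECASE))
            for name, p in POSTED_FILTERS]


def normalize(text):
    """Model the URL-decoding step of mod_security's request normalisation (assumption)."""
    return unquote(text)


def matched_filters(method, uri, body=""):
    """Return the names of every filter that fires on the request, in config order."""
    targets = [normalize(uri)]
    if method.upper() == "POST":      # SecFilterScanPOST On: body is inspected too
        targets.append(normalize(body))
    return [name for name, rx in COMPILED
            if any(rx.search(t) for t in targets)]


def decide(method, uri, body=""):
    """Apply SecFilterDefaultAction "deny,log,status:500": any hit denies with 500."""
    hits = matched_filters(method, uri, body)
    if hits:
        return {"action": "deny", "status": 500, "filters": hits}
    return {"action": "allow", "status": None, "filters": []}


# Constructed sample traffic: one plain page load, two requests the filters
# should stop, two benign requests they wrongly stop, and one benign request
# with an apostrophe that passes only because the "'" filter is commented out.
SAMPLE_REQUESTS = [
    ("GET", "/index.html", ""),
    ("GET", "/static/../../.htaccess", ""),
    ("GET", "/search?q=%3Cb%3Ehello%3C%2Fb%3E", ""),
    ("GET", "/docs?q=select+an+item+from+the+menu", ""),
    ("POST", "/api/user", '{"name": "example"}'),
    ("POST", "/comment", "author=O'Brien&text=hello"),
]


def run_samples():
    """Decide every sample request; returns a list of (uri, action, matched filters)."""
    results = []
    for method, uri, body in SAMPLE_REQUESTS:
        verdict = decide(method, uri, body)
        results.append((uri, verdict["action"], verdict["filters"]))
    return results


if __name__ == "__main__":
    for uri, action, hits in run_samples():
        print(f"{action:5s} {uri:45s} {hits}")
```

Run it as a script to see the decision for each sample. The fourth and fifth requests are benign (a search for "select an item from the menu" and a small JSON body) yet come back as 500, which is the trade-off to weigh before enabling `select.+from` and `\"` on a site that takes free-text or JSON input; reviewing the audit_log after a day of traffic shows how often each filter fires on real requests.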
-----Original Message-----
From: "Roberto J. Dohnert" <webwarrior at gnu-darwin.org>
Sent: Jan 22, 2004 11:54 PM
To: Triangle Linux Users Group discussion list <trilug at trilug.org>
Subject: [TriLUG] Denial of Service Attack
Hey Guys,
I need a little help here. I have been dealing with DoS attacks against
my webserver all day. And we had a hacker break in, defaced our
website, got access to CVS, didn't steal any source code but we are
checking it nonetheless. Luckily we caught it before he could access
our customer database. What are some of the things I can do to minimize
the damage? Right now we use SuSE Enterprise Linux 8 and the Apache Web
Server. I thought it was secure enough. What are some practices I can
incorporate in the future to prevent DoS attacks? I don't think I will
be able to make the Installfest because I have a real mess to clean up.
--
---
For more information on Me goto http://www.geocities.com/rjdohnert/
For my Linux tip and information page goto http://www.geocities.com/kane121975/
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc