[TriLUG] httpd probe issues
Ron Young
ronyoung at nc.rr.com
Tue Aug 12 07:52:19 EDT 2008
All,
I hope someone can help me understand and fix what I think is a security
breach on my CentOS 4.x box. Even though I have blocked ranges of IP
addresses at the DLink DI-634M router with the following entries in the
firewall section:
Name              Action  Source IP Range
                  Deny
                  Deny
                  Deny
                  Deny
                  Deny
                  Deny
                  Deny
                  Deny
                  Deny
http_error_log6   Deny    63.64.0.0-63.127.255.255
http_error_log5   Deny    60.166.0.0-60.175.255.255
http_error_log4   Deny    63.127.0.0-63.127.255.255
http_error_log3   Deny    60.172.0.0-60.172.255.255
http_error_log2   Deny    66.249.0.0-66.249.255.255
Dlink Log 2       Deny    208.77.12.13
Dlink Log 1       Deny    59.63.157.211
I also have Port Forwarding on the router set up to forward port 22 to this
server and I have http port 80 to this server's address configured as a
Virtual Server on the router. These are the only two entries configured in
either section.
I still get entries like the ones below in the Logwatch email I have sent to
myself every morning:
--------------------- httpd Begin ------------------------
A total of 2 sites probed the server
69.58.178.37
72.44.39.129
Previously, when I got 'probes' like this, I would open the DLink and add
another line to the firewall for that address range. The next morning there
would be probes from a different address. It seems like there ought to be a
better way.
Being a relative noob with Linux and never strong with network issues, I was
hoping someone could help me devise a better security installation than I
now have.
Thanks in advance for your time!
--
Ron Young
919-621-9015
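A defender's sanity check added here (it is not part of Ron's post or of the D-Link firmware): it parses the router deny table and the Logwatch httpd section quoted above, reports which probing hosts fall outside every blocked range, and flags deny rows that another row already covers. The row layout "name action range" and the Logwatch "httpd Begin"/"httpd End" markers are assumptions taken from the text as quoted.

```python
import ipaddress
import re
# Constructed copies of the router deny table and the Logwatch excerpt quoted in
# the post (the nine rows whose names and ranges did not survive are left out).
ROUTER_RULES = """\
http_error_log6 Deny 63.64.0.0-63.127.255.255
http_error_log5 Deny 60.166.0.0-60.175.255.255
http_error_log4 Deny 63.127.0.0-63.127.255.255
http_error_log3 Deny 60.172.0.0-60.172.255.255
http_error_log2 Deny 66.249.0.0-66.249.255.255
Dlink Log 2 Deny 208.77.12.13
Dlink Log 1 Deny 59.63.157.211
"""
LOGWATCH = """\
--------------------- httpd Begin ------------------------
A total of 2 sites probed the server
69.58.178.37
72.44.39.129
---------------------- httpd End -------------------------
"""
# Assumed row layout: name (may contain spaces), action, one IP or a dotted-quad range.
RULE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<action>Allow|Deny)\s+(?P<range>\S+)$")

def parse_rules(text):
    """Return (name, action, first_ip, last_ip) per row, with IPs as integers."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        lo, _, hi = m.group("range").partition("-")
        first, last = (int(ipaddress.IPv4Address(x)) for x in (lo, hi or lo))
        rules.append((m.group("name"), m.group("action"), first, last))
    return rules

def probed_hosts(report):
    """Return the IPs listed between the httpd Begin/End lines of a Logwatch report."""
    if "httpd Begin" not in report:
        return []
    section = report.split("httpd Begin", 1)[1].split("httpd End", 1)[0]
    return [ipaddress.IPv4Address(w) for w in section.split()
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", w)]

def uncovered_probes(rules, hosts):
    """Probing hosts that fall outside every Deny range in the router table."""
    return [str(h) for h in hosts if not any(
        act == "Deny" and lo <= int(h) <= hi for _, act, lo, hi in rules)]

def redundant_rules(rules):
    """Names of Deny rows already fully covered by another Deny row."""
    denies = [r for r in rules if r[1] == "Deny"]
    return [n for i, (n, _, lo, hi) in enumerate(denies) if any(
        j != i and lo2 <= lo and hi <= hi2 for j, (_, _, lo2, hi2) in enumerate(denies))]
```

Run against the quoted data, both probing hosts are outside every blocked range and two rows (http_error_log4 and http_error_log3) are subsets of ranges already denied, which is the whack-a-mole pattern the post describes.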