[TriLUG] httpd probe issues
Shawn Taylor
shtaylor at gpi.com
Tue Aug 12 08:23:20 EDT 2008
Ron,
Can you not deny everybody and allow the few you would like through? This is
a more common practice.
Shawn
-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On Behalf
Of Ron Young
Sent: Tuesday, August 12, 2008 7:52 AM
To: Triangle Linux Users Group General Discussion
Subject: [TriLUG] httpd probe issues
All,
I hope someone can help me understand and fix what I think is a security
breach on my CentOS 4.x box. Even though I have blocked ranges of IP
addresses at the DLink DI-634M router with the following entries in the
firewall section:
Name Action Source IP Range
Deny
[image: Edit] <javascript:tryToEdit (0)>
[image: Delete] <javascript:tryToDelete (0)>
Deny
[image: Edit] <javascript:tryToEdit (1)>
[image: Delete] <javascript:tryToDelete (1)>
Deny
[image: Edit] <javascript:tryToEdit (2)>
[image: Delete] <javascript:tryToDelete (2)>
Deny
[image: Edit] <javascript:tryToEdit (3)>
[image: Delete] <javascript:tryToDelete (3)>
Deny
[image: Edit] <javascript:tryToEdit (4)>
[image: Delete] <javascript:tryToDelete (4)>
Deny
[image: Edit] <javascript:tryToEdit (5)>
[image: Delete] <javascript:tryToDelete (5)>
Deny
[image: Edit] <javascript:tryToEdit (6)>
[image: Delete] <javascript:tryToDelete (6)>
Deny
[image: Edit] <javascript:tryToEdit (7)>
[image: Delete] <javascript:tryToDelete (7)>
Deny
[image: Edit] <javascript:tryToEdit (8)>
[image: Delete] <javascript:tryToDelete (8)>
http_error_log6 Deny 63.64.0.0-63.127.255.255 [image:
Edit]<javascript:tryToEdit (9)> [image:
Delete] <javascript:tryToDelete (9)> http_error_log5 Deny
60.166.0.0-60.175.255.255 [image: Edit] <javascript:tryToEdit (10)> [image:
Delete] <javascript:tryToDelete (10)> http_error_log4 Deny
63.127.0.0-63.127.255.255 [image: Edit] <javascript:tryToEdit (11)> [image:
Delete] <javascript:tryToDelete (11)> http_error_log3 Deny
60.172.0.0-60.172.255.255 [image: Edit] <javascript:tryToEdit (12)> [image:
Delete] <javascript:tryToDelete (12)> http_error_log2 Deny
66.249.0.0-66.249.255.255 [image: Edit] <javascript:tryToEdit (13)> [image:
Delete] <javascript:tryToDelete (13)> Dlink Log 2 Deny 208.77.12.13 [image:
Edit] <javascript:tryToEdit (14)> [image: Delete] <javascript:tryToDelete
(14)> Dlink Log 1 Deny 59.63.157.211 [image: Edit] <javascript:tryToEdit
(15)> [image: Delete] <javascript:tryToDelete (15)>
I also have Port Forwarding on the router set up to forward port 22 to this
server and I have http port 80 to this server's address configured as a
Virtual Server on the router. These are the only two entries configured in
either section.
I still get entries like below in the Logwatch email I have sent to myself
every morning:
--------------------- httpd Begin ------------------------
A total of 2 sites probed the server
69.58.178.37
72.44.39.129
Previously when I got 'probes' like this I would open the DLink and add
another line to the firewall for that address range. The next morning there
would be probes from a different address. Seems like there ought to be a
better way.
Being a relative noob with Linux and never strong with network issues I was
hoping someone could help me devise a better security installation than I
now have.
Thanks in advance for your time!
--
Ron Young
919-621-9015
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
More information about the TriLUG
mailing list