
Thread: How-to Lighttpd, PHP, MySQL and Eaccelerator

  1. #1
    I observe similar queries in the logs of my web server too (I have lighttpd+mysql running a small forum on top of an RT-N16).

    Someone is scanning the internet looking for admin pages of typical services and other common vulnerabilities exposed to the internet. That's pretty common and there's no good way to block them (at least I don't know any).

    I wouldn't worry about them unless you find something relevant to your web site (like multiple strange requests to some script).

  2. #2
    It's hard to block scanners like that through iptables, you would need different software for that.

    What you can do is chroot your website directory, you have several how-to's on the internet for that sort of stuff.
    Even if they get in, they won't be able to access the router completely, just the webpages.

    I do agree that you have to watch out these days, so many pages are being injected with weird stuff... damn hackers with their botnets

  3. #3
    Originally posted by reiten:
    Someone is scanning the internet looking for admin pages of typical services and other common vulnerabilities exposed to the internet. That's pretty common and there's no good way to block them (at least I don't know any).

    Yes. But if someone scans my router several times, I block them that way:
    Code:
    $ cat /tmp/local/sbin/post-firewall
    #!/bin/sh
    ...
    for banned_ip in `cat /tmp/local/sbin/banned_ips.txt`;
    do
        iptables -I INPUT -s $banned_ip -j DROP
    done
    Code:
    $ cat /tmp/local/sbin/banned_ips.txt
    109.230.220.35
    109.230.251.94
    109.236.81.56
    111.228.1.5
    116.255.163.100
    118.129.154.165
    119.188.7.161
    ...
    It's an ugly way, I know, but some scanners are really annoying.

  4. #4
    Will that blocking thing slow down the webserver? Because I think they use a different IP every time, and that banned_ips.txt file will get long after some time.

    And what is a good way to follow the access and error.log files? I made them rotate like the system log, and they are sent to my email as text. But email breaks those access log lines, so it's hard to follow them.

  5. #5
    Originally posted by jeremees:
    Will that blocking thing slow down the webserver? Because I think they use a different IP every time, and that banned_ips.txt file will get long after some time.

    And what is a good way to follow the access and error.log files? I made them rotate like the system log, and they are sent to my email as text. But email breaks those access log lines, so it's hard to follow them.

    iptables will block anything from that IP... it's on a low level, but yes, it will slow down your system slightly. Probably it won't be noticeable though.

    I'm actually working on getting snort installed and working: http://www.snort.org/
    not sure how fast it is so far... but I have the idea that it's too heavy
    snort is able to detect illegal attempts and able to block it

  6. #6
    Originally posted by jeremees:
    Will that blocking thing slow down the webserver? Because I think they use a different IP every time, and that banned_ips.txt file will get long after some time.

    And what is a good way to follow the access and error.log files? I made them rotate like the system log, and they are sent to my email as text. But email breaks those access log lines, so it's hard to follow them.

    Well, you can use my ban list as well as the script (iptables) from here: http://wl500g.info/showthread.php?t=27852
    It should be up to date... and I suggest having a closer look at my avoid brute force script; scanners are detected and blocked for a complete day by iptables.
    I have not recognized that anything is slow on my rtn when using this blocklist.
    Further, there are several ways how I control my webserver.
    When needed, I can help you to adapt my avbf2_6 script for gateway-usage.
    Just translate by google - and no worry - someone will guide you when any problem occurs.
    HTH
    Have fun
    newbiefan

    EDIT:
    Ah, I forgot: a good starting point to block scanners and script kiddies is to use the url.access-deny capabilities of your lighttpd. Configure your lighty.conf to block scanners like ZmEU or Morpheus fucking scanner, or requests without any agent, and so on....
    Here you have a sample config to do so: http://pastebin.com/PQuMbF3Y
    Last edited by newbiefan; 15-01-2012 at 18:13.
    Alle HowTo's, all howto's

    RT-N16 1.9.2.7-rtn-r3121, Samba, VSFTP, Lighttpd, PHP, Perl, MySQL, Serendipity, Aria2web, HDD 640GB
    RT-N66U, 16GB MicroSD/ 2 Partitions, 2,5" HDD 1TB, running with Merlin's FW and Entware, 16 Mbit A1,
    Netgear DGND 3700V2, QNAP TS119PII 4 TB, QNAP TS209 2 TB Raid1, Backup Synology DS107+ 1 TB, HP CP1515n
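
Added example, not part of the thread and not any poster's script: the posts above discuss following the lighttpd access log, spotting scanners such as ZmEU or requests without an agent, and keeping a banned_ips.txt for the post-firewall loop. The script below reads the log and prints only the addresses worth adding to that list. It assumes lighttpd's default access-log layout; the function names, the threshold of 3 and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed log layout (lighttpd mod_accesslog default format):
#   ip vhost user [time] "request" status bytes "referer" "user-agent"
# Split on '"': $1 starts with the IP, $3 holds the status, $6 is the agent.

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 rtn16.lan - [15/Jan/2012:18:01:02 +0100] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 rtn16.lan - [15/Jan/2012:18:02:10 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 404 345 "-" "ZmEU"
203.0.113.5 rtn16.lan - [15/Jan/2012:18:03:01 +0100] "GET /admin/ HTTP/1.0" 404 345 "-" "-"
203.0.113.5 rtn16.lan - [15/Jan/2012:18:03:02 +0100] "GET /pma/ HTTP/1.0" 404 345 "-" "-"
203.0.113.5 rtn16.lan - [15/Jan/2012:18:03:03 +0100] "GET /manager/html HTTP/1.0" 404 345 "-" "-"
192.0.2.10 rtn16.lan - [15/Jan/2012:18:04:00 +0100] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.44 rtn16.lan - [15/Jan/2012:18:05:00 +0100] "GET /forum/ HTTP/1.1" 200 5120 "-" "-"
EOF
}

# Print "ip count reason" for clients that look like scanners, sorted by IP.
# $1 = access log ("-" or omitted = stdin), $2 = hit threshold (default 3).
scan_candidates() {
    awk -F'"' -v limit="${2:-3}" '
    {
        split($1, head, " "); ip = head[1]
        split($3, tail, " "); status = tail[1]
        # Skip malformed lines so junk never reaches the ban list.
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (status !~ /^[0-9][0-9][0-9]$/) next
        seen[ip] = 1
        if ($6 ~ /ZmEU|Mor(f|ph)eus/) bad_ua[ip]++   # agents named in the thread (either spelling)
        else if ($6 == "-" || $6 == "") no_ua[ip]++  # request sent without an agent
        if (status == 404) not_found[ip]++
    }
    END {
        for (ip in seen) {
            if (bad_ua[ip] > 0)               print ip, bad_ua[ip], "scanner-agent"
            else if (not_found[ip] >= limit)  print ip, not_found[ip], "many-404"
            else if (no_ua[ip] >= limit)      print ip, no_ua[ip], "no-agent"
        }
    }' "${1:--}" | sort
}

# Print flagged IPs missing from the ban list, one per line, which is the
# format the post-firewall loop reads. $1 = access log, $2 = existing ban list.
new_bans() {
    scan_candidates "$1" | cut -d' ' -f1 | grep -vxF -f "$2" || true
}

sample_log | scan_candidates    # stand-alone demo on the constructed lines
```

Review the output of new_bans before appending it to banned_ips.txt: a single visitor who hits a few missing pages can cross a low threshold.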
