[TriLUG] Denial of Service Attack

3y3 at earthlink.net
Fri Jan 23 01:01:45 EST 2004


You might want to take a look at these:

http://www.cert.org/tech_tips/root_compromise.html
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/denial_of_service.html
http://www.cert.org/archive/pdf/Managing_DoS.pdf

A few other things to keep in mind that I'm not sure are discussed in the above links:

-Review other internal systems for a compromise.  The web-server could have been used as a launching pad to attack other systems in your DMZ or internal side.
-Do your best to determine how the system was compromised.

Web specific:
-Run the latest Apache, built from source, with the bare minimum of modules needed
-Chroot Apache
-Install mod_security

#These are from my generic httpd.conf:
<IfModule mod_security.c>

    # Enable logging of the GET and POST requests.
    SecAuditEngine On

    # Location of the audit log.
    SecAuditLog logs/audit_log

    # Enable scanning and filtering (POST bodies included).
    SecFilterScanPOST On
    SecFilterEngine On

    # Return an "Internal Server Error" (500) and log the request whenever
    # the request matches the pattern of any SecFilter directive below.
    SecFilterDefaultAction "deny,log,status:500"

    # Filters

    # Generic:

        # WEB-MISC .htaccess access
        SecFilter "\.htaccess"

        # Prevent path traversal (..) attacks
        SecFilter "\.\./"

    # XSS (cross-site scripting) attacks:

        # Search for HTML tags in the GET and POST requests.
        # This will prevent "some" cross-site scripting attacks.
        SecFilter "<(.|\n)+>"

    # SQL injection attacks:

        # The following set up the filters for protection against SQL injection attacks.
        #SecFilter "'"
        SecFilter "\""
        SecFilter "delete[[:space:]]+from"
        SecFilter "insert[[:space:]]+into"
        SecFilter "select.+from"
</IfModule>

Good luck,
Kyle Behymer CISSP
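As an added illustration (not from Kyle's post and not mod_security's own code), a small Python model of how the seven SecFilter patterns above classify requests, showing both the hits they exist for and the ordinary traffic they would also deny with a 500. The URL-decoding step, the first-match rule and the sample requests in SAMPLES are all constructed assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# The SecFilter patterns from the posted httpd.conf, in their original order.
# POSIX [[:space:]] is rewritten to \s because Python's re lacks POSIX classes.
SEC_FILTERS = [
    ("htaccess", r"\.htaccess"),
    ("traversal", r"\.\./"),
    ("html-tag", r"<(.|\n)+>"),
    ("dquote", r"\""),
    ("sql-delete", r"delete[[:space:]]+from"),
    ("sql-insert", r"insert[[:space:]]+into"),
    ("sql-select", r"select.+from"),
]
COMPILED = [(n, re.compile(p.replace("[[:space:]]", r"\s"))) for n, p in SEC_FILTERS]
DENY_STATUS = 500  # from SecFilterDefaultAction "deny,log,status:500"


def inspect(method, uri, body="", decode=True):
    """Model of one filter pass: returns (status, matching filter name or None).

    Assumptions: the URI and, because SecFilterScanPOST is On, a POST body are
    searched; input is URL-decoded before matching (decode=False shows what a
    filter that skips normalisation would see); the first match decides.
    """
    parts = [uri] + ([body] if method == "POST" else [])
    text = "\n".join(unquote(p) if decode else p for p in parts)
    for name, rx in COMPILED:
        if rx.search(text):
            return DENY_STATUS, name
    return 200, None


# Constructed sample traffic (not real log data). The first three are the kinds
# of requests the filters target; the next two are ordinary requests the same
# filters reject, which is the false-positive cost of a keyword blocklist.
SAMPLES = [
    ("GET", "/.htaccess", ""),
    ("GET", "/img/%2e%2e/%2e%2e/config.php", ""),
    ("POST", "/comment", "text=%3Cb%3Ehello%3C%2Fb%3E"),
    ("POST", "/api/note", '{"title": "meeting notes"}'),
    ("GET", "/docs?q=how+to+select+rows+from+a+table", ""),
    ("GET", "/index.html", ""),
]


def run_samples(decode=True):
    """Apply the filters to every sample; returns a list of (status, filter)."""
    return [inspect(m, u, b, decode) for m, u, b in SAMPLES]


if __name__ == "__main__":
    for (m, u, _), (status, hit) in zip(SAMPLES, run_samples()):
        print(f"{m} {u} -> {status}" + (f' (SecFilter "{hit}")' if hit else ""))
```

The second sample only matches after decoding, which is why a filter must see normalised input, and the JSON and search samples show why the quote and keyword filters need tuning before they go in front of real applications.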

-----Original Message-----
From: "Roberto J. Dohnert" <webwarrior at gnu-darwin.org>
Sent: Jan 22, 2004 11:54 PM
To: Triangle Linux Users Group discussion list <trilug at trilug.org>
Subject: [TriLUG] Denial of Service Attack

Hey Guys,

I need a little help here. I have been dealing with DoS attacks against
my webserver all day. And we had a hacker break in, defaced our
website, got access to CVS, didn't steal any source code but we are
checking it nonetheless. Luckily we caught it before he could access
our customer database. What are some of the things I can do to minimize
the damage? Right now we use SuSE Enterprise Linux 8 and the Apache Web
Server. I thought it was secure enough. What are some practices I can
incorporate in the future to prevent DoS attacks? I don't think I will
be able to make the Installfest because I have a real mess to clean up.

-- 
---
For more information on Me goto http://www.geocities.com/rjdohnert/
For my Linux tip and information page goto http://www.geocities.com/kane121975/


-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
