[TriLUG] httpd probe issues

Ron Young ronyoung at nc.rr.com
Tue Aug 12 08:32:29 EDT 2008


Shawn,

Thanks.  How do I do that?  Deny to 0.0.0.0-255.255.255.255 ?

And if I am at a new client site and want to demo something on my web site
here I could ssh tunnel a VNC connection and edit my router tables to allow
his IP address.

Is this what you meant?

-- 
Ron Young
919-621-9015


On Tue, Aug 12, 2008 at 8:23 AM, Shawn Taylor <shtaylor at gpi.com> wrote:

> Ron,
>
> Can you not deny everybody and allow the few you would like through? This
> is a more common practice.
>
> Shawn
>
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On
> Behalf Of Ron Young
> Sent: Tuesday, August 12, 2008 7:52 AM
> To: Triangle Linux Users Group General Discussion
> Subject: [TriLUG] httpd probe issues
>
> All,
>
> I hope someone can help me understand and fix what I think is a security
> breach on my CentOS 4.x box.  Even though I have blocked ranges of IP
> addresses at the DLink DI-634M router with the following entries in the
> firewall section:
>
> Name             Action  Source IP Range
>                  Deny
>                  Deny
>                  Deny
>                  Deny
>                  Deny
>                  Deny
>                  Deny
>                  Deny
>                  Deny
> http_error_log6  Deny    63.64.0.0-63.127.255.255
> http_error_log5  Deny    60.166.0.0-60.175.255.255
> http_error_log4  Deny    63.127.0.0-63.127.255.255
> http_error_log3  Deny    60.172.0.0-60.172.255.255
> http_error_log2  Deny    66.249.0.0-66.249.255.255
> Dlink Log 2      Deny    208.77.12.13
> Dlink Log 1      Deny    59.63.157.211
>
> I also have Port Forwarding on the router set up to forward port 22 to this
> server and I have http port 80 to this server's address configured as a
> Virtual Server on the router.  These are the only two entries configured in
> either section.
>
> I still get entries like below in the Logwatch email I have sent to myself
> every morning:
>
> --------------------- httpd Begin ------------------------
>
> A total of 2 sites probed the server
>  69.58.178.37
>  72.44.39.129
>
> Previously when I got 'probes' like this I would open the DLink and add
> another line to the firewall for that address range.  The next morning
> there would be probes from a different address.  Seems like there ought
> to be a better way.
>
> Being a relative noob with Linux and never strong with network issues I was
> hoping someone could help me devise a better security installation than I
> now have.
>
> Thanks in advance for your time!
> --
> Ron Young
> 919-621-9015
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions
>
>
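
An added example, not part of the thread and not anyone's actual router configuration: it checks the two addresses from the quoted Logwatch report against the deny ranges that survive in the quoted table, then against a default-deny allow-list of the kind Shawn suggests. The allow-list entries are constructed documentation addresses, and all function names are hypothetical.

```python
import ipaddress

_ip = ipaddress.IPv4Address

# Deny ranges from the quoted router table (only rows whose range is shown).
DENY_RANGES = [
    ("63.64.0.0", "63.127.255.255"),
    ("60.166.0.0", "60.175.255.255"),
    ("63.127.0.0", "63.127.255.255"),
    ("60.172.0.0", "60.172.255.255"),
    ("66.249.0.0", "66.249.255.255"),
    ("208.77.12.13", "208.77.12.13"),
    ("59.63.157.211", "59.63.157.211"),
]
# Constructed allow-list: placeholder addresses standing in for a client site.
ALLOW_RANGES = [("203.0.113.10", "203.0.113.10"),
                ("198.51.100.0", "198.51.100.255")]

def _in_ranges(addr, ranges):
    return any(_ip(lo) <= _ip(addr) <= _ip(hi) for lo, hi in ranges)

def blocklist_verdict(addr):
    """Default allow: only sources inside a deny range are dropped."""
    return "deny" if _in_ranges(addr, DENY_RANGES) else "allow"

def allowlist_verdict(addr):
    """Default deny: only sources inside an allow range get through."""
    return "allow" if _in_ranges(addr, ALLOW_RANGES) else "deny"

def redundant_ranges(ranges):
    """Ranges fully covered by a different, wider range in the same list."""
    out = []
    for lo, hi in ranges:
        for olo, ohi in ranges:
            if (olo, ohi) != (lo, hi) and _ip(olo) <= _ip(lo) and _ip(hi) <= _ip(ohi):
                out.append((lo, hi))
                break
    return out

def as_cidrs(lo, hi):
    """Start-end range as CIDR blocks, the notation iptables accepts."""
    return [str(n) for n in ipaddress.summarize_address_range(_ip(lo), _ip(hi))]

if __name__ == "__main__":
    for probe in ("69.58.178.37", "72.44.39.129"):  # from the quoted Logwatch report
        print(probe, "blocklist:", blocklist_verdict(probe),
              "allowlist:", allowlist_verdict(probe))
    print("redundant deny rows:", redundant_ranges(DENY_RANGES))
    print("63.64.0.0-63.127.255.255 =", as_cidrs("63.64.0.0", "63.127.255.255"))
```

Both reported probe sources fall outside every listed deny range, which is why they still reach port 80; under default deny they are dropped without a new rule per probe.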


