[TriLUG] httpd probe issues

Shawn Taylor shtaylor at gpi.com
Tue Aug 12 08:59:09 EDT 2008


Well, no not really!!

:)

You need to look at what all of your needs are and build a plan around that.

Currently, you allow SSH through your firewall for mgmt purposes?

Essentially, if you have five clients (hypothetically), you might say something like:


Allow http/https/ftp/ssh from 10.10.10.0/24 (Client1)

Allow http/https/ftp/ssh from 10.10.20.0/24 (Client2)

Allow http/https/ftp/ssh from 10.10.30.0/24 (Client3)

Allow http/https/ftp/ssh from 10.10.40.0/24 (Client4)

Allow http/https/ftp/ssh from 10.10.50.0/24 (Client5)

Deny anything else from everywhere else


This would let the services through (No matter what they are) for the ip
ranges you want to trust. Then it would drop any other packet from
anyone/anything else.

Shawn
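The allow-list plan above, written out as an added example (not from Shawn's or Ron's messages) for the CentOS host itself rather than the DLink, since the router's Deny list works the other way round. The five client networks, the 203.0.113.7 demo-site address and the port list are placeholders taken from the hypothetical in the thread; nothing else about Ron's setup is assumed. The output is in iptables-restore format so it can be read before it is loaded:

```bash
#!/bin/sh
# Added example: generate a default-deny iptables ruleset that only
# admits the listed client networks to the listed TCP ports.
# Networks and ports are placeholders (assumption), not real clients.
# Review the output, then load it, e.g. on CentOS 4:
#   gen_allowlist_rules > /etc/sysconfig/iptables && service iptables restart

# Allowed source networks, one per client (placeholders from the thread).
ALLOWED_NETS="10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.40.0/24 10.10.50.0/24"
# TCP ports opened to those networks: ftp, ssh, http, https.
ALLOWED_PORTS="21 22 80 443"

gen_allowlist_rules() {
    # usage: gen_allowlist_rules [nets] [ports]; defaults to the lists above.
    nets="${1:-$ALLOWED_NETS}"
    ports="${2:-$ALLOWED_PORTS}"
    echo '*filter'
    # Default policies: drop everything inbound and forwarded, allow outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host started.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per (network, port). Anything not matched falls to the
    # INPUT DROP policy, so there is no need to enumerate what to block.
    for net in $nets; do
        for port in $ports; do
            echo "-A INPUT -s $net -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    # Rate-limited log of what the policy drops, so Logwatch still shows
    # who is probing without the log filling up.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    echo 'COMMIT'
}

is_allowed() {
    # usage: is_allowed <src-cidr> <port>
    # Checks the generated text, not the running kernel, so it needs no root.
    gen_allowlist_rules | grep -q -- "-A INPUT -s $1 -p tcp --dport $2 -m state --state NEW -j ACCEPT"
}

# Stand-alone run: print the ruleset for review.
gen_allowlist_rules
```

Two practical notes: for the demo-from-a-client-site case, regenerate with that site's address appended rather than editing rules by hand, e.g. `gen_allowlist_rules "$ALLOWED_NETS 203.0.113.7/32"` (placeholder address), and take it out again afterwards; and if FTP stays in the list, the ESTABLISHED,RELATED rule only admits the data connection when the `ip_conntrack_ftp` module is loaded, otherwise passive-mode transfers will be dropped.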

Ron wrote:
Shawn,

Thanks.  How do I do that?  Deny to 0.0.0.0-255.255.255.255 ?

And if I am at a new client site and want to demo something on my web site
here I could ssh tunnel a VNC connection and edit my router tables to allow
his IP address.

Is this what you meant?

--
Ron Young
919-621-9015


On Tue, Aug 12, 2008 at 8:23 AM, Shawn Taylor <shtaylor at gpi.com> wrote:

> Ron,
>
> Can you not deny everybody and allow the few you would like through? This
> is
> a more common practice.
>
> Shawn
>
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On
> Behalf
> Of Ron Young
> Sent: Tuesday, August 12, 2008 7:52 AM
> To: Triangle Linux Users Group General Discussion
> Subject: [TriLUG] httpd probe issues
>
> All,
>
> I hope someone can help me understand and fix what I think is a security
> breach on my CentOS 4.x box.  Even though I have blocked ranges of IP
> addresses at the DLink DI-634M router with the following entries in the
> firewall section:
>
> Name              Action  Source IP Range
> (nine further entries, name and range not shown)  Deny
> http_error_log6   Deny    63.64.0.0-63.127.255.255
> http_error_log5   Deny    60.166.0.0-60.175.255.255
> http_error_log4   Deny    63.127.0.0-63.127.255.255
> http_error_log3   Deny    60.172.0.0-60.172.255.255
> http_error_log2   Deny    66.249.0.0-66.249.255.255
> Dlink Log 2       Deny    208.77.12.13
> Dlink Log 1       Deny    59.63.157.211
>
> I also have Port Forwarding on the router set up to forward port 22 to this
> server and I have http port 80 to this server's address configured as a
> Virtual Server on the router.  These are the only two entries configured in
> either section.
>
> I still get entries like below in the Logwatch email I have sent to myself
> every morning:
>
> --------------------- httpd Begin ------------------------
>
> A total of 2 sites probed the server
>  69.58.178.37
>  72.44.39.129
>
> Previously when I got 'probes' like this I would open the DLink and add
> another line to the firewall for that address range.  The next morning
> there
> would be probes from a different address.  Seems like there ought to be a
> better way.
>
> Being a relative noob with Linux and never strong with network issues I was
> hoping someone could help me devise a better security installation than I
> now have.
>
> Thanks in advance for your time!
> --
> Ron Young
> 919-621-9015
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG FAQ  : http://www.trilug.org/wiki/Frequently_Asked_Questions