Web server attacks

March 19th, 2006

It seems that my web server has been the target of some web attacks. Yesterday, I discovered some log entries like these:

65.67.68.136 - - [18/Mar/2006:12:00:35 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417
65.67.68.136 - - [18/Mar/2006:12:00:54 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:55 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:55 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:55 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:55 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:55 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:59 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417
65.67.68.136 - - [18/Mar/2006:12:01:00 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 200 417

And, although WordPress has been resisting these attempts, they are definitely consuming some precious CPU cycles on my machine, and I don't know whether, some day, they will succeed. So I've started a short study of alternatives for increasing the security of my web server.
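The pattern in the log above (one client POSTing to a burst of guessed xmlrpc.php paths, most of them 404) is easy to pick out automatically. The following is an added example, not code from the original post: it parses Apache common-log lines and flags any client that POSTs to several distinct xmlrpc.php paths within a short window. The sample log is constructed from the entries above plus an invented ordinary client (192.0.2.10); the thresholds (`min_paths`, `window`) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common-log prefix: client ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: the scanner's lines from the post plus one ordinary client (192.0.2.10).
SAMPLE_LOG = """\
65.67.68.136 - - [18/Mar/2006:12:00:35 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417
65.67.68.136 - - [18/Mar/2006:12:00:54 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:55 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:55 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 643
65.67.68.136 - - [18/Mar/2006:12:00:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417
192.0.2.10 - - [18/Mar/2006:12:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [18/Mar/2006:12:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417
""".splitlines()

def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_xmlrpc_probes(lines, min_paths=3, window=timedelta(minutes=5)):
    """Flag clients that POST to at least `min_paths` distinct xmlrpc.php paths within `window`.
    Returns {ip: {"paths": n, "not_found": n, "ok": n}} for flagged clients only."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].lower().endswith("xmlrpc.php"):
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):           # slide a time window over this client's POSTs
            burst = [r for r in recs[i:] if r["time"] - first["time"] <= window]
            if len({r["path"] for r in burst}) >= min_paths:
                flagged[ip] = {"paths": len({r["path"] for r in burst}),
                               "not_found": sum(r["status"] == 404 for r in burst),
                               "ok": sum(r["status"] == 200 for r in burst)}
                break
    return flagged
```

A single legitimate XML-RPC client (the 192.0.2.10 lines) posts to one path only and is not flagged; the scanner is reported with its distinct-path count and its 404/200 split.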

Ideally, the defense should sit in the web server itself, so that a malicious request never reaches the PHP code (something expensive for a G3) and cannot exploit any security mistake (i.e., a writable directory, a forgotten script…). The easiest option would be some kind of blacklist system, but, although blacklists are easy to check (and, by the way, they don't require much CPU), they are neither flexible nor reliable. What I need is something that can check the web requests at a higher level, using some sort of rules.

And I have found the solution in ModSecurity, a security module for Apache. Installing the mod_security module provides a very flexible way of filtering requests before they are processed. It uses a system based on regular expressions, applied to any field of the request (i.e., the client IP address, the request URI, a single string, etc.), and the project has a repository with a huge list of rules that can be used out of the box. Nice, isn't it?

I have installed the module today, and now my server seems to be much better. I have created an automatic update script for the rules, so they are downloaded once a month, and I haven't noticed any performance penalty on the system, even though the project's web page says that Apache 1 uses a very slow PCRE implementation.

You are currently reading Web server attacks at Inercia.