swisspig.net - To hell with the pig... I'm going to Switzerland.

Network Security Auditing (Friday, January 6, 2006)

Well, I've made another jump forward in my fight against network pollution. Being moderately paranoid, I closely review every line of all of my logs, rather regularly. And in my web server logs, I frequently find entries that indicate attempts by the client hosts to compromise the security of swisspig.net. Some of them run through a long list of well-known exploits of popular web applications, and others look for exploits for particular web servers or configurations. And still others just barrage me with malformed requests. It wouldn't bother me so much if the exploit attempts were less brain-dead... but they aren't — I'm not running any of the popular applications that they're trying to exploit, so it just fills up my logs with useless garbage.

So... I've written a new library to add some new features to my web server. Now, I can configure my web server to identify particular IP addresses from which connections should be refused (like TCP wrappers), and I can also configure patterns that indicate likely attacks and temporarily block those hosts from connecting. So, if an attacker were about to send thirty nonsensical requests, I can detect the attack at the first request and drop the connections of all the subsequent requests.

I've also added a feature to detect repeated attempts to access parts of the site protected by HTTP authentication. Now, any more than three requests returning a 401 status will result in that host being rejected for a short while. This will help prevent brute-force attempts at gaining access.
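The two mechanisms described above (a static deny list plus pattern-triggered temporary bans, and the lockout after more than three 401 responses) modelled as a small Python request filter. This is an added illustration written for this page, not Brian's thttpd library; the window length, ban duration, signature patterns and addresses are all assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# All configuration below is constructed for this example. The post's only
# concrete number is the 401 threshold ("any more than three"); the window,
# ban length, addresses and signatures are assumptions.
STATIC_DENY = {"203.0.113.9"}                     # TCP-wrappers-style permanent refusal (constructed)
ATTACK_SIGNATURES = [
    re.compile(r"\.\./"),                         # directory traversal probe
    re.compile(r"%2e%2e", re.IGNORECASE),         # URL-encoded variant of the same
    re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]"),  # control bytes: malformed request line
]
MAX_401 = 3            # "more than three" 401s trips the block
WINDOW_SECONDS = 60.0  # 401s older than this are forgotten (assumption)
BAN_SECONDS = 300.0    # "a short while" (assumption)


@dataclass
class RequestFilter:
    static_deny: set
    signatures: list
    bans: dict = field(default_factory=dict)  # ip -> time the temporary ban expires
    auth_failures: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> 401 timestamps

    def _ban(self, ip, now):
        self.bans[ip] = now + BAN_SECONDS

    def is_blocked(self, ip, now):
        """Check the permanent deny list, then any temporary ban still in force."""
        if ip in self.static_deny:
            return True
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.bans[ip]  # ban has lapsed; the host may try again
        return False

    def accept_request(self, ip, request_line, now):
        """Decide at the first request whether to serve it; ban on a signature hit."""
        if self.is_blocked(ip, now):
            return False
        if any(sig.search(request_line) for sig in self.signatures):
            self._ban(ip, now)
            return False
        return True

    def record_response(self, ip, status, now):
        """Count 401s per host inside the window; ban once the count exceeds MAX_401."""
        if status != 401:
            return
        stamps = self.auth_failures[ip]
        stamps.append(now)
        while stamps and now - stamps[0] > WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) > MAX_401:
            self._ban(ip, now)
            stamps.clear()


def replay(events, flt=None):
    """Feed (time, ip, request_line, status) tuples through the filter.

    Returns the served/dropped decision for each event, in order. `status` is what
    the server would have answered had the request been served (None for none).
    """
    flt = flt or RequestFilter(STATIC_DENY, ATTACK_SIGNATURES)
    decisions = []
    for now, ip, request_line, status in events:
        served = flt.accept_request(ip, request_line, now)
        decisions.append(served)
        if served and status is not None:
            flt.record_response(ip, status, now)
    return decisions


# Constructed sample traffic (addresses from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    (0.0,   "192.0.2.10",   "GET / HTTP/1.1", 200),                  # ordinary visitor
    (1.0,   "203.0.113.9",  "GET / HTTP/1.1", 200),                  # on the static deny list
    (2.0,   "198.51.100.5", "GET /cgi-bin/../../x HTTP/1.0", 404),   # traversal probe: banned at once
    (3.0,   "198.51.100.5", "GET /index.html HTTP/1.0", 200),        # follow-up request dropped
    (10.0,  "192.0.2.77",   "GET /private/ HTTP/1.1", 401),          # auth failures 1..4
    (11.0,  "192.0.2.77",   "GET /private/ HTTP/1.1", 401),
    (12.0,  "192.0.2.77",   "GET /private/ HTTP/1.1", 401),
    (13.0,  "192.0.2.77",   "GET /private/ HTTP/1.1", 401),          # fourth 401: host banned
    (14.0,  "192.0.2.77",   "GET /private/ HTTP/1.1", 401),          # dropped
    (400.0, "192.0.2.77",   "GET /private/ HTTP/1.1", 200),          # ban expired, served again
]

if __name__ == "__main__":
    for event, served in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{event[0]:6.1f} {event[1]:<13} {'served' if served else 'dropped':7} {event[2]}")
```

The 401 counter is deliberately a sliding window rather than a lifetime total, so a legitimate user who mistypes a password a couple of times a day never accumulates enough failures to be locked out, while a rapid guessing run does. Note that the fourth 401 is still served (the ban takes effect on the response, not the request), which is why the fifth request is the first one dropped.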

It's not bulletproof, but it seems to work, and has already begun reducing the bogus traffic to my site. Once I've got it more thoroughly tested, I may release a patch for thttpd so that others can take advantage of my modifications.

—Brian (1/6/2006 12:46 AM)

Disclaimer: Opinions on this site are those of Brian Ziman and do not necessarily
reflect the views of any other organizations or businesses mentioned.