
Security any additional tips

Posted: Thu Feb 12, 2009 11:56 am
by howey
I was wondering what the general consensus on security was. I have implemented the htaccess files as suggested in the small guide, I can't get at the core php.ini etc. (I run my websites on a VPS from WebFusion and I can't get access through normal FTP, I would have to use the shell access, which I'm afraid I know nothing about. Seems to be more difficult from a Mac as well).

I haven't increased the settings on the read write access to directories beyond those given for the initial set up, I had a few problems with not being able to access the admin properly etc.

However, I have been keeping an eye on my logs and have noticed that I am getting quite a few errors noted when there is a request for non-existent files, i.e.

[Wed Feb 04 02:38:59 2009] [error] [client 94.136.34.86] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Feb 04 12:16:35 2009] [error] [client 75.149.76.99] File does not exist: /var/www/vhosts/italianbev.co.uk/httpdocs/roundcube
[Wed Feb 04 12:16:37 2009] [error] [client 75.149.76.99] File does not exist: /var/www/vhosts/italianbev.co.uk/httpdocs/webmail
[Wed Feb 04 12:16:37 2009] [error] [client 75.149.76.99] File does not exist: /var/www/vhosts/italianbev.co.uk/httpdocs/mail
[Wed Feb 04 20:36:40 2009] [error] [client 92.48.70.150] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /test.w00t:)

Also log files reading:
94.136.34.86 - - [04/Feb/2009:02:38:59 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 505 "-" "-"
75.149.76.99 - - [04/Feb/2009:12:16:35 +0000] "GET /roundcube/index.php HTTP/1.0" 404 1497 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)"
75.149.76.99 - - [04/Feb/2009:12:16:35 +0000] "GET /index.php HTTP/1.0" 200 11138 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)"
75.149.76.99 - - [04/Feb/2009:12:16:37 +0000] "GET /webmail/index.php HTTP/1.0" 404 1497 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)"
75.149.76.99 - - [04/Feb/2009:12:16:37 +0000] "GET /mail/index.php HTTP/1.0" 404 1497 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)"
92.48.70.150 - - [04/Feb/2009:20:36:40 +0000] "GET /test.w00t:) HTTP/1.1" 400 505 "-" "-"

Should I be worried by these? I have noted this activity since I started getting my log reports sent through email.

Any comments or suggestions would be appreciated.
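
Added example, not part of howey's post: a small Python triage pass over access-log lines in the same combined format as those quoted above, grouping requests by client and flagging the two patterns visible there (a 400 response to a request with no User-Agent, and 404s on several distinct paths from one address). The function name `triage`, the `min_missing` threshold and the sample lines are assumptions made for illustration; the sample addresses are from the documentation ranges.

```python
import re
from collections import defaultdict

# Apache "combined" access-log layout, matching the lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not taken from a real server).
SAMPLE = """\
192.0.2.10 - - [04/Feb/2009:02:38:59 +0000] "GET /probe.example HTTP/1.1" 400 505 "-" "-"
198.51.100.7 - - [04/Feb/2009:12:16:35 +0000] "GET /roundcube/index.php HTTP/1.0" 404 1497 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Feb/2009:12:16:35 +0000] "GET /index.php HTTP/1.0" 200 11138 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Feb/2009:12:16:37 +0000] "GET /webmail/index.php HTTP/1.0" 404 1497 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Feb/2009:12:16:37 +0000] "GET /mail/index.php HTTP/1.0" 404 1497 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2009:13:00:00 +0000] "GET /index.php HTTP/1.1" 200 11138 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Feb/2009:13:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 1497 "http://www.example.com/" "Mozilla/5.0"
"""


def triage(log_text, min_missing=3):
    """Return {client_ip: sorted reasons} for clients whose requests look like probing."""
    missing = defaultdict(set)  # ip -> distinct top-level paths that returned 404
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in combined format
        parts = m["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else ""
        status = int(m["status"])
        # A 400 with an empty User-Agent is typical of automated tools, not browsers.
        if status == 400 and m["agent"] == "-":
            reasons[m["ip"]].add("400 with no User-Agent")
        if status == 404:
            missing[m["ip"]].add("/" + path.lstrip("/").split("/", 1)[0])
    # One stray 404 (e.g. favicon.ico) is normal; several distinct ones are not.
    for ip, paths in missing.items():
        if len(paths) >= min_missing:
            reasons[ip].add("404 on %d distinct paths" % len(paths))
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in sorted(triage(SAMPLE).items()):
        print(ip, "->", "; ".join(why))
```

Clients that appear in the result only ever received 400 or 404 responses for paths that do not exist on the site, which is the point to check before deciding whether any follow-up is needed.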