So I have a ClearOS box with plenty of horsepower connected to my server (WAMP, also beefy). Yesterday early morning my server started giving out timeout requests. Looking into it, I found I had many hundreds of incoming TCP connections on my server from many tens of IP addresses. Each one was looking for multiple ports like N, N+1, N+2, N+3, N+4. Then they would time out and look for the next ones.
The fact the web server is not dishing out the pages is an Apache problem. It should work as there are lots of resources for it. It currently sits at 0.1% CPU and 150MB of 16GB of RAM used by it. But that's a different story, input welcome if known though.
The problem as I see it, is how is this not detected? All the incoming traffic is coming into TCP Port 80, but the remote port is whatever. I (think) I need a rule that says "if an IP tries scanning 3 or more concurrent ports within 5 seconds, add to the intrusion prevention list". 3 and 5 randomly chosen. How do I even go about doing this?
Any advice? My server is currently "down" requesting all these stupid port scan requests...
Setup:
Google Search Appliance running ClearOS
Custom Desktop Server running Windows/Apache/PHP/MySQL
Connection: 100Mbps/45Mbps U/D Internet Pipe
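As an added example (not code from ClearOS, Snort or anyone in this thread), here is the rule the question sketches, "3 or more distinct ports from one address inside 5 seconds", implemented as a sliding window per source address and run over a few constructed connection records. The addresses, the log format and the exemption list are constructed for illustration; the 3 and 5 are the thresholds the post picks. One thing the sample data makes visible: an address that opens many connections to port 80 with climbing source ports, which is the pattern the first post describes, never trips the rule, because that is what any HTTP client fetching several objects looks like. Only the address that walks destination ports 80, 81, 82 is flagged, and the administrator's own address is exempted so the detector cannot lock out its operator.

```python
"""Sliding-window port-scan detector for the rule the question asks for.

Added example, not code from ClearOS, Snort or the forum thread.
All addresses below are from RFC 5737 documentation ranges and the
connection records are constructed; the 3-port / 5-second thresholds
are the ones the question picks.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

PORT_THRESHOLD = 3       # distinct destination ports from one source ...
WINDOW_SECONDS = 5.0     # ... seen within this many seconds
# Constructed: the administrator's own address, never to be blacklisted.
EXEMPT = [ip_network("203.0.113.10/32")]


class ScanDetector:
    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS, exempt=EXEMPT):
        self.threshold = threshold
        self.window = window
        self.exempt = list(exempt)
        self.history = defaultdict(deque)   # src ip -> deque of (ts, dst_port)
        self.flagged = set()                # addresses that crossed the threshold

    def is_exempt(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.exempt)

    def observe(self, ts, src, dst_port):
        """Record one connection attempt; True when src just crossed the threshold."""
        if self.is_exempt(src) or src in self.flagged:
            return False
        q = self.history[src]
        q.append((ts, dst_port))
        # Drop records older than the window so the count is per 5 seconds.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= self.threshold:
            self.flagged.add(src)
            return True
        return False

    def blacklist(self):
        return sorted(self.flagged)


def parse_record(line):
    """Parse a constructed 'ts src:sport -> dst:dport' connection record."""
    ts, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    _dst_ip, dport = dst.rsplit(":", 1)
    return float(ts), src_ip, int(dport)


# Constructed records: .7 behaves like a browser (one port, climbing source
# ports), .9 walks consecutive destination ports, .10 is the exempt admin.
SAMPLE_LOG = """\
0.0 198.51.100.7:50001 -> 192.0.2.1:80
0.4 198.51.100.7:50002 -> 192.0.2.1:80
0.9 198.51.100.7:50003 -> 192.0.2.1:80
1.3 198.51.100.7:50004 -> 192.0.2.1:80
2.0 198.51.100.9:40000 -> 192.0.2.1:80
2.5 198.51.100.9:40001 -> 192.0.2.1:81
3.1 198.51.100.9:40002 -> 192.0.2.1:82
9.0 198.51.100.9:40003 -> 192.0.2.1:83
10.0 203.0.113.10:33000 -> 192.0.2.1:21
10.1 203.0.113.10:33001 -> 192.0.2.1:22
10.2 203.0.113.10:33002 -> 192.0.2.1:80
"""


def run(log_text, **detector_kwargs):
    """Feed every record to the detector; return [(ts, src)] at the moment each is flagged."""
    det = ScanDetector(**detector_kwargs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dport = parse_record(line)
        if det.observe(ts, src, dport):
            hits.append((ts, src))
    return hits


if __name__ == "__main__":
    for ts, src in run(SAMPLE_LOG):
        print(f"t={ts}: {src} hit {PORT_THRESHOLD} ports in {WINDOW_SECONDS}s, add to block list")
```

In practice the records would come from the firewall's connection log or a Snort alert stream rather than a string, and the `blacklist()` output would feed whatever the box uses to insert drop rules; the window is kept per source address so a burst from many unrelated addresses to one port, which is what the question actually shows, is not mistaken for a scan.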
Responses (6)
Ok, I don't understand this. I have certain IP's blocked in my firewall, yet I am still getting requests on my server for them... So how are they even getting through to my server? (Yes I notice some of them are redundant, I just added them as I saw them crop up).
Here is a screenshot: http://imageshack.us/photo/my-images/27/whyfirewall.jpg/
I would put it on my server, but this problem prevents me from doing so!
OK, well I am editing the firewall manually now, I just would rather have it edited automatically and smartly instead of brute force with me punching in numbers potentially blocking real people.
I was hoping there was an AJAX terminal window so I could just type in my browser. I guess that's why I haven't seen it.
I am running both IPS and IDS. IPS is picking up 1-2 IPs per day and blacklisting them. I have added exemptions for me because before I did that it would blacklist me from my server externally doing a lot of FTP transfers and web development! This is why I don't understand why it is not picking up these attacks. It seems much more malicious than me doing an FTP transfer.
One thing I don't understand about ClearOS is how the heck do I get a terminal. I only use the web interface and unlike even the famous DD-WRT, I have yet to find the magic "make me a terminal" window.
At any given time, it is a good chunk of subnets. But those do change. I am thinking of just doing a Russia/China country block but I have legitimate users in those countries that I don't want to cut off.
The ClearOS box has Dual Xeons and 12GB of RAM with RAID0 drives. I am all for upping the CPU load in favour of checking. Downloading black-lists daily/hourly would be fine.
Are you running IPS/IDS (snort/snortsam)? If so, do you have the scan rules enabled? Enable them if you don't. These will add firewall blocks if necessary.
If no scanning is picked up, you could try downloading the latest Emerging Threats scan rules to /etc/snort but back up the original file first. These will only detect the scanning. If you edit the scan.rules file and for any rule with $EXTERNAL_NET to the left of "->" replace every occurrence of
with "; fwsam: src, 1 day"
and any rule with $HOME_NET to the left of the "->" use "; fwsam: dst, 1 day",
then restart snort, these rules will activate 1 day blocks. Ignore rules beginning with a #. Offhand I can't remember the triggering threshold.
Note snort only adds firewall blocks. If they are from the same subnet or from a few subnets you could just consider adding INPUT firewall blocks manually to the whole subnet(s).
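The edit described in the answer above, done by a script rather than by hand, as an added example (not the poster's code, not ClearOS's and not from Emerging Threats): every active rule whose left-hand side (before "->") names $EXTERNAL_NET gets "fwsam: src, 1 day;" added to its options, every active rule whose left-hand side names $HOME_NET gets "fwsam: dst, 1 day;", lines beginning with "#" are ignored, and the original file is copied to a .bak first. The script places the option at the end of the rule's option list, just before the closing parenthesis; that placement, the one-rule-per-line file layout and the sample rules are assumptions made for the example. It is also idempotent, so re-running it after a rules update does not double up the option.

```python
"""Add snortsam 'fwsam' blocking options to a Snort scan rules file.

Added example; not code from the forum answer, ClearOS or Emerging
Threats.  Assumes one rule per line (no backslash continuations) and
puts the fwsam option at the end of the option block, before ")".
The sample rules and sids below are constructed for illustration.
"""
import shutil
import sys

FWSAM_SRC = "fwsam: src, 1 day;"   # remote side is the source: block it
FWSAM_DST = "fwsam: dst, 1 day;"   # remote side is the destination: block it


def add_fwsam(rule: str) -> str:
    """Return the rule with the matching fwsam option, or unchanged."""
    stripped = rule.strip()
    if not stripped or stripped.startswith("#"):
        return rule                         # comment or disabled rule: ignore
    if "fwsam:" in stripped:
        return rule                         # already converted: stay idempotent
    head, paren, options = stripped.partition("(")
    if not paren or not stripped.endswith(")"):
        return rule                         # not a rule with an option block
    if "->" not in head:
        return rule                         # bidirectional "<>" header: leave alone
    left_side = head.split("->", 1)[0]
    if "$EXTERNAL_NET" in left_side:
        option = FWSAM_SRC
    elif "$HOME_NET" in left_side:
        option = FWSAM_DST
    else:
        return rule                         # neither macro on the left: leave alone
    body = options[:-1].rstrip()            # option list without the closing ")"
    if not body.endswith(";"):
        body += ";"
    return f"{head}({body} {option})"


def rewrite_rules(text: str) -> str:
    """Apply add_fwsam to every line of a rules file."""
    return "\n".join(add_fwsam(line) for line in text.splitlines()) + "\n"


def rewrite_file(path: str) -> None:
    """Back the file up to path + '.bak', then rewrite it in place."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rewrite_rules(original))


# Constructed sample rules in the Snort rule layout (sids in the local range).
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED disabled rule"; sid:1000000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED inbound scan"; flags:S; threshold: type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED outbound scan"; flags:S; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"CONSTRUCTED rule without net macros"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    # Usage: python add_fwsam.py /etc/snort/scan.rules (path from the answer above)
    rewrite_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/snort/scan.rules")
```

After the rewrite, restart snort as the answer says; the blocks it installs are only as good as the rules' own thresholds, so the `threshold:` values in the downloaded rules are worth reading before letting them drive 1 day firewall blocks, and the exemption list from earlier in the thread still applies on the snortsam side.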