[SOLVED] error log from apache with strangers....

Forum for questions and support relating to the 1.28.x releases only.
sime
Posts: 26
Joined: Thu Jan 01, 2015 8:45 pm


Post by sime »

I am worried about security on my security :)

I found unknown IP addresses in the error.log of apache:

Code: Select all

[Sun Feb 08 08:51:20 2015] [error] [client 203.176.168.157] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Sun Feb 08 11:34:52 2015] [error] [client 151.66.78.242] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Sun Feb 08 20:29:09 2015] [error] [client 70.231.130.31] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Sun Feb 08 22:23:54 2015] [error] [client 82.192.234.203] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Mon Feb 09 00:01:42 2015] [error] [client 81.149.60.161] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Mon Feb 09 07:57:45 2015] [error] [client 162.83.219.228] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Mon Feb 09 09:25:03 2015] [error] [client 2.244.7.123] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Mon Feb 09 10:37:01 2015] [error] [client 84.155.75.106] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Mon Feb 09 21:02:37 2015] [error] [client 194.123.159.14] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Mon Feb 09 21:36:42 2015] [error] [client 182.171.234.167] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Mon Feb 09 22:52:37 2015] [error] [client 95.154.19.43] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 01:59:31 2015] [error] [client 78.141.76.134] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 02:55:30 2015] [error] [client 2.228.251.228] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 03:17:07 2015] [error] [client 220.144.150.82] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 05:18:03 2015] [error] [client 113.159.136.250] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 12:14:16 2015] [error] [client 160.79.129.68] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 13:13:22 2015] [error] [client 149.135.117.104] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 16:25:08 2015] [error] [client 203.214.11.54] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 19:41:24 2015] [error] [client 31.154.253.110] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 21:58:28 2015] [error] [client 64.121.244.249] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 22:20:52 2015] [error] [client 103.226.93.58] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Tue Feb 10 23:31:56 2015] [error] [client 87.25.80.101] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Wed Feb 11 02:22:50 2015] [error] [client 178.19.156.141] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Wed Feb 11 06:49:37 2015] [error] [client 61.238.246.170] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Wed Feb 11 11:09:08 2015] [error] [client 162.157.152.179] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Wed Feb 11 16:27:18 2015] [error] [client 82.13.77.109] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Wed Feb 11 21:07:14 2015] [error] [client 222.118.196.12] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Wed Feb 11 21:07:43 2015] [error] [client 91.12.129.213] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Wed Feb 11 23:03:36 2015] [error] [client 200.85.36.190] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Thu Feb 12 01:14:50 2015] [error] [client 2.229.25.217] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Thu Feb 12 01:17:35 2015] [error] [client 117.55.242.5] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Thu Feb 12 02:41:50 2015] [error] [client 212.147.49.40] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Thu Feb 12 06:19:10 2015] [error] [client 78.194.58.174] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Thu Feb 12 06:22:37 2015] [error] [client 76.105.185.153] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi
[Thu Feb 12 07:06:57 2015] [error] [client 110.143.86.95] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi

Are they trying to enter my system?

I already switched SSL on on apache... what else can I do to make the security system more secure?

Simon
Last edited by sime on Tue Mar 24, 2015 1:36 pm, edited 1 time in total.
knight-of-ni
Posts: 2406
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Re: error log from apache with strangers....

Post by knight-of-ni »

Likely a bot looking for vulnerabilities on your webserver.
Happens all the time. Hardly a day goes by when I don't see something funny going on in my apache logs.
Make sure you are keeping your server up to date on software updates.

It is kind of amazing how quickly this can happen. I can open up port 22 on my home firewall, which has a dynamic ip address, and in mere minutes I'll see a foreign ip address trying to brute force its way into my server via the root account. Naturally, I've got root access disabled, but the speed at which this starts happening is amazing.

The best approach to combat this is to have multiple levels of security. Hardware firewall, software firewall, Intrusion Detection System (a.k.a. snort), and other tools.

The one tool that applies most directly to the issue you've posted is called "fail2ban". It will take a bit of reading to learn how to configure it. You can create rules that will block ip addresses based on their http request.

For example, I've got a rule configured to block any ip that sends any request with certain keywords in it such as: login, auth, admin, w00t, webdav, etc. I basically watch my apache logs for 404 errors. If the requested url is suspicious, I'll add a keyword from that url to the list so the next time that happens, I bring the hammer down.

It gets better. If that rule is tripped, fail2ban adds a block into your iptables for 1 hour. If, after 1 hour, that IP ever comes back and trips an alert again, it is put into a repeat offender list and blocked for a month.

fail2ban is really cool.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
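
The keyword rule and the two-tier ban described in the post above, replayed over log lines in the format quoted in this thread. This is an added sketch, not part of the thread and not fail2ban's code or configuration; the function names, the sample lines and the 30-day reading of "a month" are assumptions.

```python
import re
from datetime import datetime, timedelta

# Keywords listed in the post above; matched case-insensitively as substrings.
KEYWORDS = ("login", "auth", "admin", "w00t", "webdav")
FIRST_BAN = timedelta(hours=1)    # first offence: 1 hour
REPEAT_BAN = timedelta(days=30)   # repeat offender: "a month" (assumed 30 days)

# Apache 2.2-style error.log line, same layout as the log quoted in this thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"(?:script not found or unable to stat|File does not exist): (?P<path>\S+)"
)

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE_LOG = [
    "[Sun Feb 08 08:51:20 2015] [error] [client 192.0.2.10] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi",
    "[Sun Feb 08 08:55:00 2015] [error] [client 192.0.2.10] File does not exist: /var/www/phpMyAdmin",
    "[Sun Feb 08 09:00:00 2015] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Sun Feb 08 11:34:52 2015] [error] [client 192.0.2.10] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi",
]

def parse(line):
    """Return (timestamp, ip, path) for a not-found error line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"], m["path"]

def is_suspicious(path):
    """True if the requested path contains any watched keyword."""
    return any(k in path.lower() for k in KEYWORDS)

def replay(lines):
    """Replay log lines and return the ban decisions as (ip, start, end)."""
    banned_until = {}   # ip -> end of its most recent ban
    decisions = []
    for line in lines:
        hit = parse(line)
        if hit is None or not is_suspicious(hit[2]):
            continue
        ts, ip, _ = hit
        prev = banned_until.get(ip)
        if prev is not None and ts < prev:
            continue  # ban still active; the firewall would have dropped this
        length = REPEAT_BAN if prev is not None else FIRST_BAN
        banned_until[ip] = ts + length
        decisions.append((ip, ts, ts + length))
    return decisions
```

Substring keywords such as "auth" also match legitimate paths like an "authors" page, so a list like this needs checking against the URLs the site really serves before it is allowed to ban anyone.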
sime
Posts: 26
Joined: Thu Jan 01, 2015 8:45 pm

Re: error log from apache with strangers....

Post by sime »

thank you very much!


very funny though that the first ip address on top runs a QNAP in shanghai with default login pass
:twisted:

I'll kindly change credential for him/her :lol:

I'll give a try to fail2ban
sime
Posts: 26
Joined: Thu Jan 01, 2015 8:45 pm

Re: error log from apache with strangers....

Post by sime »

correction, most of the listed IPs seem to have a QNAP on 8080... some with default pass, some with password changed...

I guess they're all rooted....
Nerre
Posts: 100
Joined: Thu Sep 25, 2014 10:22 am

Re: error log from apache with strangers....

Post by Nerre »

sime wrote:

Code: Select all

[Sun Feb 08 08:51:20 2015] [error] [client 203.176.168.157] script not found or unable to stat: /usr/share/zoneminder/cgi-binauthLogin.cgi

To me it looks like a path missing a trailing slash.

On my system /usr/share/zoneminder/cgi-bin is a directory so I would guess that the correct path should be /usr/share/zoneminder/cgi-bin/auth/Login.cgi