On Mon, Aug 29, 2011 at 2:25 PM, Always Learning centos@u61.u22.net wrote:
For light use you could drop in VMware server or player or virtualbox without much effect on the current system. It shouldn't be necessary, though, unless you'd like to install otherwise conflicting rpm packages or give root access to someone on the virtual server only.
I've used Virtual Box successfully for Windoze 98 to run Ami Pro 3.1.
So why can't you do that for your new virtualhost instead of running on a different IP?
A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web site. It started about 5 August but significantly escalated on 22 August.
Ummm, 30,000 isn't a particularly big number of hits to an apache server, especially if all it has to do is respond with a 'file not found'. But you are probably wise to be defensive.
My Apache routine can add the IPs to iptables and block them. Since 22 August the lunatic has used over 100 different IPs from around the world to send those wrong URLs which always seem to include one of these:-
forgotten_password.php
login.php
contact.php
That probably means the intrusion is self-propagating. That is, if the target is running some vulnerable php version or application, it is able to install a copy of itself and start over.
Assigning a spare IP address to this small web site should make it easier for me to experiment with iptables and examine TCP packets without disturbing the server's normal workings. For example, no valid HTTP request sent to that IP address should contain 'pas' or 'log' or 'con', so if I detect these the packets can be dropped - that is the theory. With dropped packets I lose the ability to easily record IP address and host name. However, my web page has over 100 entries of machines compromised in the current abuse, so losing new details is worth the satisfaction of blocking the loony.
As long as you aren't vulnerable yourself, I don't see the point of wasting human hours to save machine microseconds. And this is a tiny bit of the viruses and automated intrusion attempts happening in the wild so unless you can generalize it into a fail2ban type of process your time would be better spent making sure your systems are up to date and inherently secure.
If you are just firewalling there, apache can permit/deny ip ranges on its own for a location or virtualhost.
It is amazing that so many machines can be broken into or misused by one deranged lunatic. I wonder if those machines run on Windoze.
If that is the first instance you've seen, you must have a low-profile site. And no, web applications have their own bugs and vulnerabilities on Linux too. And if you aren't fairly close to up to date on the base distribution, those exploits can get root access. The last one I bothered tracking down used a java/spring vulnerability to run something to trigger a local root exploit in glibc (that I think was fixed in the 5.4 or 5.5 update), but there are probably newer ones - and more we don't know about.
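The thread contrasts two approaches: dropping packets that contain the substrings 'pas', 'log' or 'con' (which loses the IP/hostname record and, as the reply notes, is hard to generalise), and a fail2ban-style process that reads the Apache access log, counts probes per client, and only then adds a firewall rule. The following added example, which is not code from anyone in the thread, implements the second approach over constructed Apache combined-log lines. It matches the three probed script names the poster lists (forgotten_password.php, login.php, contact.php) as exact basenames on 404 responses, keeps a per-IP record of what was seen before any block is emitted, and also shows why the substring filter would catch legitimate paths such as /blog/ or /contact-us.html. The threshold, the sample addresses and the log format are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache "combined" access-log lines for the example (not real traffic).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2011:10:01:02 +0000] "GET /forgotten_password.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Aug/2011:10:01:03 +0000] "GET /login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Aug/2011:10:01:04 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [22/Aug/2011:10:02:10 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Aug/2011:10:02:11 +0000] "GET /contact-us.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Aug/2011:10:03:00 +0000] "GET /contact.php HTTP/1.1" 404 209 "-" "curl/7.19"
"""

# The three script names the thread reports as appearing in the bogus URLs.
PROBE_BASENAMES = {"forgotten_password.php", "login.php", "contact.php"}

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(log_text):
    """Yield (ip, timestamp, path, status) for every well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["ts"], m["path"], int(m["status"])


def is_probe(path, status):
    """True when the request asked for one of the probed scripts and got a 404.

    Matching the exact basename (query string and directory stripped) avoids
    the false positives a raw substring test produces.
    """
    basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return status == 404 and basename in PROBE_BASENAMES


def substring_filter_matches(path):
    """The thread's proposed packet-level test: does the path contain 'pas', 'log' or 'con'?

    Included only to show how broad it is; see the test cases for /blog/ and /contact-us.html.
    """
    return any(s in path for s in ("pas", "log", "con"))


def probe_record(log_text):
    """Per-IP list of (timestamp, path) probes, kept so the evidence survives the block."""
    record = defaultdict(list)
    for ip, ts, path, status in parse_log(log_text):
        if is_probe(path, status):
            record[ip].append((ts, path))
    return dict(record)


def find_offenders(log_text, threshold=3):
    """Return the sorted list of IPs with at least `threshold` probe hits (assumed threshold)."""
    counts = Counter()
    for ip, _ts, path, status in parse_log(log_text):
        if is_probe(path, status):
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips):
    """iptables commands that drop HTTP traffic from each offending address (returned, not run)."""
    return ["iptables -I INPUT -s %s -p tcp --dport 80 -j DROP" % ip for ip in ips]


def apache_deny_block(ips):
    """Equivalent Apache 2.2-style access control for a whole virtual host, as the reply suggests."""
    lines = ["<Location />", "    Order allow,deny", "    Allow from all"]
    lines += ["    Deny from %s" % ip for ip in ips]
    lines.append("</Location>")
    return "\n".join(lines)


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip in offenders:
        print(ip, probe_record(SAMPLE_LOG)[ip])
    print("\n".join(iptables_rules(offenders)))
    print(apache_deny_block(offenders))
```

Run on a real access log by replacing SAMPLE_LOG with the file contents; the returned rule strings can be handed to the poster's existing "Apache routine" or to a cron job, and the probe_record output is the IP-and-path evidence that would otherwise be lost once the packets are dropped at the firewall.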