From: Timothy Murphy gayleard@eircom.net
Every few days I see in the logwatch on my Centos-5.5 web-server what seems like a rather feeble break-in attempt. E.g. today I see
I get proxy scans and phpmyadmin (and others) vulnerability scans every day... They just get 404s in return... You can check the IPs in the apache error_log.

In the beginning I was reporting them to their ISPs but, with the high number of daily scans, I just gave up... Either they are part of a botnet (so clueless users' infected PCs), or they are abroad (Asia) and the ISP will mostly just ignore your email...

Maybe just make sure you set apache ServerSignature to Off...

One annoying "bug" about logwatch is that it does not cope with the lack of year in yum.log dates, so it will happily report package installs from past years as if they had just happened...
JD
John Doe wrote:
Every few days I see in the logwatch on my Centos-5.5 web-server what seems like a rather feeble break-in attempt.
Maybe just make sure you set apache ServerSignature to Off...
Thanks for the suggestion.
I looked at my /etc/httpd/conf/httpd.conf and I saw that ServerSignature was indeed set to On. This must have been the default, as I certainly would not have changed it, since I found the explanation of its purpose completely incomprehensible:
------------------------------------
# Optionally add a line containing the server version and virtual host
# name to server-generated pages
------------------------------------
I have changed it to Off, and restarted the httpd service.
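The error_log check suggested in the first reply, as an added example that is not part of the original thread: it tallies Apache 2.2 "File does not exist" entries per client and lists the clients that asked for several different missing paths. The log lines, IP addresses and `/var/www/html` paths are constructed samples, and `summarize_not_found` and `min_paths` are names chosen here.

```python
import re
from collections import defaultdict

# Apache 2.2 error_log entry written when a requested path is missing (a 404).
NOT_FOUND = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.+?)(?:, referer: .*)?$"
)

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = """\
[Sun Oct 10 04:12:31 2010] [error] [client 203.0.113.7] File does not exist: /var/www/html/phpmyadmin
[Sun Oct 10 04:12:32 2010] [error] [client 203.0.113.7] File does not exist: /var/www/html/pma
[Sun Oct 10 04:12:33 2010] [error] [client 203.0.113.7] File does not exist: /var/www/html/mysqladmin
[Sun Oct 10 09:40:02 2010] [error] [client 198.51.100.23] File does not exist: /var/www/html/favicon.ico, referer: http://www.example.org/
[Sun Oct 10 11:05:17 2010] [notice] caught SIGTERM, shutting down
[Sun Oct 10 13:22:48 2010] [error] [client 192.0.2.55] File does not exist: /var/www/html/admin
[Sun Oct 10 13:22:49 2010] [error] [client 192.0.2.55] File does not exist: /var/www/html/admin
"""


def summarize_not_found(lines, min_paths=2):
    """Return {ip: sorted distinct missing paths} for clients that asked for
    at least min_paths different non-existent paths (a scan-like pattern)."""
    paths_by_ip = defaultdict(set)
    for line in lines:
        m = NOT_FOUND.match(line.strip())
        if m:  # other entries (notices, other errors) are skipped
            paths_by_ip[m.group("ip")].add(m.group("path"))
    return {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= min_paths}


if __name__ == "__main__":
    import sys
    # Pass the path of a real error_log, or run on the constructed sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, paths in sorted(summarize_not_found(source).items()):
        print(f"{ip}: {len(paths)} distinct missing paths")
        for p in paths:
            print(f"    {p}")
```

Counting distinct paths rather than raw hits keeps a single broken link or missing favicon from being listed next to a client walking a list of admin-panel names.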