On Mon, Aug 29, 2011 at 2:25 PM, Always Learning <centos at u61.u22.net> wrote:
>
>> For light use you could drop in VMware server or player or virtualbox
>> without much effect on the current system. It shouldn't be necessary,
>> though, unless you'd like to install otherwise conflicting rpm
>> packages or give root access to someone on the virtual server only.
>
> I've used Virtual Box successfully for Windoze 98 to run Ami Pro 3.1.
>
>> So why can't you do that for your new virtualhost instead of running
>> on a different IP?
>
> A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web
> site. It started about 5 August but significantly escalated on 22
> August.

Ummm, 30,000 isn't a particularly big number of hits to an apache server,
especially if all it has to do is respond with a 'file not found'. But
you are probably wise to be defensive.

> My Apache routine can add the IPs to iptables and block them. Since 22
> August the lunatic has used over 100 different IPs from around the world
> to send those wrong URLs which always seem to include one of these:-
>
> forgotten_password.php
>
> login.php
>
> contact.php

That probably means the intrusion is self-propagating. That is, if the
target is running some vulnerable php version or application, it is able
to install a copy of itself and start over.

> Assigning a spare IP address to this small web site should make it
> easier for me to experiment with IP tables and examine TCP packets
> without disturbing the server's normal workings. For example no valid
> HTTP request sent to that IP address should contain 'pas' or 'log' or
> 'con' so if I detect these the packets can be dropped - that is the
> theory. With dropped packets I lose the ability to easily record IP
> address and host name. However my web page has over 100 entries of
> machines compromised in the current abuse, so losing new details is
> worth the satisfaction of blocking the loony.

As long as you aren't vulnerable yourself, I don't see the point of
wasting human hours to save machine microseconds. And this is a tiny bit
of the viruses and automated intrusion attempts happening in the wild, so
unless you can generalize it into a fail2ban type of process your time
would be better spent making sure your systems are up to date and
inherently secure.

>> If you are just firewalling there, apache can permit/deny ip ranges on
>> its own for a location or virtualhost.
>
> It is amazing so many machines can be broken into or misused by one
> deranged lunatic. I wonder if those machines run on Windoze.

If that is the first instance you've seen, you must have a low-profile
site. And no, web applications have their own bugs and vulnerabilities on
Linux too. And if you aren't fairly close to up-to-date on the base
distribution, those exploits can get root access. The last one I bothered
tracking down used a java/spring vulnerability to run something to
trigger a local root exploit in glibc (that I think was fixed in the 5.4
or 5.5 update), but there are probably newer ones - and more we don't
know about.

--
Les Mikesell
lesmikesell at gmail.com
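Editor's added example (not code from either poster, and not fail2ban itself): a minimal log-driven banning loop of the "fail2ban type" Les suggests, generalizing the original poster's per-request Apache routine. It reads Apache combined-format access log lines, counts 404s whose path contains one of the three script names quoted above per client IP, applies fail2ban-style maxretry/findtime thresholds, and renders iptables DROP rules rather than running them. The log lines, the RFC 5737 documentation IPs in them, and the threshold defaults are all constructed for the example; the script names are the ones from the thread. Because it works from the access log, the IP and request are recorded before the ban, which the packet-dropping approach discussed above gives up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache "combined" format. The addresses
# are RFC 5737 documentation ranges, not hosts mentioned in the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Aug/2011:10:00:01 +0100] "GET /forgotten_password.php HTTP/1.1" 404 292 "-" "Mozilla/4.0"
203.0.113.10 - - [22/Aug/2011:10:00:02 +0100] "GET /login.php HTTP/1.1" 404 283 "-" "Mozilla/4.0"
203.0.113.10 - - [22/Aug/2011:10:00:03 +0100] "GET /contact.php HTTP/1.1" 404 285 "-" "Mozilla/4.0"
198.51.100.7 - - [22/Aug/2011:10:05:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2011:10:05:01 +0100] "GET /login.php HTTP/1.1" 404 283 "-" "Mozilla/5.0"
192.0.2.55 - - [22/Aug/2011:10:10:00 +0100] "GET /admin/login.php HTTP/1.1" 404 289 "-" "curl/7.19"
192.0.2.55 - - [22/Aug/2011:11:30:00 +0100] "GET /admin/login.php HTTP/1.1" 404 289 "-" "curl/7.19"
192.0.2.55 - - [22/Aug/2011:11:30:05 +0100] "GET /login.php HTTP/1.1" 404 283 "-" "curl/7.19"
"""

# The three script names the original poster sees in every bogus request.
PROBE_NAMES = ("forgotten_password.php", "login.php", "contact.php")

# Combined log format: ip ident user [timestamp] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip, timestamp, path and status for one line, or None if it
    is not a combined-format access log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def is_probe(rec):
    """A 'file not found' for a path that names one of the probe scripts.
    Substring match, since the poster reports these names appearing
    anywhere in the bogus URLs (e.g. /admin/login.php)."""
    return rec["status"] == 404 and any(n in rec["path"] for n in PROBE_NAMES)


def probe_hits(lines):
    """Map each client IP to the sorted timestamps of its probe requests."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec):
            hits[rec["ip"]].append(rec["ts"])
    return {ip: sorted(ts) for ip, ts in hits.items()}


def exceeds_threshold(times, maxretry, findtime):
    """fail2ban-style rule: ban if any maxretry consecutive hits fall
    within a findtime-second window. Slow, spread-out probes do not trip it."""
    window = timedelta(seconds=findtime)
    for i in range(len(times) - maxretry + 1):
        if times[i + maxretry - 1] - times[i] <= window:
            return True
    return False


def offenders(lines, maxretry=3, findtime=600):
    """Sorted list of IPs whose probe traffic exceeds the threshold.
    The defaults (3 hits in 10 minutes) are assumptions for the example."""
    return sorted(ip for ip, ts in probe_hits(lines).items()
                  if exceeds_threshold(ts, maxretry, findtime))


def iptables_rules(ips):
    """Render one DROP rule per offender. Rules are returned as text so the
    operator can review them (or pipe them to sh) rather than run blindly."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

With the default threshold only 203.0.113.10 (three probes in three seconds) is banned; 192.0.2.55 also sent three probes, but the first is eighty minutes before the other two, so it is only caught if maxretry is lowered to 2. That is the trade-off to tune: a low maxretry catches slow scanners but also bans a visitor who mistypes a URL twice. Where the blocking is only needed for one site, the same offender list can instead feed Apache's own per-Location or per-VirtualHost IP deny rules, as Les mentions, without touching the host firewall.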