[AusNOG] Some pointers on dealing with a botnet targeting an application server

Eric Pinkerton Eric.Pinkerton at stratsec.net
Fri Mar 2 09:11:26 EST 2012


Hi Shane,

Welcome to the internet... this is a brute force directory traversal attack, and is common, so trying to block this traffic by IP yourself will just be playing whack-a-mole, even if you automate it. Furthermore this may just be one vector of attack in a lengthy sequence, that may or may not be specifically targeting you - so you could spend hours tweaking fail2ban only to find you get it working just as they start fuzzing SQL injection attacks etc. etc. etc... (You will be effectively trying to reinvent the wheel - it's called IPS.)

Web application firewalls are a simple way to approach this, but they are not cheap and can be evaded; similarly, fancy application layer inspection and IDS functionality on firewalls bring with them additional issues, not least the reduction in throughput that may impair legitimate traffic, so if you want to take this approach, make sure you warn your bank manager first.

As Peter suggests, mod_sec (if it's an Apache server) will help, but there is no substitute for hardening, patching and testing your web servers and applications; also segregate your network properly, so if the server is compromised, it does not give the attacker a strong foothold to further attack your network. Make sure your passwords are |000000ooooooong!, and make sure you don't use the same one across all your devices.

PS I know a few good pen testers if you are not up to the task of hardening and testing these boxes yourself ;-)

Regards



Eric Pinkerton
Principal Consultant
STRATSEC.NET PTY LTD
Level 6, 62 Pitt Street, Sydney NSW 2000
M +61 419 827 312 | AU 1300 027 001 | Intl +61 2 6260 8878 | F +61 2 9251 6393 |E eric.pinkerton at stratsec.net | W www.stratsec.net 
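An added example, not part of Eric's message or of the AusNOG thread, illustrating the detection side of what is being discussed: the kind of "brute force directory traversal" probing he describes shows up in the web server's access log as repeated requests for paths containing `..` sequences, often percent-encoded (sometimes twice) to slip past naive string matching. The script below parses Apache combined-format lines, normalises the request path by bounded repeated percent-decoding, flags traversal sequences, and counts probes per source address so that a threshold can separate a scanning host from a single odd-looking request. The log lines are constructed sample data (RFC 5737 documentation addresses), and the threshold value is an assumption for illustration; this is visibility for an operator, not a replacement for the hardening, patching and segregation the message recommends.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "combined" format.
# Addresses are from the RFC 5737 documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2012:09:01:11 +1100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2012:09:01:12 +1100] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [02/Mar/2012:09:01:12 +1100] "GET /images/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [02/Mar/2012:09:01:13 +1100] "GET /cgi-bin/%252e%252e%252f%252e%252e%252fboot.ini HTTP/1.1" 404 0 "-" "-"
198.51.100.23 - - [02/Mar/2012:09:02:01 +1100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2012:09:02:05 +1100] "GET /docs/../readme.txt HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, method, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment bounded by a separator (or the start/end of the path).
# Matching only whole segments avoids flagging names such as "a..b".
TRAVERSAL_RE = re.compile(r'(^|/|\\)\.\.(/|\\|$)')


def normalise_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly, with a bound, so that %2e%2e%2f and
    double-encoded %252e%252e%252f both collapse to a plain '../'."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_probe(raw_path: str) -> bool:
    """True if the decoded request path contains a '..' segment."""
    return bool(TRAVERSAL_RE.search(normalise_path(raw_path)))


def parse_log(text: str):
    """Yield (ip, method, path, status) for each parseable line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def traversal_counts(text: str) -> Counter:
    """Number of traversal-style requests seen per client IP.
    The status code is deliberately ignored: a 404 is still a probe."""
    counts = Counter()
    for ip, _method, path, _status in parse_log(text):
        if is_traversal_probe(path):
            counts[ip] += 1
    return counts


def flag_sources(text: str, threshold: int = 3) -> dict:
    """Client IPs whose probe count reaches the (assumed) threshold.
    A single '..' request from an otherwise normal client is not flagged."""
    return {ip: n for ip, n in traversal_counts(text).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(traversal_counts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} traversal-style request(s)")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

On the constructed sample this reports three probes from 203.0.113.7 (plain, single-encoded and double-encoded variants all normalise to the same thing) and one from 198.51.100.23, and only the first address crosses the threshold. The bound on decoding rounds matters: decoding until nothing changes is the usual trick, but an unbounded loop on attacker-controlled input is something to avoid in a log-processing path that has to keep up with a flood.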

