
A home server and brute force scan

  • 29-05-2014 7:52pm
    #1
    Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭


    IP 87.106.21.239 was making a brute force scan (~2400 requests) of that kind:
    87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.bz2 HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.gz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.lzma HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.xz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.tbz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.tbz2 HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.tgz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.txz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.xz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.zip HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /authorized_keys HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /authorized_keys2 HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /_backup.7z HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /backup.7z HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /_backup.bkp HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /backup.bkp HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:34 +0100] "HEAD /_backup.bz2 HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:34 +0100] "HEAD /backup.bz2 HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:34 +0100] "HEAD /_backup.dump HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:34 +0100] "HEAD /backup.dump HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:34 +0100] "HEAD /_backup.gz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:34 +0100] "HEAD /backup.gz HTTP/1.1" 404 163 "-" "Opera"
    87.106.21.239 - - [29/May/2014:13:42:34 +0100] "HEAD /_backup.lzma HTTP/1.1" 404 163 "-" "Opera"
    
    Should I ban that IP for a month or just ignore it? I have fail2ban installed, but those are normal HTTP requests. I'm not afraid of a breach, but the server is based on a Raspberry Pi, so it cannot handle too much.


Comments

  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    Report it to the ISP because it may be a box that has been taken over and the owner of the box may be unaware

    Send the relevant bit of the logs etc.
    abuse@oneandone.net


    87.106.0.0/16 1&1 Internet AG


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭PrzemoF


    Done!

    gctest50, thank you!


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    Off topic, but there's a sale on with them at the moment - 99p / month

    http://www.1and1.co.uk


  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    You can configure fail2ban to respond to a high rate of 404s; that's a pattern that points firmly to a brute force attack.


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭PrzemoF


    If I read it right it's just a matter of switching on a filter that is already part of the standard configuration. It's "apache-noscript" in /etc/fail2ban/jail.conf.
    failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
                ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
    

    and that's what I had in the Apache error log during the attack:
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.$$$
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.1
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.2
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.bak
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.bkp
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.bup
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.inc
    [Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.lib
    [Thu May 29 13:43:17 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.new
    [Thu May 29 13:43:17 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.old
    [Thu May 29 13:43:17 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.temp
    
    so it should catch it nicely. :D

    Thanks for help!

    P.S. Default number of hits for that filter is 2 - it seems to be way too low, so I set it to 10
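As an added example (not code from the thread or from fail2ban), here is the detection logic from the two posts above written out in Python: the per-client 404-rate check oscarBravo describes, using fail2ban's maxretry/findtime semantics, and the apache-noscript failregex quoted above run over the error-log lines that were posted. The expansion of `%(_apache_error_client)s` is an assumption modelled on the Apache 2.2 "[date] [error] [client IP]" prefix seen in those lines, and the 192.0.2.10 visitor lines and the final error-log line are constructed. Running it shows two things worth checking before relying on the jail: with maxretry=2, a normal visitor whose browser asks twice for a missing favicon gets flagged alongside the scanner, while maxretry=10 flags only the scanner; and because the quoted regex anchors on `(\.php|\.asp|\.exe|\.pl)\s*$`, it matches a request for `curl.php` but none of the `curl.php.bak`-style variants in the posted error lines, so a 404-rate jail on the access log is the more reliable trigger for this particular scan.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# --- 1. 404-rate detection over the access log (fail2ban's maxretry/findtime) ---

# Common/Combined log format: host ident user [time] "request" status size ...
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 29/May/2014:13:42:32 +0100


def parse_access_line(line):
    """Return (host, timestamp, status) for one access-log line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("time"), TIME_FMT), int(m.group("status"))


def find_404_floods(lines, maxretry=10, findtime=600):
    """Map host -> time it first produced `maxretry` 404s within `findtime` seconds.

    Per host, keep a window of recent 404 timestamps, drop entries older than
    findtime, and flag the host once the window holds maxretry entries.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        host, ts, status = parsed
        if status != 404 or host in flagged:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged[host] = ts
    return flagged


# --- 2. The apache-noscript failregex quoted above, run against error-log lines ---

# Assumed expansion of fail2ban's %(_apache_error_client)s / <HOST> for the
# Apache 2.2-style "[date] [error] [client IP]" prefix in the posted lines.
_APACHE_ERROR_CLIENT = r"\[[^\]]+\] \[error\] \[client (?P<host>[\w\-.:]+)\]"
NOSCRIPT_FAILREGEX = [
    re.compile(r"^" + _APACHE_ERROR_CLIENT
               + r" (File does not exist|script not found or unable to stat): "
               + r"/\S*(\.php|\.asp|\.exe|\.pl)\s*$"),
    re.compile(r"^" + _APACHE_ERROR_CLIENT
               + r" script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$"),
]


def noscript_matches(error_lines):
    """Return [(host, line)] for every error-log line the filter would count."""
    hits = []
    for line in error_lines:
        for rx in NOSCRIPT_FAILREGEX:
            m = rx.match(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


# Sample input. The 87.106.21.239 lines are copied from the thread; the
# 192.0.2.10 lines (RFC 5737 documentation address) and the last error-log
# line are constructed to stand in for a normal visitor and a bare .php probe.
ACCESS_LOG = """\
87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.bz2 HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.gz HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.lzma HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:32 +0100] "HEAD /archive.tar.xz HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.tbz HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.tbz2 HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.tgz HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.txz HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.xz HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /archive.zip HTTP/1.1" 404 163 "-" "Opera"
87.106.21.239 - - [29/May/2014:13:42:33 +0100] "HEAD /authorized_keys HTTP/1.1" 404 163 "-" "Opera"
192.0.2.10 - - [29/May/2014:13:45:01 +0100] "GET / HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.10 - - [29/May/2014:13:45:01 +0100] "GET /favicon.ico HTTP/1.1" 404 163 "-" "Mozilla/5.0"
192.0.2.10 - - [29/May/2014:13:47:30 +0100] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.10 - - [29/May/2014:13:47:30 +0100] "GET /favicon.ico HTTP/1.1" 404 163 "-" "Mozilla/5.0"
"""

ERROR_LOG = """\
[Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.$$$
[Thu May 29 13:43:16 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.bak
[Thu May 29 13:43:17 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php.old
[Thu May 29 13:43:17 2014] [error] [client 87.106.21.239] File does not exist: /var/www/curl.php
"""

if __name__ == "__main__":
    for maxretry in (10, 2):
        banned = sorted(find_404_floods(ACCESS_LOG.splitlines(), maxretry=maxretry))
        print("maxretry=%d -> would ban %s" % (maxretry, banned))
    for host, line in noscript_matches(ERROR_LOG.splitlines()):
        print("apache-noscript would count [%s]: %s" % (host, line))
```

To tune the thresholds against real traffic, feed the whole access log through `find_404_floods` with the findtime/maxretry you intend to put in jail.conf and see which hosts come out; if anything other than the scanner appears, the threshold is too low for that site. The same run over the error log tells you whether the filter you are enabling actually matches the lines the scan produced rather than just lines that look similar.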


  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    PrzemoF wrote: »
    P.S. Default number of hits for that filter is 2 - it seems to be way too low, so I set it to 10

    It's a function of how carefully you manage your website. For example, browsers will always send a request for a favicon if you haven't explicitly linked one in the page, and if there isn't a favicon there then that request will 404. If you're confident that 404s won't be a routine part of normal use of your site, you can set it quite low; otherwise you might want to leave some wiggle room.


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭PrzemoF


    oscarBravo wrote: »
    It's a function of how carefully you manage your website. For example, browsers will always send a request for a favicon if you haven't explicitly linked one in the page, and if there isn't a favicon there then that request will 404. If you're confident that 404s won't be a routine part of normal use of your site, you can set it quite low; otherwise you might want to leave some wiggle room.

    I'm sure 404s will be part of normal usage - it's my development server, so 404 is part of the game.

