
Re: [cobalt-security] .htpasswd hacking



Henk wrote:

> Someone is trying to guess one of my .htaccess sites. He uses some
> robot, I guess. I see him trying 50 times per second in my access
> logfile and error logfiles.
> He keeps feeding up the pressure until my RaQ3 goes down.
> Anyone any idea what can be done to prevent this kind of attack?

This is a difficult one to call in some respects. Whatever you do you
need to prevent the requests reaching your machine in the first place,
since they're causing high load on not only the machine but probably
also the network it's plugged into.

You can't use (as has been suggested) a simple firewall (and note that
Firewall-1 is a *commercial* product - it can be downloaded for
evaluation but not for use in a commercial environment) since that would
negate the object of you running a web server. It would also mean that
you'd have to have another box in front of your server which is probably
not possible; and you'd have to configure it to do predictive blocking
which is difficult. From the question you asked I think this might be
outside your experience, somehow...

/etc/hosts.deny only works for services which run from inetd so is also
not applicable in this case.

Make sure you have 'deny from aaa.bbb.ccc.ddd' in your .htaccess file;
where aaa.bbb.ccc.ddd is the IP address of the source of the attack.
That way you will deny them access but they will however still be
contacting your machine.

The next step is to contact (a) your network administrator and get them
to drop traffic from that source. Failing that, deal with your upstream
provider. In any case, contact the owner of the box - acquaint yourself
with using 'whois' at ARIN, RIPE or APNIC:

http://www.arin.net/whois/index.html
http://www.ripe.net/cgi-bin/whois
http://www.apnic.net/apnic-bin/whois.pl

stick in the IP of the attacker and see who 'owns' the network they're
using. Get in touch with that contact and make them aware of the
problem.

Hope that helps.

Regards,

Graeme Fowler
Systems Administrator
WebFusion Internet Solutions Ltd.
graeme.f@xxxxxxxxxxxxxxx
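
An added example, not part of the original message: one way to find the source address for the 'deny from' line is to count 401 responses per client per second in the Apache access log. The log lines, addresses, date and the threshold of 10 per second are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def failed_auth_rates(lines):
    """Return {ip: peak number of 401 responses logged in any single second}."""
    per_second = defaultdict(Counter)
    for line in lines:
        m = CLF.match(line)
        if not m or m.group(3) != "401":
            continue  # skip unparsable lines and anything but auth failures
        ip, stamp = m.group(1), m.group(2)
        try:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # malformed timestamp: do not count the line
        per_second[ip][when] += 1
    return {ip: max(counts.values()) for ip, counts in per_second.items()}

def deny_lines(lines, threshold=10):
    """Build .htaccess 'deny from' lines for clients at or above the threshold.

    A browser's first request to a Basic-auth area is normally answered with
    one 401 before it sends credentials, so a low count is not an attack.
    """
    rates = failed_auth_rates(lines)
    return [f"deny from {ip}" for ip in sorted(rates) if rates[ip] >= threshold]

# Constructed sample: one client failing 50 times in one second, one normal
# visitor (a single 401, then a successful login), and one junk line.
SAMPLE_LOG = (
    ['192.0.2.10 - admin [12/Mar/2001:04:15:07 +0000] '
     '"GET /private/ HTTP/1.0" 401 401'] * 50
    + ['198.51.100.7 - - [12/Mar/2001:04:15:07 +0000] '
       '"GET /private/ HTTP/1.0" 401 401',
       '198.51.100.7 - alice [12/Mar/2001:04:15:09 +0000] '
       '"GET /private/ HTTP/1.0" 200 5120',
       'not a log line']
)

if __name__ == "__main__":
    for ip, peak in sorted(failed_auth_rates(SAMPLE_LOG).items()):
        print(f"{ip}: peak {peak} failed logins/second")
    print("\n".join(deny_lines(SAMPLE_LOG)))
```

The same address list is what you would hand to the network administrator or upstream provider when asking them to drop the traffic.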