Is the malicious botting, how to prevent? - apache

I recently set up a subdomain on my website with the intention to soon clone my website for testing purposes. Subdomain was "beta", so beta.example.com
It was set up and password protected via htaccess and is directed through Cloudflare, it's about three days old and was never announced publicly (only I know of it).
Today I notice this on my Apache Server Stats page:
Also, CPU load was increasing and very, very high. Upon refreshing, this continued and is actually still continuing right now. Is this some sort of botting/brute force attack? I can't imagine how/why else so many IPs would be accessing this unlinked/private subdomain. I've since taken it down from Cloudflare DNS and the IPs are still connecting somehow, I assume it will take time for it to propagate.
Is this malicious? And how can it be prevented? I assume it was/is attempting to brute force the htaccess password? Is it because it's a common subdomain name? ("beta") - would it matter? Again, it's only been about three days so damn they work fast.

It can be search engine robots, It can be script kiddies, It can be brute force, you can have more information in your log file or by analyzing IP address.
I'm not sure to really understand your problem and what you want.
If you website is online, so yes some people/bots/robots will try to access to it, like any other website.
If you don't want than anybody access to your website, you can add an IP restriction.

Related

Domain URL masking

I am currently hosting the contents of a site with ProviderA. I have a domain registered with ProviderB. I want users to access the contents (www.providerA.com/sub/content) by visiting www.providerB.com. A domain forward is easy enough and works as intended, however, unless I embed the site in a frame (which is a big no-no), the actual URL reads www.providerA.com/sub/content despite the user inputting www.providerB.com.
I really need a solution for this. A domain masking without the use of a frame. I'm sure this has been done before. An .htaccess domain rewrite?
Your help would be hugely appreciated! I'm going nuts trying to find a solution.
For Apache
Usual way: setup mod_proxy. The apache on providerB becomes a client to providerA's apache. It gets the content and sends it back to the client.
But looks like you only have .htaccess. So no proxy, you need full configuration access for that.
So you cannot, see: How to set up proxy in .htaccess
If you have PHP on providerB
Setup a proxy written in PHP. All requests to providerB are intercepted by that PHP proxy. It gets the content from providerA and sends it back. So it does the same thing as the Apache module. However, depending on the quality of the implementation, it might fail on some requests, types, sizes, timeouts, ...
Search for "php proxy" on the web, you will see a couple available on GitHub and others. YMMV as to how difficult it is to setup, and the reliability.
No PHP but some other server side language
Obviously that could be done in another language, I checked PHP because that is what I use the most.
The best solution would be to transfer the content to providerB :-)

How to create a friendly url in Tomcat?

I want to modify my application URL from //localhost:8080/monitor/index.html to just monitor , so that on putting monitor on browser, my application should open. Is there a way to achieve this, can someone suggest the configuration changes which will be required for this.
Can I map my short URL to the existing one may be somewhere in web.xml. I am not sure about the approach any suggestions will be great.
Thanks and regards
Deb
You're mixing up several different protocol layers in your question.
If you just enter nothing but "monitor" in the browser URL bar the browser is going to first lookup "monitor" in DNS and finding nothing it will then probably send a query to Google or your configured search engine. In the past browsers have taken other steps, such as appending ".com" and prepending "www." but I don't think modern browsers do that any more.
So far, your server is not even remotely involved.
If you're a large ISP user (TimeWarner, Comcast) and use their DNS it's also possible the ISP will intercept your failed DNS lookup and route the request to a "helpful" search page (i.e. SPAM) of their own.
At this point the request is still nowhere near your server.
I suppose you could mess with the /etc/hosts file on your local system to resolve "monitor" to the proper hostname, but that's an extremely brittle solution that has to be hard coded on each machine you want to have this "shortcut" link (and which breaks when the hostname changes).
You're much better off just setting up a web shortcut in your browser that points to the right place.

Is there any way to (temporarily) block an IP based on the requests it makes?

Background: we're running Drupal 6 on an Apache server. I've scoured the internet but can't seem to find anything on exactly what I'm looking for, maybe someone here has an idea.
As a website with a decent amount of traffic, we tend to get a lot of low-level attack attempts. Any time I look through logs, there's at least a handful of "page not found" errors from script kiddies and bots trying to access pages like wp-login.php or admin.php. Obviously these attacks never get very far, but it's still a sometimes significant load on our server to serve up all the 404s.
These attempts are often quite amateurish. Generally, they all come from one IP address over a period of a few minutes. So I'm wondering if there's some way to implement temporary blocks by IP address for anyone who tries something that's obviously an attack. For example, maybe there's a way to configure .htaccess to say:
If (bot_IP tries to access wp_login.php, admin.php, administer/index.php, phpmyadmin.php and so on)
Deny from bot_IP for next four hours
Has anyone ever tried anything like this? It would be wonderful if we could reduce the amount of time we spend sending 404s to attackers, and it seems to me like a lot of people could find it useful.
Thanks!
If you do this in a Drupal module, you'll spend more resources checking logs and filtering requests than you do sending 404's. If you have root access to the server, http://www.fail2ban.org/wiki/index.php/Main_Page will work very well. It scans the apache error logs, uses regex based rules to match log entries and updates the OS firewall rules to handle the blocking.

Strange domains in mod_pagespeed cache folder

About a year ago I have installed mod_pagespeed on my VPS server, set it up and left it running. Recently I was exploring files on my server, went to pagespeed cache folder and discovered some strange folders.
All folders usually named this way ,2Fwww.mydomain.com or ,2F111.111.111.111 for IP addresses. I was surprised to see some domains that does not belong to me, like:
24x7-allrequestsallowed.com
allrequestsallowed.com
m.odnoklassniki.ru
www.fbi.gov
www.securitylab.ru
It looks like something dodgy is going on, was my server compromised, is there any reasonable explanation?
That does look peculiar. Everything in the cache folder should be files that mod_pagespeed tried to rewrite. There are two ways that I know of that this can happen:
1) You reference some third-party resource (say an image from another domain, or google analytics script) and you have explicitly enabled rewriting of that domain with ModPagespeedDomain www.example.com or ModPagespeedDomain *.
2) If your server accepts HTTP requests with invalid Host headers. Try (for example) wget --header="Host: www.fbi.gov" www.yourdomain.com/foo/bar.html. If your server accepts requests like that it may be providing mod_pagespeed with an incorrect base domain, and then subresources would be fetched from the same domain (so if www.yourdomain.com/foo/bar.html references some.jpeg, and your server accepts invalid host headers, we could fetch www.fbi.gov/foo/some.jpeg as the resource). There was a recent security release that makes sure all of these subrequests are done against localhost (not arbitrary third-party websites). Please see: https://developers.google.com/speed/docs/mod_pagespeed/CVE-2012-4001
You might want to look through these folders and see what specific resources are in there. I think that the biggest concern you should have is that someone might be trying to perform an XSS attack on your users or maybe a DDoS attack against another website (like www.fbi.gov), using your server as one vector. I do not think that these folders are indicative that your server itself is compromised.
If you would like to discuss this more, https://groups.google.com/forum/?fromgroups#!forum/mod-pagespeed-discuss is a good list to join and email.

How to hide distributed servers under a single domain?

I currently host my company's website and blog on separate servers, reached by separate domain names - www.example.com and www.example.net. This is so I can give blog server access to our partners without compromising security on our main server. However, our SEO guy is now demanding that the blog be put on our main server, as www.example.com/blog.
I would like to maintain the current server separation rather than putting both on the same server. Is there any good way to keep them separated, but have them both under a single domain name? A subdomain would also be acceptable (blog.example.com).
My main website server is a Debian box running Apache 2, and I have full root access to it. The blog server is run by Hostgator, and I have limited access.
Edit: Thanks, all. In this particular situation I don't particularly want to transfer the blog again, and I don't have easy access to the DNS records, so i went with mod_proxy and it worked like a charm. I wish I could give you all "preferred answer" status, though, because all of your information was awesome.
A subdomain would be easy: just create an A record in DNS which maps blog.example.com to the IP address of the blog server, and have another A record in DNS which maps www.example.com to the main website server (this latter record probably already exists).
Would the SEO guy be happy with blog.example.com? It's not the same from an SEO perspective, but it might be good enough for him. I work at a company where SEO is at least 1/3 of what we do, and that's our setup: blog.example.com and www.example.com.
You could try to get fancy and proxy requests to /blog to the 2nd server, if you insist on keeping the blog off your box, but I think you can find a secure way to share space. Proxying like that could get annoying, and it basically doubles the latency to your blog.
Give the blog guys an account on your box; don't give them root/special privileges. If you can get away with it, don't even give them SSH access -- just give them a FTP login (make sure they can't access /var/www), and maybe a mysql account or something. (As you can see, this all depends on how much control/power the blog folks demand.)
Then, just make a symlink to the blog root, so they can write to a restricted area like /home/blog/www and still have it included in the website:
ln -s ~blog/www /var/www/blog
If a subdomain is for some reason not a possible way for you to go, you could use Apache's mod_proxy module to proxy requests to /blog to your second server.