0 Replies Latest reply on Apr 25, 2014 8:40 AM by Carlos1327

    FMS 4.5/Apache server security: brute force and failed log-ins


      My apologies if this has been previously discussed (did not find anything in the forums). I recently started seeing the following in our FMS 4.5 and Apache logs (Windows 2008 R2):

      • script not found or unable to stat: H:/Program Files/Adobe/Flash Media Server 4.5/Apache2.2/cgi-bin/* (hundreds of entries with different file names in this folder, e.g., cgi-bin/php, cgi-bin/php5…)
      • File does not exist: H:/Program Files/Adobe/Flash Media Server 4.5/webroot/ (hundreds of entries in this folder, e.g., webroot/admin, webroot/administrator…)
      • /w00tw00t.at.blackhats.romanian.anti-sec


      There are literally hundreds and hundreds of these entries in the logs (errors, access, etc.) and they’ve increased to the point that these entries far outnumber the legitimate clients/connections in the access.log, for example. At first I asked our admin to block the offending IPs from accessing our network, but the attackers just changed their IPs and the attacks have continued to increase.


      So yeah, the server is being probed and brute forced. So what can I do to stop this? I’ve looked at the following:

      1. Mod_sec (http://www.modsecurity.org): I set up mod_sec, but it blocked all http requests so that the server would not serve any pages on the server or stream via http. I have no idea why mod_sec blocked everything or how to fix it, so I disabled it.
      2. Fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page): Fail2ban would be perfect for this because it can be set up to block IPs based on failed login attempts and the “script not found” and “file does not exist” errors. Fail2ban is not available for Windows, however. We might switch to CentOS when we upgrade our server (I’m better in Unix environments) so this might be an option in the future.
      3. Snort (http://www.snort.org) and IP Ban (http://www.digitalruby.com/securing-your-windows-dedicated-server/): Has anyone used either of these?



      Any advice on what steps I can take to deal with this problem will be greatly appreciated.
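
Added example, not part of the original post and not code from Fail2ban or IP Ban: a small Python sketch of the Fail2ban-style check described in item 2, run over Apache 2.2 error-log lines. The sample log lines, IP addresses, thresholds, the function names and the "probe-ban" rule name are all constructed assumptions; the three signatures are the ones quoted in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2 error-log layout: [date] [level] [client IP] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
# The three probe signatures quoted in the post
PROBE_RE = re.compile(r"script not found or unable to stat|File does not exist|w00tw00t")

def offenders(lines, max_hits=3, window=timedelta(minutes=10)):
    """Map each IP to the time it reached max_hits probe errors within window.
    Assumes lines are in chronological order, as in a live error log."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.search(m["msg"]):
            continue  # startup notices, other errors, unparseable lines
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:      # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_hits:
            flagged.setdefault(ip, ts)    # keep the first crossing time
    return flagged

def block_rule(ip):
    """Windows Firewall command to review and run by hand; nothing is executed here."""
    return f'netsh advfirewall firewall add rule name="probe-ban {ip}" dir=in action=block remoteip={ip}'

ROOT = "H:/Program Files/Adobe/Flash Media Server 4.5"
# Constructed sample lines (documentation-range IPs), not taken from the poster's logs
SAMPLE = [
    f"[Fri Apr 25 08:00:00 2014] [error] [client 198.51.100.20] File does not exist: {ROOT}/webroot/favicon.ico",
    f"[Fri Apr 25 08:01:10 2014] [error] [client 203.0.113.7] script not found or unable to stat: {ROOT}/Apache2.2/cgi-bin/php",
    f"[Fri Apr 25 08:01:40 2014] [error] [client 203.0.113.7] script not found or unable to stat: {ROOT}/Apache2.2/cgi-bin/php5",
    f"[Fri Apr 25 08:02:00 2014] [error] [client 203.0.113.7] File does not exist: {ROOT}/webroot/admin",
    "[Fri Apr 25 08:05:00 2014] [notice] Child 1234: Starting thread to listen on port 80.",
    f"[Fri Apr 25 08:30:00 2014] [error] [client 198.51.100.20] File does not exist: {ROOT}/webroot/favicon.ico",
    f"[Fri Apr 25 09:15:00 2014] [error] [client 198.51.100.20] File does not exist: {ROOT}/webroot/favicon.ico",
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(when, block_rule(ip))
```

The client that only misses favicon.ico three times across more than an hour is not flagged, which is why the count is tied to a time window: ordinary visitors also produce "File does not exist" lines.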