Often the key to web security is being proactive. We need to make sure to correctly set permissions for files and firewalls, limit our login process, and update the system in a timely basis. What about the reactive side of thinking? Observing what is being accessed on your server is crucial. There is almost unlimited creativity used by hackers to constantly evolve their methods. Monitoring hacking attempts and implementing a defense based on what can be learned aids towards lowering a server’s susceptibility to intrusion. LogWatch is an easy tool to install, configure, review, and take steps that will improve security from the data it provides. LogWatch will scan the log files of major operating system components, like SSH and Apache, and email a summary containing interesting items. Using Ubuntu, you can setup the LogWatch package with the following commands:
sudo apt-get install logwatch sudo mkdir /var/cache/logwatch sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/ sudo cp /usr/share/logwatch/default.conf/logfiles/http.conf \ /etc/logwatch/conf/logfiles/
Now create a custom configuration to go through the web server logs.
sudo vi /etc/logwatch/conf/logfiles/http.conf
The file should contain the following text. Adjust for your specific installation. (Copy this text, then press “i” in the vi terminal and paste it in. Save it by pressing the escape key, typing “:wq” and return).
LogFile = apache2/*access.log.1
LogFile = apache2/*access.log
LogFile = apache2/*access_log
# If the archives are searched, here is one or more line
# (optionally containing wildcards) that tell where they are…
#If you use a “-” in naming add that as well -mgt
# Expand the repeats (actually just removes them now)
# Keep only the lines in the proper date range…
The package’s installation automatically creates a daily log that is emailed to the root account. Some of the items really interesting. There are five immediate steps you can take from looking at the report that will help prevent attacks:
- Deny probers in an .htaccess using the Deny directive
- Avoid storing backup files in web directory
- Avoid multiple configuration files
- Review and analyze the mail queue
- Use DenyHosts to protect against SSH attacks
Let’s take a look at these steps in detail.
Step 1 – Deny probers in an .htaccess using the Deny directive
LogWatch will show you IP addresses that probed your server. Probing involves scanning a server for potential weak areas. Perhaps the probe will identify a running service that can be exploited. Unless you use an external security service, these addresses are probably safe just to block and prevent further actions. When using an external service to scan your server, ignore any IP addresses that service may own. Use the Apache Deny directive in your .htaccess file or httpd.conf. Here is an example of what LogWatch will create regarding probing IP addresses after it runs a scan:
A total of 19 sites probed the server
Take the lines of IP addresses and add the text ‘Deny from ‘ in front. Add these to the end of your .htaccess file or httpd.conf and Apache will not authorize any requests from those addresses. For example, the IP addresses above may be added to the Apache configuration as this text:
Deny from 22.214.171.124
Deny from 126.96.36.199
Deny from 188.8.131.52
Step 2 – Avoid storing backup files in web directory
Now that you are actively denying probers, consider what the probes might be looking for. Especially the first few times LogWatch runs, pay close attention to the errors it reports. I witnessed several specific requests to files that did not exist. These are likely attempts to download backup files or gain access to the configuration files in WordPress.
Example file requests that did not exist:
It’s a good thing my backups are stored off the server. Check your website directory and make sure backups are not being stored where they are accessible to everyone.
Step 3 – Avoid multiple configuration files
Along the same lines as not exposing your backup files, storing multiple configuration files is a dangerous idea. This is especially true if the file extension is changed. The file might not be interpreted as PHP and treated like a text file. Now anyone guessing a URL can see the settings, including passwords. Store configuration backups or environment specific files outside your website root directory. Attempts to find these files might look like this in the request log:
Step 4 – Review and analyze the mail queue
Other than web requests, LogWatch will also output interesting things regarding your local email server. Use this information to better secure your server or identify an attack that has occurred. I recommend using an external email delivery service for your applications. Most applications, like WordPress are easy to configure with an SMTP extension. (SocketLabs is easy to use with a WordPress SMTP plugin). Many hacking scripts are only designed to take advantage of the local email server. You can turn off that internal server and monitor the queue. If LogWatch is showing a lot of email activity that should not be there, check the mail queue to find out if there is a script involved. When stopping the email service (Postfix users can do this by the command sudo service postfix stop), the email to be delivered will be stored in the queue. You can read the mail queue by the mailq command. This will show you the message identifier you may use to read the message and find out which file produced added it to the queue. That file mail be suspect and something to investigate. Here is more information regarding how to manage the email queue.
Step 5 – Use DenyHosts to protect against SSH attacks
The final step you can take immediately helps harden the secure shell service (SSH). SSH is used to access your command shell over an encrypted connection. If you noticed suspicious activity in the SSH section of the report, DenyHosts is a great tool to help prevent intrusion attempts via that service. Below is an example of the SSH section LogWatch created one day on my server:
Illegal users from:
undef: 28 times
184.108.40.206: 10 times
220.127.116.11 (blade-server.leasevps.com): 7 times
18.104.22.168: 2 times
22.214.171.124 (118-175-5-100.totisp.net): 2 times
126.96.36.199 (v157-7-48-127.z1d18.static.cnode.jp): 1 time
188.8.131.52 (ndata.com.br): 9 times
184.108.40.206: 17 times
DenyHosts monitors the SSH connections and locks out IP addresses out that fail too many times to gain access. To install, the following commands should work on a Ubuntu server. Change the source URL to the latest version or go to SourceForge directly.
cd /tmp/ && wget http://downloads.sourceforge.net/project/denyhost/denyhost-2.10/denyhosts-2.10.tar.gz
tar xzf denyhosts*.tar.gz
sudo python setup.py install
cp /usr/local/bin/daemon-control-dist /etc/init.d/denyhosts
Now create the specific configuration files:
sudo vi /etc/init.d/denyhosts
Look for the DENYHOSTS_BIN and you may need to correct it to the following:
DENYHOSTS_BIN = “/usr/local/bin/denyhosts.py”
To prevent locking yourself out, add your IP address by editing the following file:
LogWatch is a great tool to help stay on top of attacks and prevent some of them. These steps also may slightly improve your server’s performance. Keep checking the LogWatch report and identify further things you can implement.