
Would renaming Apache thwart potential attacks?



AcidRaZor
14-07-2011, 01:29 PM
I've had the issue recently where an attacker would try to brute force his way into a phpmyadmin installation... phpmyadmin is not installed on my server... and using modsecurity does 403 his attempts but it puts such a load on the server itself that it slows everything else down. Now normally I just stop apache, add his IP to the firewall (usually 1 IP, but changes every so often) and restart Apache...

But this has made me start to wonder. If I can get apache to respond with a Microsoft IIS server signature instead of its normal response... do you think this will thwart any potential attacks like that?

Either that, or if you guys know of a way for me to block this **** at the firewall level it would be great. I was thinking of dropping modsecurity entirely and just creating a "honeypot" for **** like this and adding the IP immediately when said honeypot has been hit via some code...

Would love to pick a more experienced admin's brain...

AcidRaZor
16-07-2011, 10:26 AM
I guess we only have a bunch of CPanel-n00bies around these forums

daffy
19-07-2011, 02:10 PM
Have you had a look at Fail2ban? You can write matchers to look at your logs, and add the IPs to iptables.

http://www.fail2ban.org/wiki/index.php/Apache

SoftDux-Rudi
17-08-2011, 09:09 AM
I guess we only have a bunch of CPanel-n00bies around these forums

Did you actually expect a reasonable answer with a criticizing comment like that?

SoftDux-Rudi
26-08-2011, 05:22 PM
AcidRazor, since you're such a know-it-all and think everyone else is a n00b in everything on this forum, did you bother looking at the Apache configuration file? You can easily change the signature to say IIS 7 if you wanted to. You could also make it say JBoss if you felt like it.

PCI compliance recommends disabling the signature altogether though. You should also have disabled phpinfo if you have / had it running anywhere on the server.

Your idea of creating a honeypot and blocking the IP with iptables is also a very good idea, but make sure you have some backdoor in, just in case you lock yourself out. Generally you would exclude / whitelist your fixed IP in the firewall for this very reason. BUT, this would easily deny a lot of legit client requests as well if you don't know what you're doing exactly.

P.S. I'm giving this advice since this particular hack is causing a LOT of problems for many hosts all over the world right now.

koffiejunkie
05-09-2011, 02:33 PM
But this has made me start to wonder. If I can get apache to respond with a Microsoft IIS server signature instead of its normal response... do you think this will thwart any potential attacks like that?

No. You can host phpMyAdmin on IIS too and many people do. Why do you catch those with mod_security? If phpMyAdmin isn't there, apache will just give a 404 and get on with life - that doesn't add much load at all. You can even use the Location directive to deny access to it even if it exists:


<Location /phpmyadmin>
Order Deny,Allow
Deny from all
</Location>

In the logs you'll get:


==> /var/log/apache2/access.log <==
192.168.0.12 - - [05/Sep/2011:13:42:51 +0100] "GET /phpmyadmin HTTP/1.1" 403 466 "-" "-"

==> /var/log/apache2/error.log <==
[Mon Sep 05 13:42:54 2011] [error] [client 192.168.0.12] client denied by server configuration: /var/www/phpmyadmin

I was thinking of dropping modsecurity entirely and just creating a "honeypot" for **** like this and adding the IP immediately when said honeypot has been hit via some code...

Don't bother. It's not worth the trouble.
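
A Fail2ban-style matcher of the kind daffy suggests, written here as an added Python example (not code from any poster or from Fail2ban): it counts requests for the non-existent phpmyadmin path per client IP in the access.log format shown above, skips the admin's own whitelisted range that Rudi advises keeping, and renders the iptables rules rather than running them. The honeypot path list, the 10.0.0.0/8 whitelist and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the access.log format shown in the post above.
SAMPLE_LOG = """\
192.168.0.12 - - [05/Sep/2011:13:42:51 +0100] "GET /phpmyadmin HTTP/1.1" 403 466 "-" "-"
192.168.0.12 - - [05/Sep/2011:13:42:52 +0100] "GET /phpMyAdmin/ HTTP/1.1" 404 210 "-" "-"
192.168.0.12 - - [05/Sep/2011:13:42:53 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 404 210 "-" "-"
10.0.0.5 - - [05/Sep/2011:13:43:01 +0100] "GET /phpmyadmin HTTP/1.1" 403 466 "-" "-"
10.0.0.5 - - [05/Sep/2011:13:43:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 403 466 "-" "-"
10.0.0.5 - - [05/Sep/2011:13:43:03 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 403 466 "-" "-"
203.0.113.9 - - [05/Sep/2011:13:44:11 +0100] "GET /phpmyadmin?x=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""
# Client IP, timestamp, request line and status from a common/combined log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths that do not exist on this server, so every request for them is a probe (assumed list).
HONEYPOT_PATHS = ("/phpmyadmin",)
# The admin's own fixed range, never blocked (assumed value), as Rudi's post advises.
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]

def is_probe(path):
    p = path.split("?", 1)[0].lower()  # ignore the query string, compare case-insensitively
    return any(p == h or p.startswith(h + "/") for h in HONEYPOT_PATHS)

def is_whitelisted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in WHITELIST)

def probes_per_ip(log_text):
    """Count honeypot-path requests per client IP, whatever status Apache returned."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return hits

def ips_to_block(log_text, threshold=3):
    """IPs that probed at least `threshold` times and are not whitelisted."""
    hits = probes_per_ip(log_text)
    return sorted(ip for ip, n in hits.items() if n >= threshold and not is_whitelisted(ip))

def iptables_rules(ips):
    """Render (not execute) the DROP rules; the admin reviews them before applying."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]
```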

koffiejunkie
05-09-2011, 02:38 PM
...Apache configuration file? You can easily change the signature to say IIS 7 if you wanted to.

How?


P.S. I'm giving this advice since this particular hack is causing a LOT of problems for many hosts all over the world right now.

It's giving lots of problems because people run code from 2008, for which totally free and easily installable updates are available. Really, there's no excuse.

The_Librarian
05-09-2011, 02:42 PM
Instead of honeypotting, try tarpitting so his connection will be slow, except for the rest of normal users.

And, no, I haven't implemented tarpitting. Yet. http://en.wikipedia.org/wiki/Tarpit_%28networking%29

Also keep in mind that tarpitting might be illegal in some cases.

Logo
09-09-2011, 02:03 PM
Why is Apache throwing 403, and why is it being caught with modsecurity?

If phpmyadmin is not installed it should throw a 404, and that puts absolutely no load on the server; if it does, then your server sucks. In fact modsecurity should still not place a noticeable load on the server to the extent that you have to restart apache.

Lastly, PHP is not exclusive to Apache, so why would sending an IIS signal confuse anybody?

RSkeens
09-09-2011, 02:40 PM
In fact modsecurity should still not place a noticeable load on the server to the extent that you have to restart apache.

That would hugely depend on how optimised the ruleset(s) are.