which /etc/services actually needed?
I'm just worried that if I don't comment something out my system will act a little wacky.
Thanks,
John
~JW
@anderiv:
What were the "suspicious" log entries? There are many that, to an untrained eye, could look suspicious when they're actually quite benign.
Like the gazillion (hopefully) unsuccessful ssh login attempts, or the gazillion and 2 (hopefully) unsuccessful relay attempts by spammers against your mail server.
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zen/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zencart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zen-cart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /cart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /shop/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /store/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /E-commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /e-commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /commerce/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
and some more :
218.107.132.124 - - [02/Oct/2009:06:12:19 +0000] "GET /rails/info/properties HTTP/1.0" 500 948 "-" "larbin_2.6.3 gqnmgsp@ruc.edu.cn"
208.80.193.27 - - [02/Oct/2009:06:18:53 +0000] "GET / HTTP/1.0" 500 948 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; YPC 3.2.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; yplus 5.3.03b)"
66.249.67.140 - - [02/Oct/2009:07:17:08 +0000] "GET /dudes.html HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.140 - - [02/Oct/2009:07:17:19 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.67.179 - - [02/Oct/2009:07:39:23 +0000] "GET /images/showImg.png HTTP/1.1" 500 585 "-" "Googlebot-Image/1.0"
74.63.66.236 - - [02/Oct/2009:08:03:32 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 345 "-" "-"
208.80.193.30 - - [02/Oct/2009:08:20:46 +0000] "GET / HTTP/1.0" 500 948 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SIMBAR={7056D3EB-D11E-4d6c-958E-F3B9F21FFDCB}; .NET CLR 1.1.4322; Alexa Toolbar)"
65.55.115.154 - - [02/Oct/2009:08:39:24 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
92.241.182.25 - - [02/Oct/2009:09:02:38 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "Mozilla/5.0 (compatible; Tagoobot/3.0; +http://www.tagoo.ru)"
92.241.182.25 - - [02/Oct/2009:09:03:15 +0000] "GET / HTTP/1.1" 500 948 "-" "Mozilla/5.0 (compatible; Tagoobot/3.0; +http://www.tagoo.ru)"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET /robots.txt HTTP/1.1" 200 204 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
74.6.22.153 - - [02/Oct/2009:09:17:07 +0000] "GET /robots.txt HTTP/1.0" 200 167 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
74.6.22.153 - - [02/Oct/2009:09:17:08 +0000] "GET / HTTP/1.0" 500 585 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)"
The auth.log is where I'd see login attempts, right? It doesn't look like there have been too many attempts to SSH into my node.
@johnonlinode:
Looks like vulnerability scanners after doing a Google search:
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"
> > Google search shows this as "all my love to the devil".
> >
> > My current user agent blocks, which all get 404's if this text is found anywhere in the user agent string - and blocks this one:
> >
> > 'Scanner',
> > 'diavola',
> > 'mywbs.com',
> > 'heritrix',
> > 'turnitin',
> > 'searchme.com',
> > 'cuil',
> > 'baidu',
> > 'Yahoo! Slurp',
> > 'GingerCrawler',
> > '80legs',
> > 'plukkie',
> > 'scoutjet'
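As an added example (not code from anyone in this thread), the script below runs the user-agent blocklist posted above over the log excerpt John posted and also picks out the two things a UA string alone cannot catch: the malformed `GET HTTP/1.1 HTTP/1.1` request line, and the one-second sweep of `/zen/…`, `/zencart/…`, `/cart/…` for the same `general.js` file, which is the fingerprint of a scanner guessing install paths regardless of what it calls itself. The log lines in `SAMPLE_LOG` are copied from the thread; the sweep threshold of four distinct directories and the `w00tw00t` path signature are my own assumptions, chosen to fit this sample.

```python
"""Classify Apache combined-format access log lines into crawler noise,
scanner probes and malformed requests.  Added example for this thread;
the sample lines below are copied from the log excerpt posted above."""
import re
from collections import defaultdict
from posixpath import basename

# User-agent substrings from the blocklist posted in the thread (matched
# case-insensitively, anywhere in the string).
UA_BLOCKLIST = [
    "Scanner", "diavola", "mywbs.com", "heritrix", "turnitin", "searchme.com",
    "cuil", "baidu", "Yahoo! Slurp", "GingerCrawler", "80legs", "plukkie", "scoutjet",
]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Subset of the lines posted above (constructed sample input for this example).
SAMPLE_LOG = """\
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET HTTP/1.1 HTTP/1.1" 400 272 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zen/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /zencart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /cart/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
67.210.97.166 - - [02/Oct/2009:14:12:27 +0000] "GET /shop/includes/general.js HTTP/1.1" 500 585 "-" "Toata dragostea mea pentru diavola"
66.249.67.140 - - [02/Oct/2009:07:17:19 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
74.63.66.236 - - [02/Oct/2009:08:03:32 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 345 "-" "-"
24.196.156.163 - - [02/Oct/2009:09:09:40 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/spider.html;) Gecko/2008032620"
74.6.22.153 - - [02/Oct/2009:09:17:07 +0000] "GET /robots.txt HTTP/1.0" 200 167 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
"""


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    parts = e["request"].split(" ")
    # A well-formed request line is "METHOD /path HTTP/x.y".  Anything else
    # (e.g. "GET HTTP/1.1 HTTP/1.1" from the thread) is a malformed probe.
    if len(parts) == 3 and parts[1].startswith("/"):
        e["method"], e["path"], e["proto"] = parts
    else:
        e["method"], e["path"], e["proto"] = None, None, None
    return e


def ua_blocked(ua, blocklist=UA_BLOCKLIST):
    """True if any blocklist term appears in the user agent, ignoring case."""
    ua_l = ua.lower()
    return any(term.lower() in ua_l for term in blocklist)


def classify(lines, blocklist=UA_BLOCKLIST, sweep_threshold=4):
    """Map each client IP to the set of reasons it looks like a scanner.

    sweep_threshold (assumption): how many distinct paths ending in the same
    file name one IP must request before it is called a path sweep."""
    reasons = defaultdict(set)
    sweep = defaultdict(set)  # (ip, file name) -> distinct paths requested
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        ip = e["ip"]
        if ua_blocked(e["ua"], blocklist):
            reasons[ip].add("blocked-ua")
        if e["path"] is None:
            reasons[ip].add("malformed-request")
            continue
        if "w00tw00t" in e["path"].lower():  # DFind scanner signature (assumption)
            reasons[ip].add("known-scanner-path")
        sweep[(ip, basename(e["path"]))].add(e["path"])
    for (ip, name), paths in sweep.items():
        if name and len(paths) >= sweep_threshold:
            reasons[ip].add("path-sweep:" + name)
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(ip, sorted(why))
```

Two things worth noticing in the output: Googlebot (66.249.67.140) is not flagged at all, while Yahoo! Slurp and 80legs are flagged only because the posted blocklist names them, which is a traffic-shaping choice rather than a security one. And the 500s on `GET /` for the search engines are the same 500s the scanner got, so in this excerpt the site was erroring for everyone, not just for probes; a UA block will not change that.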
Do you just do that in an .htaccess file? Where do you place the file on the server (which directory)?
Thanks,
John
@johnonlinode:
Do you just do that in an .htaccess file?
See the section "How to Block by User Agent String" here:
to use .htaccess.
James
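Since the link above did not survive, here is an added example of the .htaccess rules for the blocklist posted earlier (this is not James's or the linked article's file). It assumes mod_setenvif is loaded and that the directory's `AllowOverride` permits it (`All`, or at least `FileInfo` plus `Limit` on 2.2 / `AuthConfig` on 2.4). The file goes in the DocumentRoot, or in whichever directory you want the rule to cover; it applies to that directory and everything below it. Note that Apache answers a denied request with 403, not the 404 mentioned above, and that a scanner can change its User-Agent at will, so this cuts log noise rather than risk.

```apache
# .htaccess placed in the DocumentRoot. Added example; assumes mod_setenvif
# and AllowOverride All (or FileInfo + Limit/AuthConfig) for this directory.
# Each line tags the request with the env var bad_ua if the (case-insensitive)
# regex matches anywhere in the User-Agent header.
SetEnvIfNoCase User-Agent "Scanner"       bad_ua
SetEnvIfNoCase User-Agent "diavola"       bad_ua
SetEnvIfNoCase User-Agent "mywbs\.com"    bad_ua
SetEnvIfNoCase User-Agent "heritrix"      bad_ua
SetEnvIfNoCase User-Agent "turnitin"      bad_ua
SetEnvIfNoCase User-Agent "searchme\.com" bad_ua
SetEnvIfNoCase User-Agent "cuil"          bad_ua
SetEnvIfNoCase User-Agent "baidu"         bad_ua
SetEnvIfNoCase User-Agent "Yahoo! Slurp"  bad_ua
SetEnvIfNoCase User-Agent "GingerCrawler" bad_ua
SetEnvIfNoCase User-Agent "80legs"        bad_ua
SetEnvIfNoCase User-Agent "plukkie"       bad_ua
SetEnvIfNoCase User-Agent "scoutjet"      bad_ua

# Apache 2.2 (current in 2009): deny anything carrying the tag.
Order Allow,Deny
Allow from all
Deny from env=bad_ua

# Apache 2.4 equivalent (use instead of the three lines above):
# <RequireAll>
#     Require all granted
#     Require not env bad_ua
# </RequireAll>
```

After saving it, fetch a page with a matching agent to confirm the rule fires, for example `curl -A diavola -o /dev/null -w '%{http_code}\n' http://yourhost/` should print 403, while a plain `curl` of the same URL should not.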