> On Thu, May 28, 2009 at 1:39 PM, Harold Hallikainen wrote:
>
>> By the way, I see a lot of requests for ../../../../etc/passwd on my
>> server logs. I have a script that blocks the IP address of people that
>> try to do that (along with a bunch of other things).
>
> On a secure system they won't get anything particular from that file -- if
> your server is configured correctly you cannot get any files that do not
> belong to the wwwroot. And of course on most modern unix/linux you will
> have shadow passwords so even if they could get that file they will not be
> able to do an offline dictionary or brute force attack. They could get the
> user names out of it so they could try to do it online, but again then your
> system should be able to block these. And of course you should never enter
> real names and phone numbers or any valuable information to the passwd file
> so that it will be hard to do the old style of social engineering either.
>
> BTW: What are you doing with the IP addresses that are coming from a
> provider that gives the IPs dynamically to their users?
>
> Tamas

I think leases tend to be fairly long term (a month or more). I'm blocking the IP for a month. While Apache properly prevents access to /etc/passwd (and I am using the shadow password file), attempts to access this show an attempt to break into the server, so I block them. I also see a fair number of attempts to get at MSOffice (which is certainly not on my Fedora server), so I block those also. In general, I'm blocking anything that appears to be a break-in attempt. I block for about a month, then let them try again.

Recent blocks are:

6:16 am 123.27.127.224 being blocked because of authentication ...
Wed, 5:10 pm 218.1.64.133 being blocked because of ../../../../...
Wed, 4:36 pm 212.34.140.136 being blocked because of Failed pas...
Wed, 4:13 pm 194.8.74.124 being blocked because of NeuerKomment...
Wed, 8:55 am 66.249.71.237 being blocked because of NeuerKommen...
Wed, 7:55 am 81.88.124.30 being blocked because of CONNECT
Tue, 10:59 pm 124.128.83.222 being blocked because of authentication ...
Tue, 9:30 am 61.142.208.164 being blocked because of Failed pas...
Sun, 11:53 pm 61.172.243.233 being blocked because of Failed pas...
Sun, 8:46 pm 65.55.109.167 being blocked because of WikiBlogPlu...
Sun, 4:51 pm 67.202.2.132 being blocked because of Failed passw...
Sun, 3:59 pm 213.92.8.21 being blocked because of authentication ...
Sun, 9:16 am 202.100.219.81 being blocked because of authentication ...
Sun, 4:26 am 61.6.65.252 being blocked because of authentication ...
Sat, 5:54 pm 63.217.29.66 being blocked because of NeuerKomment...

The NeuerKomment and WikiBlogPlugin ones are attempts at wiki spam, so I block them. The Failed Password ones are ssh login attempts. Before I started running these scripts, I'd find thousands of failed logins in reviewing the logs each morning. Now there are maybe 5 or 10.

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising opportunities available!

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
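A small Python sketch of the kind of log-scanning blocker Harold describes, added here as an illustration: it is not his script, the Apache and sshd log lines below are constructed (with documentation-range IPs), and the match patterns are taken from the indicators he lists (directory traversal, CONNECT, NeuerKomment, WikiBlogPlugin, Failed password). It keeps a blocklist with a one-month expiry so a dynamically assigned address is released again, and it only renders the firewall rules rather than applying them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): a few Apache
# access-log lines and sshd auth-log lines in their usual formats.
ACCESS_LOG = """\
203.0.113.10 - - [28/May/2009:06:16:00 -0700] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 216
198.51.100.7 - - [28/May/2009:07:55:00 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 405 0
192.0.2.44 - - [28/May/2009:08:55:00 -0700] "POST /wiki/NeuerKommentar HTTP/1.1" 404 318
192.0.2.80 - - [28/May/2009:09:30:00 -0700] "GET /fcc/rules.html HTTP/1.1" 200 5120
"""

AUTH_LOG = """\
May 28 09:30:01 web sshd[4121]: Failed password for invalid user admin from 203.0.113.99 port 51524 ssh2
May 28 09:30:03 web sshd[4121]: Failed password for invalid user admin from 203.0.113.99 port 51524 ssh2
May 28 09:31:10 web sshd[4130]: Accepted publickey for harold from 192.0.2.80 port 40022 ssh2
"""

# Indicators named in the post, each with the short reason label that would
# appear in the block notice. The first matching pattern supplies the label.
INDICATORS = [
    (re.compile(r"\.\./\.\./"), "../../../../..."),
    (re.compile(r'^\S+ - - \[[^\]]+\] "CONNECT '), "CONNECT"),
    (re.compile(r"NeuerKomment"), "NeuerKomment..."),
    (re.compile(r"WikiBlogPlugin"), "WikiBlogPlu..."),
    (re.compile(r"Failed password for"), "Failed pas..."),
]

BLOCK_DURATION = timedelta(days=30)  # the post blocks for about a month

# Client address: first field of an Apache access-log line, or the
# "from <ip> port" clause of an sshd auth-log line.
ACCESS_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")
AUTH_IP = re.compile(r" from (\d{1,3}(?:\.\d{1,3}){3}) port ")


def offending_ip(line: str):
    """Return (ip, reason) if the line matches an indicator, else None."""
    for pattern, reason in INDICATORS:
        if pattern.search(line):
            m = ACCESS_IP.match(line) or AUTH_IP.search(line)
            if m:
                return m.group(1), reason
    return None


def scan(log_text: str, now: datetime, blocklist: dict) -> dict:
    """Scan log lines and add new ip -> (expiry, reason) entries.

    Expired entries are dropped first, so a host gets another chance after
    a month; an already-blocked host keeps its original expiry rather than
    having it extended by further hits."""
    for ip in [ip for ip, (exp, _) in blocklist.items() if exp <= now]:
        del blocklist[ip]
    for line in log_text.splitlines():
        hit = offending_ip(line)
        if hit and hit[0] not in blocklist:
            blocklist[hit[0]] = (now + BLOCK_DURATION, hit[1])
    return blocklist


def block_rules(blocklist: dict) -> list:
    """Render the blocklist as iptables commands (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # {reason}"
            for ip, (_, reason) in sorted(blocklist.items())]


if __name__ == "__main__":
    now = datetime(2009, 5, 28, 12, 0, 0)
    for rule in block_rules(scan(ACCESS_LOG + AUTH_LOG, now, {})):
        print(rule)
```

Run as a script it prints one DROP rule per offending address; the normal page fetch and the accepted public-key login produce nothing, and the repeated sshd failures from one host collapse into a single entry.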