Protecting web servers with OSSEC

Being an administrator for multiple public-facing web servers can be very stressful; it seems like there is an infinite supply of spammers and attackers. One of the tools I’ve found extremely useful in securing my web servers is OSSEC, a host-based Intrusion Detection System (IDS) developed by Trend Micro.

Recently someone made an “information gathering” attempt on one of my sites by scanning for web applications such as phpMyAdmin and mysqladmin. OSSEC saw that the same IP generated multiple 404 errors in my Apache logs, notified me, and also took action using its built-in active responses. By default OSSEC only enables the host-deny and firewall-drop active responses. As I don’t use iptables, the built-in firewall-drop response was not useful, and host-deny wouldn’t stop this type of traffic, so I had to add another one: route-null. Below I briefly outline the configuration changes I made and how to test them successfully.

The attack log

This is the email sent by my OSSEC server to alert me of this information gathering attempt.

OSSEC HIDS Notification.
2011 May 07 03:17:27

Received From: (hostname) 0.0.0.0 ->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

"GET /phpadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "ZmEu"
"GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
"GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 305 "-" "ZmEu"
"GET /mysql/scripts/setup.php HTTP/1.1" 404 300 "-" "ZmEu"
"GET /myadmin/scripts/setup.php HTTP/1.1" 404 302 "-" "ZmEu"
"GET /dbadmin/scripts/setup.php HTTP/1.1" 404 302 "-" "ZmEu"
"GET /db/scripts/setup.php HTTP/1.1" 404 297 "-" "ZmEu"
"GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
"GET /admin/pma/scripts/setup.php HTTP/1.1" 404 304 "-" "ZmEu"
"GET /admin/scripts/setup.php HTTP/1.1" 404 300 "-" "ZmEu"
"GET /scripts/setup.php HTTP/1.1" 404 294 "-" "ZmEu"

--END OF NOTIFICATION

Adding Active Response

This is the active response I added to the OSSEC server’s ossec.conf file.

<!-- Active response to block http scanning -->
<active-response>
    <command>route-null</command>
    <location>local</location>
    <!-- Multiple web server 400 error codes from same source IP -->
    <rules_id>31151</rules_id>
    <timeout>600</timeout>
</active-response>
  • command – calls the route-null.sh script provided by OSSEC. The default active-response scripts are located in /var/ossec/active-responses/bin.
  • location – where to execute the command. local tells OSSEC to run the active response on the agent that triggered the alert.
  • rules_id – which rules trigger this active response. This can be a comma-separated list.
  • timeout – the number of seconds before OSSEC runs the command’s “undo” action (here, removing the null route again).
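To show what the <command> entry actually invokes, here is a minimal POSIX shell version of a route-null style active-response script (an added example, not OSSEC’s own route-null.sh): it follows the argument order OSSEC passes to active responses (action, user, IP, …), handles the “delete” undo that <timeout> triggers, and validates the IP before it touches the routing table. The AR_DRY_RUN/AR_LOG_FILE variables and the function names are my assumptions.

```shell
#!/bin/sh
# Hypothetical re-implementation of a route-null style active response
# (added example, not OSSEC's own route-null.sh). OSSEC invokes an
# active-response script as:  <script> <action> <user> <ip> [alert-id] [rule-id]
# <action> is "add" when the rule fires and "delete" when <timeout> expires.
# AR_DRY_RUN and AR_LOG_FILE are assumed names: AR_DRY_RUN=1 prints the route
# command instead of running it (the real command needs root).

LOG_FILE="${AR_LOG_FILE:-/var/ossec/logs/active-responses.log}"

# Accept only a plain dotted-quad IPv4 address: the IP comes from a log field
# the remote client controls, so it must never reach the shell unchecked.
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the route command for <action> <ip>; fail on anything unexpected.
route_null_cmd() {
    is_ipv4 "$2" || return 1
    case "$1" in
        add)    echo "route add -host $2 reject" ;;
        delete) echo "route del -host $2 reject" ;;
        *)      return 1 ;;
    esac
}

# Entry point: <action> <user> <ip>. Appends a line shaped like OSSEC's
# active-responses.log entry, then applies (or prints) the route change.
route_null() {
    cmd=$(route_null_cmd "$1" "$3") || { echo "route-null: bad args: $*" >&2; return 1; }
    printf '%s %s %s %s %s\n' "$(date)" "$0" "$1" "$2" "$3" >> "$LOG_FILE" 2>/dev/null || true
    if [ "${AR_DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# When run as a script, e.g.  route-null.sh add - 2.3.4.5
if [ $# -ge 3 ]; then route_null "$1" "$2" "$3"; fi
```

Run with AR_DRY_RUN=1 first to confirm the generated route command before letting OSSEC call the script for real.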

Testing new active-response

Once the response is added, restart the OSSEC management service.

You can view the available active responses by running this command:

$ bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: route-null600, command: route-null.sh

Now we test the response on one of the OSSEC clients:

$ bin/agent_control -b 2.3.4.5 -f route-null600 -u 083

OSSEC HIDS agent_control: Running active response 'route-null600' on: 083

The above blocks IP 2.3.4.5 using active-response route-null600 on agent 083.

To verify that the response ran correctly on the client, look in /var/ossec/logs/active-responses.log for a line similar to this:

 active-response/bin/route-null.sh add - 2.3.4.5 (from_the_server) (no_rule_id)

Now verify the addition to the routing table:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
2.3.4.5         -               255.255.255.255 !H    0      -        0 -

And a second verification:

# ip route get 2.3.4.5
RTNETLINK answers: Network is unreachable

Conclusion

That’s it!

OSSEC will now null-route all traffic from any IP that generates too many 404 errors in your Apache log files.

Special thanks to OSSEC’s mailing list users for helping me get this working. See here.

Update

See the following article where I cover how to enable email notifications when these active-responses are triggered, OSSEC E-mail Alerts on Active Responses.
