
I am currently setting up an Apache web server on a Linux machine at my house. I am working on a website project which will allow users to log in to complete certain work. There is no open registration on this website. Accounts must be issued by the administrator (which is currently me).

Since I have this server set up, I also want to make sure that I have it secure, to the best of my abilities. My knowledge is relatively limited in regards to cutting edge security.

I have some Linux packages installed to monitor and actively block suspicious connections.

I am looking through my logs, but I'm not entirely sure that I understand all that I am reading. I have iptables and fail2ban. I have approximately three pages of log entries every hour similar to the examples below. From this information, does it appear that I have my security set up properly? The entries which concern me are the ones which contain com.jcraft.jsch.JSchException, which is a known java exploit.

To be honest, I'm not even sure if I am asking the right questions. I am willing to learn. I simply need guidance and the resources from which to learn. I can handle constructive criticism.

Here are a couple of examples of the types of entries I am seeing.

Apr 10 10:02:10 gcems sshd[29230]: Unable to negotiate with 103.79.143.42 port 52068: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 10 10:03:08 gcems sshd[29398]: Did not receive identification string from 212.83.140.166 port 46529
Apr 10 10:03:43 gcems sshd[29548]: Invalid user support from 163.172.114.203 port 54291
Apr 10 10:03:45 gcems sshd[29548]: error: Received disconnect from 163.172.114.203 port 54291:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Apr 10 10:03:45 gcems sshd[29548]: Disconnected from 163.172.114.203 port 54291 [preauth]
Anders
Jim Baize
  • Welcome to the site, Jim! Try to avoid asking for "recommendations", as those tend to be primarily opinion-based and off-topic for this site. Can you edit your question to be more specific, such as asking about a specific log entry? You may need to split this question into multiple, more specific questions. – browly Apr 10 '18 at 21:31
  • It is nearly impossible to determine how secure your web server is purely off of log files. I assume this web server is publicly accessible so you will see a ton of noise in the log files. I would recommend reading https://httpd.apache.org/docs/2.4/misc/security_tips.html – pm1391 Apr 11 '18 at 00:40
  • Thank you. This appears to be a good start in my quest for at least some basic knowledge. and yes, the server is publicly accessible. One of the things I am trying to figure out is how to filter out the noise so that I can see what I need to see. – Jim Baize Apr 11 '18 at 02:03
  • `sshd` is the _SSH_ server which is completely separate from and unrelated to Apache or any other web server, and `JSchException` in itself is not any kind of exploit, although in this case it was caused by failed auth which might indicate an attack depending on data you didn't give. – dave_thompson_085 Apr 11 '18 at 05:06
  • You need something to parse the logs, try Logstash. Again, you will see tons of logs from many different IP's testing out your server for the known vulnerabilities. I would not worry unless your server is vulnerable. – pm1391 Apr 11 '18 at 12:12
  • @dave_thompson_085 -- Perhaps I misspoke. I didn't mean to imply "com.jcraft.jsch.JSchException" in itself was a vulnerability. I should have said there is a vulnerability with that package that people are trying to exploit. Unfortunately, I cannot find the website where I got that information. Perhaps I am remembering wrong. – Jim Baize Apr 11 '18 at 22:31
  • To know how to interpret the logs (and filter out noise) you need to know what is normal for the *expected* running of your server. We cannot possibly know what is expected. As mentioned, this does not appear to be an Apache log, and we cannot possibly tell you if you set up your configuration "securely" from log output. – schroeder Jun 04 '18 at 19:04

1 Answer


The only thing that you can do is to dive into the log and, for every record, see what it means and what the implications are. That is hard work, I know, but you will expand your security knowledge.

The records that you show are failures. Though annoying, failures, in general, are not a problem. They indicate that your security measures have worked. You may, with firewall rules (or iptables, or router ACLs, or...), deny access to specific subnets if they become really annoying.

You must also look at the successful connection attempts. Are they logical? Did I expect a connection of this type from this subnet/address?

You should create some baseline of what kind of connections you expect. And you should decide on how bad it is if someone strange gets access to resources, i.e. do a risk analysis, even for a simple home-based site.

The log records that you show indicate that you have an ssh server open. Unless you do regular remote administration this is a bad idea. Even when you do remote administration, consider using OpenVPN.

With an open ssh port, you will see a lot of connection attempts. In this case, 103.79.143.42 was not able to do a key exchange, and 163.172.114.203 tried to log in as the user support, but was unable to authenticate correctly. In my experience (ssh server on a home connection on the Internet), you should see failed login attempts on ssh at least 10 times per hour, on average. Higher if your website is a bit more high profile.

You must also look at your Apache access logs. There you will see some standard URLs that every script-kiddie knows roll by, in my experience multiple times per hour (for a home website). That will be things like:

118.89.38.35 - - [03/Mar/2019:08:09:53 +0000] "GET /s/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:53 +0000] "GET /MyAdmin/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:54 +0000] "GET /phpMyAdmin1/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:54 +0000] "GET /phpMyAdmin123/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:56 +0000] "GET /pwd/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:57 +0000] "GET /phpMyAdmina/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:57 +0000] "GET /phpMydmin/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:57 +0000] "GET /phpMyAdmins/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:58 +0000] "GET /program/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"

404 in this case means that the page is not found.

Ljm Dullaart
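As an added example (not part of the question or of the answer above), here is a small Python script that does the triage the answer describes: it separates sshd successes from failures, flags a success that comes from a network where no administrator is expected, and splits Apache 404s into probes for software that is not installed versus errors on the application's own paths. `EXPECTED_ADMIN_NETS` and `APP_PREFIXES` are assumed values for an imaginary site; the sample input reuses the sshd and access-log lines quoted on this page and adds a few constructed lines (addresses in the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) so that successes and an application-level failure appear next to the noise.

```python
import ipaddress
import re
from collections import Counter

# Networks an administrator is expected to SSH in from (assumed for this example;
# put your own home/VPN ranges here). A success from anywhere else is a surprise.
EXPECTED_ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Paths the (assumed) application really serves. A 404 outside them is a request
# for software that was never installed here, i.e. a scanner probe.
APP_PREFIXES = ("/login", "/work", "/static/")

# OpenSSH line shapes. The "Received disconnect ... JSchException: Auth fail" line
# is only the client (JSch, a Java SSH library) saying why it hung up after the
# failure already logged as "Invalid user", so it is deliberately not counted.
SSHD_RULES = [
    ("accepted",    re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("auth_fail",   re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("auth_fail",   re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("weak_crypto", re.compile(r"sshd\[\d+\]: Unable to negotiate with (?P<ip>\S+) port \d+: no matching")),
    ("scanner",     re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)")),
]

# Apache "combined" access log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def triage_sshd(log_text, expected_nets=EXPECTED_ADMIN_NETS):
    """Successes (flagged expected/unexpected by source network) plus per-IP failure counters."""
    successes = []
    counters = {"auth_fail": Counter(), "weak_crypto": Counter(), "scanner": Counter()}
    for line in log_text.splitlines():
        for kind, rx in SSHD_RULES:
            m = rx.search(line)
            if not m:
                continue
            if kind == "accepted":
                addr = ipaddress.ip_address(m.group("ip"))
                successes.append({"user": m.group("user"), "ip": m.group("ip"),
                                  "method": m.group("method"),
                                  "expected": any(addr in net for net in expected_nets)})
            else:
                counters[kind][m.group("ip")] += 1
            break
    return {"successes": successes, **counters}

def triage_access(log_text, app_prefixes=APP_PREFIXES):
    """Per-IP counts of 404 probes outside the app and of error responses on real app paths."""
    probes, app_errors = Counter(), Counter()
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group("ip"), m.group("path"), int(m.group("status"))
        on_app = path.startswith(app_prefixes)
        if status == 404 and not on_app:
            probes[ip] += 1        # noise: guessing at phpMyAdmin & co. you do not run
        elif on_app and status >= 400:
            app_errors[ip] += 1    # signal: someone failing against your own login
    return {"probes": probes, "app_errors": app_errors}

# Sample input: the question's sshd lines and some of the answer's access-log lines,
# plus constructed lines (documentation address ranges) showing a normal admin
# login, a root login from an unknown address and a failed POST to the app's /login.
AUTH_LOG = """\
Apr 10 10:02:10 gcems sshd[29230]: Unable to negotiate with 103.79.143.42 port 52068: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 10 10:03:08 gcems sshd[29398]: Did not receive identification string from 212.83.140.166 port 46529
Apr 10 10:03:43 gcems sshd[29548]: Invalid user support from 163.172.114.203 port 54291
Apr 10 10:03:45 gcems sshd[29548]: error: Received disconnect from 163.172.114.203 port 54291:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Apr 10 10:03:45 gcems sshd[29548]: Disconnected from 163.172.114.203 port 54291 [preauth]
Apr 10 10:05:01 gcems sshd[29601]: Failed password for invalid user admin from 163.172.114.203 port 54310 ssh2
Apr 10 10:07:12 gcems sshd[29644]: Accepted publickey for jim from 192.0.2.10 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr 10 10:09:30 gcems sshd[29702]: Accepted password for root from 198.51.100.77 port 41000 ssh2
"""

ACCESS_LOG = """\
118.89.38.35 - - [03/Mar/2019:08:09:53 +0000] "GET /s/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:53 +0000] "GET /MyAdmin/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:54 +0000] "GET /phpMyAdmin1/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
118.89.38.35 - - [03/Mar/2019:08:09:56 +0000] "GET /pwd/index.php HTTP/1.1" 404 442 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0)"
203.0.113.5 - - [03/Mar/2019:08:15:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2019:08:15:20 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2019:08:15:21 +0000] "GET /work HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    ssh = triage_sshd(AUTH_LOG)
    for s in ssh["successes"]:
        print(f"ssh {s['user']}@{s['ip']} via {s['method']}:", "ok" if s["expected"] else "UNEXPECTED")
    print({k: dict(ssh[k]) for k in ("auth_fail", "weak_crypto", "scanner")})
    web = triage_access(ACCESS_LOG)
    print("404 probes:", dict(web["probes"]), "| errors on app paths:", dict(web["app_errors"]))
```

Run against real files with `triage_sshd(open("/var/log/auth.log").read())` and `triage_access(open("/var/log/apache2/access.log").read())` (paths vary by distribution). The point of the split is the one the answer makes: the per-IP failure counters and the 404 probes are the noise fail2ban already handles, while a successful SSH login marked UNEXPECTED, or repeated 4xx responses on your own `/login`, is the short list you actually need to read every day.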