1

On a typical day on the internet, there are numerous botnets commanding zombie computers to scan for servers with vulnerabilities. Every now and then, a new exploit is discovered. Then, the zombie computers are reprogrammed to look for the new flaw. If a server is not updated immediately when an exploit for a particular piece of software that the server is running is discovered, then it will be susceptible to an attack.

Monitoring and tracking malicious activities and actively blocking them takes time and effort and may consume more resources than just issuing a 403 or a 404 error. How does one decide whether a certain scanning pattern is cause for concern and warrants taking pre-emptive measures such as blocking it entirely?

Question Overflow
  • You could put your server behind an NDP like snort, and set up active deny response rules on behavior it finds suspicious. If you pay for a subscription, you get daily updates of current attack signatures. – John Deters Jan 21 '14 at 06:23

2 Answers

3

Ideally you would like to manually inspect any abnormal occurrence. Since there are only 24 hours per day, this necessarily implies some heavy pruning, in which you automatically filter out the bulk of the automated scans. For instance, I see in my logs many attempts at accessing phpMyAdmin. I don't have this tool on my server, therefore I can safely ignore all attempts at exploiting its flaws. With similar rules for some other common attacks, I can lower the level of noise in my logs sufficiently so that I can afford to manually check the remainder.

Any attack attempt is cause for concern until you have fully understood and analysed the attack, and concluded that "it cannot work" (e.g. my case with phpMyAdmin), at which point you can ignore it. On the bright side, experience shows that between the discovery of a vulnerability and its wide-scale industrialization by botnets, there usually is a delay of a few weeks, so patches will come first if you maintain your server properly.

Thomas Pornin
  • Can I clarify that you do not block the malicious traffic that you have determined to be noise (as long as it is not consuming too much of your server resources), or, in any case, whatever traffic you have yet to analyse? – Question Overflow Jan 28 '14 at 03:08
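As an added illustration of the pruning Thomas Pornin describes (example code written for this page, not taken from the answer), the script below runs a few "cannot work here" rules over constructed access-log lines. It assumes a server that does not host phpMyAdmin, WordPress or anything under /cgi-bin/, so probes for those are counted and dropped; everything else, including lines the parser cannot read, is kept for a human, with requests that look like attacks and got a successful response sorted to the top of the review queue.

```python
"""Prune known-irrelevant probes from a web server access log so the remainder
can be reviewed by hand. Added example; the log lines below are constructed."""
import re
from collections import Counter

# Constructed sample in Apache/nginx "combined" log format (RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jan/2014:06:01:12 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.5 - - [21/Jan/2014:06:01:13 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.7 - - [21/Jan/2014:06:02:40 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
198.51.100.9 - - [21/Jan/2014:06:03:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jan/2014:06:04:22 +0000] "POST /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Jan/2014:06:04:25 +0000] "GET /cgi-bin/test.cgi?x=../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.80 - - [21/Jan/2014:06:05:00 +0000] "GET /app/export?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.30"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probes for software this (hypothetical) server does not run. An exploit for
# software that is not installed cannot work here, so matches are counted and
# dropped rather than inspected one by one.
NOISE_RULES = [
    ("phpmyadmin", re.compile(r"^/(phpmyadmin|pma|mysql|myadmin)\b", re.I)),
    ("wordpress",  re.compile(r"^/(wp-login\.php|wp-admin|xmlrpc\.php)", re.I)),
    ("cgi-bin",    re.compile(r"^/cgi-bin/", re.I)),
    ("dfind",      re.compile(r"w00tw00t", re.I)),
]

# Generic attack-looking payload fragments used only to rank the remainder.
SUSPECT_PATH = re.compile(r"(\.\./|/etc/passwd|%00|<script|union\s+select)", re.I)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the noise-rule name a request matches, or None if unmatched."""
    for name, rx in NOISE_RULES:
        if rx.search(entry["path"]):
            return name
    return None


def triage(log_text):
    """Split a log into (noise_counts, remainder).

    noise_counts tallies dropped probes per rule; remainder holds every parsed
    entry that matched no rule, plus unparseable lines as {"raw": line}, since
    a line the parser cannot read must never be dropped silently."""
    counts = Counter()
    remainder = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            remainder.append({"raw": line})
            continue
        label = classify(entry)
        if label:
            counts[label] += 1
        else:
            remainder.append(entry)
    return counts, remainder


def review_queue(remainder):
    """Order what is left for a human: requests that look like an attack and
    got a 2xx/3xx answer first, since those are the ones that may have worked."""
    def key(e):
        looks_bad = bool(SUSPECT_PATH.search(e.get("path", "")))
        succeeded = e.get("status", "").startswith(("2", "3"))
        return (not (looks_bad and succeeded), not looks_bad)
    return sorted(remainder, key=key)


if __name__ == "__main__":
    counts, rest = triage(SAMPLE_LOG)
    print("dropped as noise:", dict(counts))
    for e in review_queue(rest):
        print(e.get("status", "?"), e.get("path", e.get("raw")))
```

On the constructed sample, five of seven lines are dropped as noise and two are left for review; the traversal attempt against /app/export that received a 200 is ranked first, because a probe that "cannot work" is only known to be harmless once you have confirmed the target does not exist, and a successful status is exactly the case where that confirmation is missing.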
1

The number of scans is important and so are the ports that are being scanned (if you get a continuous scan of a range of your ports from somewhere, there is probably something fishy going on). Also, you can always check the vulnerabilities of the services that your computer is using/running by checking the security changelogs of the software that you have installed and analysing them in order to see what can possibly go wrong.

When it comes to exploiting the installed software on a target machine, once a hacker finds out which ports are open there and what's running on them (using various port scanners, incl. stealth port scanners that don't establish an actual connection!), he/she starts digging online with the purpose of finding vulnerabilities (there are also various "dark" sites that handle such precious information and where black hat hackers can brag about new exploits they have found). That's why it's always a good thing to not only have the latest version of a piece of software but also keep it at the latest patch level.

rbaleksandar
  • Yes, having the latest patch is definitely important. If I am always up to date with the patches, I am not sure what the value-add of analysing those scans is when a) it is time-consuming and b) I wouldn't be able to tell whether it is a vulnerability unless I am always keeping a lookout. – Question Overflow Jan 28 '14 at 03:17
  • This sort of analysis should not be done manually (for the reasons you've mentioned and then some more :)). That's why people write filters that do those things for them. Of course based on the language, on the programming style, on the algorithms etc. used those filters can also expose one or more vulnerabilities and/or be as effective as others. So my advice here is to start digging and learning how filtering works. Additional protection can also be added based on the hardware you have (example: consumer vs business class routers). Penetration testing your network is also a good thing to do. – rbaleksandar Jan 29 '14 at 05:55
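As an added example (not part of rbaleksandar's answer or the follow-up comments), the heuristic "one source hitting a range of your ports in a short time" applied to constructed netfilter-style drop-log lines. It assumes the firewall logs dropped inbound SYNs with SRC= and DPT= fields, so a half-open SYN scan that never completes a handshake still leaves a trace; the filter then separates a sweep (many distinct ports from one source) from a brute-force attempt (one port, many tries) and reports whether the swept ports form a contiguous range.

```python
"""Flag port sweeps in a firewall drop log: one source touching many distinct
destination ports in a short window. Added example; the input is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter-style lines for dropped inbound SYNs (RFC 5737 addresses).
SAMPLE_FW_LOG = """\
Jan 21 06:23:01 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 21 06:23:01 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 21 06:23:02 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=23 SYN
Jan 21 06:23:02 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=25 SYN
Jan 21 06:23:03 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=80 SYN
Jan 21 06:23:03 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=110 SYN
Jan 21 06:23:04 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=143 SYN
Jan 21 06:23:04 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=443 SYN
Jan 21 06:23:05 web1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=8080 SYN
Jan 21 06:30:10 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=1000 SYN
Jan 21 06:30:10 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51001 DPT=1001 SYN
Jan 21 06:30:11 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51002 DPT=1002 SYN
Jan 21 06:30:11 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51003 DPT=1003 SYN
Jan 21 06:30:12 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51004 DPT=1004 SYN
Jan 21 06:30:12 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51005 DPT=1005 SYN
Jan 21 06:30:13 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51006 DPT=1006 SYN
Jan 21 06:30:13 web1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=51007 DPT=1007 SYN
Jan 21 06:41:00 web1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.1 PROTO=TCP SPT=33001 DPT=22 SYN
Jan 21 06:41:05 web1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.1 PROTO=TCP SPT=33002 DPT=22 SYN
Jan 21 06:41:10 web1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.1 PROTO=TCP SPT=33003 DPT=22 SYN
Jan 21 06:45:00 web1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=60000 DPT=80 SYN
Jan 21 06:45:01 web1 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=60001 DPT=443 SYN
"""

# Syslog timestamp, then the SRC= and DPT= fields netfilter's LOG target emits.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(text):
    """Return a list of (timestamp, source_ip, dest_port) for every parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less, fine for deltas
        events.append((ts, m["src"], int(m["dpt"])))
    return events


def find_sweeps(events, window_s=60, min_ports=8):
    """Return {src: all distinct ports it touched} for every source that hit at
    least min_ports distinct destination ports inside some window_s-second window.
    Repeated hits on one port (a brute-force attempt) never count as a sweep."""
    by_src = defaultdict(list)
    for ts, src, dpt in sorted(events):
        by_src[src].append((ts, dpt))
    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                hits[src] = sorted({p for _, p in evs})
                break
    return hits


def is_contiguous(ports):
    """True if a sorted port list is an unbroken range (a sequential sweep)."""
    return bool(ports) and ports == list(range(ports[0], ports[0] + len(ports)))


if __name__ == "__main__":
    for src, ports in find_sweeps(parse_events(SAMPLE_FW_LOG)).items():
        kind = "sequential range" if is_contiguous(ports) else "selected ports"
        print(f"{src}: {len(ports)} ports, {kind}: {ports}")
```

On the constructed log, 203.0.113.5 (nine well-known service ports in four seconds) and 192.0.2.77 (ports 1000 through 1007 in order) are reported as sweeps, the repeated attempts on port 22 from 198.51.100.7 are not, and neither is the ordinary 80/443 traffic. Tightening the window to one second reports nothing, which is the usual trade-off with this heuristic: a slow scanner spreading its probes over hours stays below any short window, so the window and the threshold have to be chosen against the traffic the host actually sees.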