Score: 2

I have issues with a continuous, concerted cracking attempt on a website (coded in PHP) running on a Debian server. The main problem is SQL-injection attempts.

A secondary effect of the problem is being spidered or repeatedly spammed with URLs that, though a security hole has been closed, are still obviously related attempts to crack the site, and continue to add load to the site, and thus should be blocked.

So what measures can I take to:

A: Block known intruders/known attack machines (notably making themselves anonymous via botnet or relaying servers) to prevent their repeated, continuous, timed access from affecting the load of the site,

and B: report & respond to the attack (I'm aware that the reporting to law enforcement is almost certainly futile, as may be reporting to the ip/machine where the attacks are originating, but other responses to take would be welcome).

Kzqai (1,278 rep)

4 Answers

Score: 2

For option A you can investigate mod_security; however, this is something you should thoroughly test, initially in a reporting mode.

I presume your application is reasonably hardened:

  • the database user php connects as only has enough permissions to do what they require
  • your php config is hardened

And that the box it is running on is fully patched and has all inessential services disabled.

Furthermore, you could consider running the database on a different host.

jamespo (1,698 rep)
  • Uh, why would a different host be desirable? – Kzqai Mar 15 '11 at 01:05
  • You can put the DB box in a different firewall segment – jamespo Mar 15 '11 at 11:15
  • I'd assume the DB isn't directly accessible from the net (if it is, he's got major problem). Separating it to a different host isn't going to do much if the hacker uses sql-injection, or roots the server. – Chris S Mar 15 '11 at 12:20
Score: 2

In my experience there isn't much you can do but block the offending IPs. It probably wouldn't hurt to get an external company to do a security audit if you've become a regular target and weaknesses have been found in the past. We've used a company called 7safe to do this.

If the IP originates from your own country, and the hack attempt has been successful, involving the police isn't a bad idea. We've had a bit of luck with that here in the UK.

I was watching some hack attempts unfold against my own site earlier today. Needless to say they didn't get anywhere! But hacking is a fact of life on the internet.

Steve Mayne (1,001 rep)
Score: 1

My standard response to this remains the same: You can't stop people from trying to do bad things on the internet. The attacks you're seeing are undoubtedly automated, and wide-band: they aren't after your site particularly, they're after any vulnerable site anywhere.

You can spend a huge amount of effort chasing down 'known bad' hosts, following up leads, doing the detective bit; but the only ultimately useful thing you can do is secure your system against its application (app runs as non-privileged user, possibly chrooted, reasonable ulimits, up-to-date kernel, etc), secure the app against its users (reliable authentication and authorization, placeholder SQL query building, pen-testing with web security tools), and monitor for successful attempts at unauthorized access.

Jeff Albert (1,967 rep)
Score: 1

In my experience reporting the behaviour to the netblock owner in a polite email, while not very often effective, is still likely to have a more satisfactory outcome than relying on either your local or the attacker's local law enforcement. Particularly if they provide an 'abuse' address.

Just provide them with log entries showing the problem (remember to provide details of any time zone conversions for dates/times).

While you can start blocking access from those addresses, you might want to consider implementing something like 'fail2ban' via a PHP autoprepend - so if you detect someone being naughty you can automatically block their access using the OS firewall.

symcbean (19,931 rep)
  • +1 Report to netblock owner. Be sure to include who you are, the source IP, example(s) of what you are reporting, and keep it as brief as possible. Do not: get emotional, assign intent, 'interpret' the evidence. Also Fail2Ban is my personal favorite, mod_security is another good idea. – Chris S Mar 15 '11 at 12:23
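One way to build the "fail2ban via a PHP autoprepend" idea from the answer above, written for this page as an example and not taken from the answer or from fail2ban's own distribution: a small file loaded through PHP's `auto_prepend_file` setting inspects the request for a handful of blunt injection and traversal markers, writes one line per hit to a dedicated log, and (once you are satisfied with the patterns) refuses the request. fail2ban tails that log with the filter shown in the header comment and bans the source address with the OS firewall. The file paths, jail name, patterns and log format are this example's own choices; the `LOG_ONLY` switch keeps it in the reporting-only mode jamespo recommends for mod_security until the log has been reviewed for false positives. Run from the command line it only checks two constructed requests against the patterns.

```php
<?php
// Added example, not from the original thread. An auto_prepend_file that logs
// obviously hostile requests in a fail2ban-friendly format and optionally denies
// them. All paths below are hypothetical choices for this example.
//
// Enable it (one of):
//   php.ini:        auto_prepend_file = /usr/local/lib/php/attack-log.php
//   Apache vhost:   php_value auto_prepend_file /usr/local/lib/php/attack-log.php
//
// /etc/fail2ban/filter.d/php-attacks.conf
//   [Definition]
//   failregex = suspicious request from <HOST>
//   ignoreregex =
//
// /etc/fail2ban/jail.local
//   [php-attacks]
//   enabled  = true
//   filter   = php-attacks
//   logpath  = /var/log/php-attacks.log
//   port     = http,https
//   maxretry = 3
//   findtime = 600
//   bantime  = 3600

const ATTACK_LOG = '/var/log/php-attacks.log'; // must be writable by the web server user
const LOG_ONLY   = true; // reporting mode: log but do not deny until the patterns are tuned

// A deliberately short list of indicators that have no business in a normal
// request to this site. This feeds the firewall; it is not a substitute for
// mod_security, which carries the fine-grained rules.
const SUSPICIOUS_PATTERNS = [
    '/\bunion\b[\s\/\*]+(all\s+)?select\b/i',   // UNION SELECT, also with /**/ as separator
    '/\binformation_schema\b/i',                // schema enumeration
    '/\b(sleep|benchmark)\s*\(/i',              // time-based probes
    '/\'\s*(or|and)\s*[\'"\d]/i',               // quote followed by a boolean clause
    '/(\.\.\/){2,}/',                           // repeated ../ traversal
];

function looksSuspicious(string $rawRequest): bool
{
    $decoded = urldecode($rawRequest); // match on what the application will see
    foreach (SUSPICIOUS_PATTERNS as $re) {
        if (preg_match($re, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

// One line per hit. The timestamp is in a form fail2ban's date detector parses
// without extra configuration; the URI is truncated and stripped of newlines so
// a hostile client cannot forge extra log lines.
function formatLogLine(string $ip, string $rawRequest, int $now): string
{
    $uri = substr(str_replace(["\r", "\n"], ' ', $rawRequest), 0, 200);
    return sprintf("%s suspicious request from %s uri=%s\n",
                   date('Y-m-d H:i:s', $now), $ip, $uri);
}

function recordHit(string $ip, string $rawRequest): void
{
    file_put_contents(ATTACK_LOG, formatLogLine($ip, $rawRequest, time()), FILE_APPEND | LOCK_EX);
    if (!LOG_ONLY) {
        http_response_code(403);
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests for a quick local check of the patterns.
    $samples = [
        '/index.php?page=2',
        '/index.php?id=1%27%20UNION%20SELECT%201,2,3--',
    ];
    foreach ($samples as $s) {
        printf("%-50s %s\n", $s, looksSuspicious($s) ? 'flagged' : 'ok');
    }
} else {
    // Inspect the request line plus any form-encoded body fields.
    $rawRequest = ($_SERVER['REQUEST_URI'] ?? '') . ' ' . http_build_query($_POST);
    if (looksSuspicious($rawRequest)) {
        recordHit($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', $_SERVER['REQUEST_URI'] ?? '');
    }
}
```

Two things to check before flipping `LOG_ONLY` to `false`: that `REMOTE_ADDR` really is the client (behind a reverse proxy it is the proxy, and fail2ban would ban that), and that the bulk of entries in the log are indeed the repeated probes described in the question rather than legitimate visitors tripping a pattern. The log lines double as the evidence to attach to an abuse report, which is why they carry a full timestamp in a single, stated format.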