
Since last week I have been running a web server (Apache2 on Ubuntu, accessible by IP only), and I reckon that I am most vulnerable now, while I don't yet know well what to pay attention to, so I'll ask the experts just in case.

When looking at the access logs, I can trace most of the accesses back to myself. Then there are several innocent-looking single GET requests, but also some more suspicious accesses: wget accesses to configuration files, an attempted PHP injection attack, attempted accesses to what look like database servers, etc. All of these requests were denied, by the way.

Should I do something about this beyond keeping the software updated etc., like reporting them or taking additional security measures? Should I keep monitoring the access logs?

doetoe

1 Answer


You may want to get acquainted with fail2ban: it is software that monitors log files for suspicious activity and bans the originating IP address for the desired amount of time, even indefinitely. It is also able to send you an email notification with the threat details and the action taken.

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, seeking exploits, etc. Generally Fail2ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured. Out of the box Fail2ban comes with filters for various services (apache, courier, ssh, etc.).

simlev
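To make the answer's description concrete, here is a small Python script (added here as an illustration; it is not fail2ban's code and not part of the original answer) that mimics fail2ban's filter and jail logic on Apache access-log lines: a regex extracts the client IP from each line, lines that look like probes count as "failures", and an IP that produces `maxretry` failures inside a `findtime` window is put on a ban list. The log lines, the IP addresses and the list of probed paths are all constructed for the example; real fail2ban would hand the banned IP to the firewall instead of returning it.

```python
"""Minimal fail2ban-style access-log scanner (illustrative; not fail2ban's own code).

fail2ban's model: a filter regex matches a log line and captures the client IP;
an IP that produces `maxretry` matches within `findtime` seconds is banned.
Here the "ban" is simply a list of IPs that the caller would feed to a firewall.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: ip ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Paths a plain static site has no reason to serve; a 4xx response to one of
# these is treated as a probe. This list is an assumption for the example,
# not fail2ban's default filter (those live in /etc/fail2ban/filter.d/).
PROBE_PATHS = re.compile(r'/(\.env|\.git/|wp-config|phpmyadmin|cgi-bin/|\.\./)', re.I)

MAXRETRY = 3    # failures tolerated inside the window before banning
FINDTIME = 600  # window length in seconds


def parse_ts(s):
    """Parse an Apache timestamp such as 10/Oct/2023:13:55:36 +0000."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def is_probe(line):
    """Return (ip, timestamp) if the line is a denied request for a probe path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if int(m.group("status")) < 400 or not PROBE_PATHS.search(m.group("req")):
        return None
    return m.group("ip"), parse_ts(m.group("ts"))


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return IPs to ban, in the order in which they crossed the threshold."""
    hits = defaultdict(deque)  # ip -> timestamps of recent probes
    banned = []
    for line in lines:
        r = is_probe(line)
        if r is None:
            continue
        ip, ts = r
        q = hits[ip]
        q.append(ts)
        # Forget probes that have fallen outside the findtime window.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


# Constructed sample log: one legitimate visit, one fast scan from 198.51.100.7,
# and a slow scan from 203.0.113.9 whose probes are too far apart to trip the window.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Wget/1.21"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "Wget/1.21"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Wget/1.21"
203.0.113.9 - - [10/Oct/2023:13:57:00 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:15:30:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:15:30:01 +0000] "GET /cgi-bin/test HTTP/1.1" 403 196 "-" "curl/8.0"
""".splitlines()


if __name__ == "__main__":
    print("ban:", scan(SAMPLE_LOG))
```

With the defaults only the fast scanner is banned; widening `findtime` to two hours catches the slow one as well, which is the same trade-off you make when tuning a real jail. In fail2ban itself the equivalent settings are `maxretry`, `findtime` and `bantime` in a jail section of `/etc/fail2ban/jail.local`, and the matching regexes are the `failregex` entries of the shipped filters (for example the `apache-noscript` filter for requests to script paths that do not exist).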