Does the server is scanned by some vulnerability scanner?

Discussion in 'Installation/Configuration' started by Poliman, Dec 27, 2018.

  1. Poliman

    Poliman Member

    Hello. I have (Perfect Server setup) Ubuntu 16.04 LTS with apache 2.4.37 and in apache error.log file is a lot:
    Code:
    [Wed Dec 26 08:45:57.649682 2018] [access_compat:error] [pid 10835] [client 180.76.15.142:59430] AH01797: client denied by server configuration: /var/www/html/robots.txt
    [Wed Dec 26 08:48:15.444509 2018] [access_compat:error] [pid 10976] [client 180.76.15.12:37345] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 08:50:02.133953 2018] [access_compat:error] [pid 11358] [client 127.0.0.1:40910] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 08:51:07.155109 2018] [access_compat:error] [pid 11224] [client 5.62.43.34:5515] AH01797: client denied by server configuration: /var/www/html/cpanel
    [Wed Dec 26 12:36:31.976661 2018] [access_compat:error] [pid 19592] [client 185.244.25.106:41956] AH01797: client denied by server configuration: /var/www/html/index.php
    [Wed Dec 26 12:40:02.538578 2018] [access_compat:error] [pid 21489] [client 127.0.0.1:50744] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 12:45:01.921430 2018] [access_compat:error] [pid 22918] [client 127.0.0.1:51294] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:15:02.149298 2018] [access_compat:error] [pid 32447] [client 127.0.0.1:53898] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:15:09.242782 2018] [access_compat:error] [pid 304] [client 88.135.47.227:19376] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:20:01.960645 2018] [access_compat:error] [pid 2361] [client 127.0.0.1:54674] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:23:20.585811 2018] [access_compat:error] [pid 3893] [client 5.255.250.180:39644] AH01797: client denied by server configuration: /var/www/html/robots.txt
    [Wed Dec 26 13:23:24.394489 2018] [access_compat:error] [pid 3893] [client 5.255.250.180:39644] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:25:02.086940 2018] [access_compat:error] [pid 4077] [client 127.0.0.1:56846] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:30:02.510932 2018] [access_compat:error] [pid 5674] [client 127.0.0.1:59564] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:35:02.698305 2018] [access_compat:error] [pid 7324] [client 127.0.0.1:33512] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:37:36.640703 2018] [access_compat:error] [pid 8375] [client 27.78.123.251:34494] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:37:43.465513 2018] [access_compat:error] [pid 8635] [client 103.229.86.186:44925] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:40:01.895182 2018] [access_compat:error] [pid 8982] [client 127.0.0.1:34086] AH01797: client denied by server configuration: /var/www/html/
    [Wed Dec 26 13:45:02.482745 2018] [access_compat:error] [pid 9969] [client 127.0.0.1:35064] AH01797: client denied by server configuration: /var/www/html/
    
    What it can be and how to prevent this? And why localhost client tries access blocked directory. There is only default apache website inside /var/www/html.
     
    Last edited: Dec 27, 2018
  2. Jesse Norell

    Jesse Norell Well-Known Member

    As that says, it's denied by your configuration. ISPConfig does not setup a default website nor configure the main /var/www/html, likely your OS has configured some defaults for the main document root, and you may have additionally created a default website yourself. Find the config for that and you will see why it's denied (apachectl -S will tell you the config file for any vhosts; for the main document root you have to read through all the global (not inside a virtual host) config).
     
  3. Poliman

    Poliman Member

    Yes, I understand that it's denied by my configuration and I of course know which one it is (apache's default one) - /etc/apache2/sites-enabled/000-default.conf. I added there:
    Code:
    <Directory /var/www/html>
    Require all denied
    </Directory>
    but I am curious why localhost ip 127.0.0.1 tries access this directory. I don't know how to interpret it. Second thing is how to block attempts to access to this directory from external ip addresses.
    PS
    I have blocked access to this due to a lot of these attempts from external ips.

    [EDIT]
    I also have found something:
    Code:
    apache2   11178         www-data  132u     IPv6           48746480       0t0        TCP s1.example.net:https->185-39-163-17.wdm.pl:65484 (ESTABLISHED)
    apache2    6015         www-data  132u     IPv6           48681774       0t0        TCP s1.example.net:http->sogouspider-218-30-103-24.crawl.sogou.com:16533 (ESTABLISHED)
    apache2   32701         www-data  132u     IPv6           48635422       0t0        TCP s1.example.net:http->sogouspider-218-30-103-24.crawl.sogou.com:42631 (CLOSE_WAIT)
    apache2   27093         www-data  132u     IPv6           48605480       0t0        TCP s1.example.net:http->li-lon-uk-gp3-wk105.internet-census.org:47588 (CLOSE_WAIT)
    
    Are they some kind of scanning bots?
     
    Last edited: Dec 28, 2018
  4. Jesse Norell

    Jesse Norell Well-Known Member

    All requests which do not include a hostname or where the hostname doesn't match a virtual host definition will hit the default; my guess is maybe it's ispconfig's "HTTPD monitoring" of the local web server. You could turn that setting off and see if the requests stop, or you could monitor http traffic on the loopback interface and you might see the request if it's port 80 (try `ngrep -Wbyline -d lo host 127.0.0.1 and port 80`), or you could check the access.log to see what details it records from the request. There's probably a way to debug/save traffic from a specific address (127.0.0.1) if needed, but I've never looked into that offhand.

    Try `Require local` or you can get more complex, see https://httpd.apache.org/docs/2.4/howto/access.html and https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html

    Sure, the majority of requests on most sites comes from bots. They may or may not be malicious.
     
    Poliman likes this.
  5. Poliman

    Poliman Member

    Thank you Jesse. That was I needed. Time to start testing.

    PS
    Best wishes in new year. ;)
     

Share This Page