Sunday, May 4, 2014

Defend from DirBuster (avoid brute force directories and files names on web/application servers)

* Trying to brute force directory and file names on deployed servers is ILLEGAL!

Some fake hackers like to hack deployed servers by using tools like "DirBuster"; however, it is easy to defend against. Also remember that applying brute force to a deployed server is ILLEGAL and will get you into trouble.

I am using IP 123.123.123.123 as the attacker's IP here.

1. Ban the attacker's IP

In the Apache configuration file add:
<Location />
        Order deny,allow
        Deny from 123.123.123.123
</Location>
(This is the Apache 2.2 access-control syntax; Apache 2.4 replaces Order/Deny with the Require directive unless mod_access_compat is loaded.)

2. Set up mod_evasive

Follow the instructions here, which are:
  • apt-get install apache2-utils
  • make sure module loading is enabled in the Apache configuration:
    • Include mods-enabled/*.load
    • Include mods-enabled/*.conf
  • configure the DOS parameters by adding the following to the site's .conf file:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097          # size of the per-child hash table of client records
DOSPageCount 2                 # requests for the same page per DOSPageInterval before blocking
DOSSiteCount 50                # requests for any object from one client per DOSSiteInterval before blocking
DOSPageInterval 1              # page-count interval, in seconds
DOSSiteInterval 1              # site-count interval, in seconds
DOSBlockingPeriod 60           # seconds a blocked client keeps receiving 403 responses
DOSEmailNotify someone@somewhere.com   # address notified whenever an IP is blocked
</IfModule>
To test, run this Perl script: https://github.com/KoHead/mod_evasive/blob/master/test.pl
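As an added example (not code from the original post or from the mod_evasive project), the following Python script shows how to pick the attacker's IP for the ban in step 1 out of an Apache access log, using the same count-per-interval idea that mod_evasive applies in step 2: it parses combined-format log lines, flags any client that produces more than a threshold of 404 responses inside a sliding time window (a wordlist scan is mostly 404s), and renders the matching Deny block. The log lines, the IP addresses and the DirBuster-style user-agent string are constructed sample data, and the threshold and window are assumptions of this example, not mod_evasive's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_bruteforcers(lines, max_404=20, interval_seconds=10):
    """Return {ip: peak_count} for clients exceeding max_404 "not found" responses
    within any sliding window of interval_seconds (thresholds are assumptions).
    Lines must be in time order per client, as an access log normally is."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=interval_seconds)
        while q and q[0] < cutoff:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_404:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def deny_block(ips):
    """Render the Apache 2.2-style <Location /> block from step 1 for the flagged IPs."""
    body = "\n".join(f"        Deny from {ip}" for ip in sorted(ips))
    return f"<Location />\n        Order deny,allow\n{body}\n</Location>\n"


def sample_log():
    """Constructed sample log (not real traffic): one client hammering 30 wordlist
    paths in about five seconds, plus one normal visitor with a single stale link."""
    base = datetime(2014, 5, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i // 6)).strftime(TS_FMT)
        lines.append(
            f'123.123.123.123 - - [{ts}] "GET /wordlist{i} HTTP/1.1" 404 209 "-" '
            f'"DirBuster-1.0-RC1 (constructed user agent)"'
        )
    normal = [("/", 200), ("/index.html", 200), ("/old.html", 404), ("/img/logo.png", 200)]
    for i, (path, status) in enumerate(normal):
        ts = (base + timedelta(seconds=i * 3)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    hits = find_bruteforcers(sample_log())
    for ip, count in hits.items():
        print(f"{ip}: {count} x 404 inside the window")
    print(deny_block(hits))
```

Run it against a real log with `find_bruteforcers(open("/var/log/apache2/access.log"))`; only 404s are counted, so a busy but legitimate client is not flagged the way a low DOSSiteCount can flag it, which is the trade-off to weigh against mod_evasive's automatic blocking.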

3. Set up Nagios with notifications

Set up a system monitoring program on the server, so that if anything abnormal happens the administrator receives an email immediately. Check: http://www.nagios.org/