WHY IS YOUR IP ADDRESS PROBING MY WEBSITE FOR VULNERABILITIES? #30
Comments
Hello,

Issabel does not scan anything, anywhere. Issabel can be installed by anyone, anywhere, as it is not a hosted service. Besides, the IP address you list is not from the Issabel project.

In any case, where are you seeing that log file? Why do you think it is scanning the system for vulnerabilities?

This particular file, /admin/images/tango.png, is part of Issabel's regular web pages, and it is normal to receive a request for such an image, as it is referenced from those web pages when you log into your Issabel system via a web browser (it is a small logo file).

If you do not want to allow access to your Issabel admin web pages, then you might want to consider enabling the firewall and blocking the relevant ports. And if you are concerned about probing or scanning, you could also enable fail2ban (in the Security menu).

Best regards,

Hello and thank you for your response. I am terribly sorry, but I misdiagnosed an attack as coming from you when rather it was an attack probing for vulnerabilities in Issabel. Since I am not familiar with your service, I regretfully and wrongfully accused you of a deed of which you are innocent, and I'm sorry!

For the record, be wary that there are remote crawlers, mostly originating from China, probing for unlinked config files mistakenly left in the Docroot. You should double-check that those config files are not left in the Docroot.

Best,
On Tue, Jun 12, 2018 at 6:58 PM Nicolas wrote: (quoting Nicolas's comment above)

Hi,

We know that Issabel is a potential target for probes, script kiddies, malware bots and crawlers. That is why we added some security tools to it, like GeoIP firewall rules, a dynamic firewall via fail2ban, etc. We also removed known vulnerable modules from it. The best option for Issabel users is always to enable the firewall and allow web connections only from known/trusted sources, or to use the openvpn module for it. In the end, security is in the hands of the system administrator of each system; we will always try to make the life of such administrators a little bit easier.

Best regards,

Relying on generic Fail2Ban tools for Linux doesn't address the root cause of why so many people are targeting your service specifically. It's because, clearly, your implementation is susceptible to accidentally putting admin files in a web directory that the attackers apparently know. SOOO don't put any root or privileged users' files in the DOCROOT, period. Furthermore, run a script at program start to check for vulnerabilities and alert the system admin.
On Tue, Jun 12, 2018 at 7:21 PM Nicolas wrote: (quoting Nicolas's comment above)

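The start-up check suggested in the comment above, as an added example that is not Issabel's code and not part of this thread: a Python audit that walks a web root and reports files whose names mark them as configuration, backup copies, database dumps, key material or version-control metadata, so that an administrator can be alerted before a crawler finds them. The pattern list, the allowlist mechanism and the throwaway sample docroot it builds are assumptions constructed for the example.

```python
import os
import re
import tempfile
from typing import FrozenSet, List, Tuple

# Filename patterns that should never be reachable under a web root.
# Assumed starting list; extend it for the application actually deployed.
SENSITIVE_NAMES = [
    (re.compile(r"^\.env($|\.)"), "environment/credentials file"),
    (re.compile(r"\.(conf|cfg|ini|yaml|yml)$"), "configuration file"),
    (re.compile(r"\.(bak|old|orig|save|swp|tmp)$|~$"), "editor/backup copy"),
    (re.compile(r"\.(sql|sqlite|db|dump)$"), "database dump"),
    (re.compile(r"\.(pem|key|p12|pfx)$|^id_(rsa|dsa|ecdsa|ed25519)$"), "private key material"),
    (re.compile(r"^\.(git|svn|hg)$"), "VCS metadata directory"),
    (re.compile(r"^\.htpasswd$"), "htpasswd file"),
]


def classify(name: str) -> str:
    """Return the reason a file or directory name is sensitive, or '' if it is not."""
    for pattern, reason in SENSITIVE_NAMES:
        if pattern.search(name):
            return reason
    return ""


def audit_docroot(root: str, allow: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, reason) pairs for suspicious entries.

    `allow` holds docroot-relative paths that are known to be intentionally served.
    A matching directory is reported once and not descended into.
    """
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            reason = classify(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                findings.append((rel, reason))
                dirnames.remove(name)  # the whole tree is one finding; skip its contents
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel in allow:
                continue
            reason = classify(name)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_docroot() -> str:
    """Construct a temporary docroot mixing legitimate files with leaked ones (constructed data)."""
    root = tempfile.mkdtemp(prefix="docroot-audit-")
    files = {
        "index.php": "<?php echo 'hello';",
        "admin/images/tango.png": "\x89PNG",              # legitimate static asset
        "admin/config.php.bak": "<?php $db_pass = 'constructed';",
        ".env": "DB_PASSWORD=constructed",
        "backup/site.sql": "-- constructed dump",
        ".git/HEAD": "ref: refs/heads/master",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_docroot()
    for rel_path, why in audit_docroot(sample_root):
        print(f"{why}: {rel_path}")
```

Run it against the real docroot from a boot-time unit or a cron job and route a non-empty result to the administrator (mail, syslog, or the monitoring system already in use); an empty list is the expected steady state. The allowlist is there for the few files an application must serve despite a suspicious-looking name, so that the check stays noise-free and keeps getting read.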
Hi,

Can you specify which configuration files with sensitive information are put inside the web root on Issabel? I agree that if there are any, they should be removed asap. I am not aware of such files, but as the project includes 3rd party components, it might include some that I am not aware of.

Best regards,

Unfortunately I am not familiar enough with your product to know what's necessary for config. I run a special web service that acts like a honeypot to analyze the evolution of computer viruses, and so we are intentionally attacked millions of times per month. Here is an output of some of the more common probing expeditions, though they may not affect you:
On Wed, Jun 13, 2018 at 9:56 AM Nicolas wrote: (quoting Nicolas's comment above)

It is a federal offense to attempt to breach another server.
Either this IP is yours or someone is phishing your login page.
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): handle new connection"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): read input"
22:26:54: Debug: "HttpRequest: read request"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header host: (REDACTED)"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header accept: /"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Info: "HttpRequest: received header user-agent: python-requests/2.18.4"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header accept-encoding: gzip, deflate"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header x-forwarded-for: 138.68.24.205"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: headers completed"
22:26:54: Debug: "HttpRequest: expect no body"
22:26:54: Debug: "HttpRequest: extract and decode request parameters"
22:26:54: Debug: "HttpRequest: extract cookies"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): received request"
22:26:54: Debug: "RequestMapper: path=/admin/images/tango.png"
22:26:54: Debug: StaticFileController: Cache miss for /admin/images/tango.png
22:26:54: Debug: StaticFileController: Open file /home/john/medicareunion/Server/etc/docroot/admin/images/tango.png
22:26:54: Debug: "RequestMapper: finished request"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): finished request"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): disconnected"
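An added example that is not part of the issue or of Issabel: a small Python parser for the per-line debug log above that reassembles one request per connection handler and notes the two things worth checking before attributing a request to anyone, namely a scripted client user agent and an X-Forwarded-For header (which the client supplies itself, so it only identifies the origin when the peer is a proxy you trust). The sample log is constructed from the lines in the issue plus an invented browser request for contrast; the list of automated user-agent prefixes is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the issue's log: the first connection is the
# python-requests fetch shown there, the second a made-up browser request.
SAMPLE_LOG = """\
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): handle new connection"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): read input"
22:26:54: Debug: "HttpRequest: received header host: (REDACTED)"
22:26:54: Debug: "HttpRequest: received header accept: /"
22:26:54: Info: "HttpRequest: received header user-agent: python-requests/2.18.4"
22:26:54: Debug: "HttpRequest: received header accept-encoding: gzip, deflate"
22:26:54: Debug: "HttpRequest: received header x-forwarded-for: 138.68.24.205"
22:26:54: Debug: "RequestMapper: path=/admin/images/tango.png"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): disconnected"
22:27:10: Debug: "HttpConnectionHandler (0x562f8c2ed000): handle new connection"
22:27:10: Debug: "HttpRequest: received header host: (REDACTED)"
22:27:10: Info: "HttpRequest: received header user-agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0"
22:27:10: Debug: "RequestMapper: path=/index.php"
22:27:10: Debug: "HttpConnectionHandler (0x562f8c2ed000): disconnected"
"""

CONN_RE = re.compile(r'HttpConnectionHandler \((0x[0-9a-f]+)\): (handle new connection|disconnected)')
HEADER_RE = re.compile(r'received header ([\w-]+): (.*)"$')
PATH_RE = re.compile(r'RequestMapper: path=(\S+)"')

# User-agent prefixes typical of scripted clients rather than browsers (assumed list).
AUTOMATED_UA_PREFIXES = ("python-requests", "curl/", "wget/", "go-http-client", "libwww-perl")


@dataclass
class Request:
    conn: str                                   # handler address, used to group log lines
    headers: Dict[str, str] = field(default_factory=dict)
    path: Optional[str] = None


def parse_log(text: str) -> List[Request]:
    """Reassemble one Request per connection from the line-oriented debug log."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn, event = m.groups()
            if event == "handle new connection":
                current = Request(conn=conn)
            elif current is not None and current.conn == conn:
                requests.append(current)
                current = None
            continue
        if current is None:
            continue
        m = HEADER_RE.search(line)
        if m:
            current.headers[m.group(1).lower()] = m.group(2)
            continue
        m = PATH_RE.search(line)
        if m:
            current.path = m.group(1)
    if current is not None:                     # connection still open at end of log window
        requests.append(current)
    return requests


def findings(req: Request) -> List[str]:
    """Notes a reviewer would want next to the request before drawing conclusions from it."""
    notes: List[str] = []
    ua = req.headers.get("user-agent", "")
    if not ua:
        notes.append("no user-agent")
    elif ua.lower().startswith(AUTOMATED_UA_PREFIXES):
        notes.append(f"scripted client: {ua}")
    xff = req.headers.get("x-forwarded-for")
    if xff:
        # Client-controlled header: meaningful only if the TCP peer is a trusted proxy.
        notes.append(f"via proxy, claimed origin {xff}")
    return notes


def report(text: str) -> List[Tuple[str, List[str]]]:
    """(path, notes) for every request in the log, in arrival order."""
    return [(req.path or "?", findings(req)) for req in parse_log(text)]


if __name__ == "__main__":
    for path, notes in report(SAMPLE_LOG):
        print(path, "|", "; ".join(notes) or "nothing unusual")
```

The point the parser makes concrete is the one raised in the first reply: a single request for /admin/images/tango.png is not itself evidence of scanning, and the address in X-Forwarded-For is an assertion by the client, not an observation by the server. What a defender can act on is the combination of a scripted client, a proxy-relayed origin and, over time, the set of paths requested, which is why the report keeps all three side by side.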