02/02/2011
Stopping Plesk Panel attacks with OSSEC
During the past few weeks I’ve noticed increased brute forcing activity on various servers that I manage and run Plesk Panel. Most of the entries look like this:
189.205.227.115 - - [30/Jan/2011:07:14:19 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [30/Jan/2011:07:14:19 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [30/Jan/2011:07:14:19 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [30/Jan/2011:07:14:21 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [30/Jan/2011:07:14:21 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [30/Jan/2011:07:14:23 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [30/Jan/2011:07:14:23 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852
The side effect of all these attacks is increased server load.
Since I already have ossec monitoring these servers the solution was quite simple. I just added a couple more rules to ossec in order to stop these attacks.
Two steps are necessary to stop these attacks:
1) Add plesk panel https log to monitor list in /var/ossec/etc/ossec.conf
<localfile> <log_format>apache</log_format> <location>/opt/psa/admin/logs/httpsd_access_log</location> </localfile> <localfile> <log_format>apache</log_format> <location>/opt/psa/admin/logs/httpsd_error_log</location> </localfile>
2) Create some custom rules to block (and notify me) of these attacks.
<rule id="100144" level="1"> <if_sid>31100</if_sid> <id>200</id> <url>/login_up.php3</url> <description>Plesk Login.</description> </rule> <rule id="100145" level="12" frequency="3" timeframe="60"> <if_matched_sid>100144</if_matched_sid> <same_source_ip /> <description>Attack on plesk panel.</description> <group>attack,</group> </rule>
That’s it. Ossec now monitors these files and blocks through iptables any attacks with active-response.
Example notification mail:
Received From: foo->/opt/psa/admin/logs/httpsd_access_log Rule: 100146 fired (level 12) -> "Attack on plesk." Portion of the log(s): 189.205.227.115 - - [02/Feb/2011:20:19:56 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [02/Feb/2011:20:19:55 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852 189.205.227.115 - - [02/Feb/2011:20:19:54 +0100] "GET /login_up.php3?passwd=setup&login_locale=default&login_name=admin HTTP/1.1" 200 5852
Filed by kargig at 22:03 under Internet,Linux
Tags: apache, brute force, https, iptables, Linux, log, monitor, notify, ossec, plesk, security
2 Comments | 10,220 views