Who is trying to access my server and why?

I want to share some genealogy records and decided to see if I could host them myself.

I installed Apache HTTP 2.2 on a Windows machine at home. It is configured to serve only a few files from one folder. I enabled password access.

I have not yet given anyone the IP or user/password info.

Looking at the access log file, I see a lot of incoming traffic from IPs all over the place. Are these bots? Are they a potential threat to my security?

Most of the attempts look like this:

70.61.205.3 - - [07/Feb/2011:21:28:52 -0400] "GET / HTTP/1.0" 401 401

This looks a bit more threatening:

92.48.122.218 - - [06/Feb/2011:17:57:59 -0400] "GET /admin/config.php HTTP/1.1" 401 401

I’m a total newb at this stuff. Am I exposing myself to threats or am I worrying about nothing?

Thanks!

List of HTTP codes here: List of HTTP status codes - Wikipedia

You’ll get many, many more. There are many people/computers that just troll along and hit every IP number. A search engine might be trying to index your site (if you password protected it – I assume with .htaccess – they can’t). I wouldn’t be surprised if that’s what the first hit was.

The second one is someone looking for a vulnerability. I imagine the admin/config.php file is often unprotected or has a default password that folks don’t often change. The hit failed because you don’t have that path.

There are some little “script kiddie” apps out there that will just flood your site with a list of, say, 100 possible URLs. They’re probing you for vulnerabilities. It’s the nature of the web. It’s like the wild west :slight_smile:
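The two log lines quoted in the question are ordinary Apache Common Log Format entries, and the distinction this reply draws (a stray hit on `/` versus a scanner walking a list of application paths) is something you can check mechanically. The script below is an added example, not code from the thread or from Apache: it parses log lines, counts 401 refusals per client, and flags clients that asked for paths a static-only site never serves. The sample log is constructed from the two quoted entries plus made-up extra lines, and the watch list of probe paths is an assumption for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the two entries quoted in the question
# (Apache Common Log Format). The extra lines are made up for the example.
SAMPLE_LOG = """\
70.61.205.3 - - [07/Feb/2011:21:28:52 -0400] "GET / HTTP/1.0" 401 401
92.48.122.218 - - [06/Feb/2011:17:57:59 -0400] "GET /admin/config.php HTTP/1.1" 401 401
92.48.122.218 - - [06/Feb/2011:17:58:01 -0400] "GET /phpmyadmin/ HTTP/1.1" 401 401
92.48.122.218 - - [06/Feb/2011:17:58:03 -0400] "GET /setup.php HTTP/1.1" 401 401
10.0.0.5 - alice [07/Feb/2011:22:01:10 -0400] "GET /records/index.html HTTP/1.1" 200 5120
"""

# One Common Log Format entry: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Paths that a site serving a handful of static genealogy files never exposes.
# Assumed watch list for this example; tune it to what your server actually hosts.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'^/admin/',      # admin consoles of common web applications
    r'\.php$',        # any PHP script on a static-only site
    r'phpmyadmin',    # database front-end
    r'\.\./',         # path traversal attempts
)]


def parse_line(line):
    """Return a dict for one log line, or None if it is not in Common Log Format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_probe(path):
    """True if the requested path matches the watch list of paths we never serve."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def analyze(log_text, scanner_threshold=2):
    """Summarise who was refused (401) and who asked for paths only a scanner asks for."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    refused = Counter()           # ip -> number of 401 responses
    probes = defaultdict(list)    # ip -> probe paths requested
    for e in entries:
        if e['status'] == 401:
            refused[e['ip']] += 1
        if is_probe(e['path']):
            probes[e['ip']].append(e['path'])
    # A client that asked for several never-served paths is a scanner, not a stray visitor
    scanners = sorted(ip for ip, paths in probes.items() if len(paths) >= scanner_threshold)
    return {
        'total': len(entries),
        'refused_by_ip': dict(refused),
        'probes_by_ip': dict(probes),
        'scanners': scanners,
    }


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    print(f"{report['total']} entries parsed")
    for ip, n in report['refused_by_ip'].items():
        print(f"{ip}: {n} request(s) refused with 401 (password prompt held)")
    for ip in report['scanners']:
        print(f"{ip}: scanner, probed {report['probes_by_ip'][ip]}")
```

Point it at the real `access.log` by reading the file into `analyze()`. A 401 on every line from a given client means the password protection did its job; a client that also shows up under `scanners` is running through a list of known application paths, which is exactly the second entry in the question.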

Thanks for the info!

I used .htaccess for the password protection. I guess people will keep looking for vulnerabilities. I’d better do some reading before I go live.

Given that you are getting hits now, you are live! (Unless you pulled the server.)

Given that Apache logged as 401 it means (I believe!) that your security worked. Be sure the rest of the box is secure as well. They are likely hitting things other than HTTP (port 80). I assume you have a firewall set up? You might want to configure it to flat out block any ports you don’t need (most of them) for that computer.

Remember: Defense in depth! Don’t rely on a single system to save you. Use many!

There are people out there constantly just hitting every IP address. The process goes like this:
First you scan with a tool that tells you what operating system and other applications (i.e. web server) are on there.
From the first scan, the next step is to try known vulnerabilities on those systems; i.e. did the version of Apache you use have a known bug when hit with a specific malformed packet?
Also, they will try to download any useful files that you may have accidentally left exposed.
Ultimately, the goal is to plant a trojan and remote access on your machine.

If you are going to run your own server, be sure to stay up to date on any new patches that come out. The very first internet worm, for example, took down servers based on a hole that had been documented for years but nobody had bothered to patch. You don’t have that luxury today.

In the 90’s when almost nobody had routers or firewalls, I recall helping one guy who had a virus that could be contracted from an incoming packet on Windows 98. (forget which virus). Run the command to clean the virus out, and within a few minutes, before you could finish downloading the fix, a new infection would arrive.

The number of @$$h0les out there hasn’t gotten any smaller since then.

>Given that you are getting hits now, you are live! (Unless you pulled the server.)

I disabled the server until I have a better understanding of the security implications of what I am doing.
I recently got a new router. A Cisco E3000. I enabled port forwarding for 80 only and only for the machine which will host the files. I don’t run any other firewall. I’m starting to think that I am being naive…

In theory, the router with port forwarding for port 80 only should be secure. In practice, some routers aren’t as secure as they should be, though most are fine. You may want to consider setting up a firewall at your server, too.

Also: check that your Apache install does not come with other stuff enabled for remote use. Again, you should be fine, but in the past (years ago) it did come with a pretty unsafe default configuration on some systems. If you’re only serving static files, you should check that CGI, PHP etc are disabled.

Oh, and the “people trying to connect to the server” thing; those are bots, and they’re not friendly. Get used to it. It won’t stop.

You don’t have to run it on the port everyone comes knocking on. I run ssh on a random high numbered port and don’t see a single unauthorized connection attempt in a week’s worth of logs. That doesn’t make it secure, but it sure helps.
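The advice above to make sure CGI, PHP and the like are switched off on a static-only server can be turned into a quick audit of `httpd.conf`. The script below is an added example, not code from the thread or from the Apache project: it scans an Apache 2.2 style configuration for the directives that enable dynamic content (loaded CGI/PHP modules, `cgi-script` handlers, `ExecCGI`, `Includes`, directory listings) and reports each one. Both configuration excerpts are constructed for the example; the module paths and directory names are assumptions, not anything from the poster's machine.

```python
import re

# Constructed httpd.conf excerpt in Apache 2.2 syntax, in the shape a default
# Windows install might have had. Module paths and directory names are assumed.
SAMPLE_CONF = """\
# Modules
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule php5_module "c:/php/php5apache2_2.dll"
AddHandler cgi-script .cgi
AddType application/x-httpd-php .php

<Directory "C:/genealogy/public">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
"""

# The same excerpt with everything dynamic removed: only the auth modules
# needed for .htaccess password protection stay, and Options is set to None.
HARDENED_CONF = """\
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so

<Directory "C:/genealogy/public">
    Options None
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
"""

# Each rule: (description, regex applied to one stripped, uncommented config line).
# On a server that only serves static files none of these should match.
RULES = [
    ("CGI module loaded",            re.compile(r'^LoadModule\s+cgid?_module\b', re.I)),
    ("PHP module loaded",            re.compile(r'^LoadModule\s+php\w*_module\b', re.I)),
    ("cgi-script handler mapped",    re.compile(r'^(AddHandler|SetHandler)\s+cgi-script\b', re.I)),
    ("PHP type mapped",              re.compile(r'^AddType\s+application/x-httpd-php\b', re.I)),
    ("ExecCGI option enabled",       re.compile(r'^Options\b.*\bExecCGI\b', re.I)),
    ("Server-side includes enabled", re.compile(r'^Options\b.*\bIncludes\b', re.I)),
    ("Directory listing enabled",    re.compile(r'^Options\b.*\bIndexes\b', re.I)),
]


def audit_config(conf_text):
    """Return (line_number, description, line) for every line that enables dynamic content."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split('#', 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        for description, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, description, line))
    return findings


def is_static_only(conf_text):
    """True when the configuration enables none of the dynamic-content features above."""
    return not audit_config(conf_text)


if __name__ == '__main__':
    for lineno, description, line in audit_config(SAMPLE_CONF):
        print(f"line {lineno}: {description}: {line}")
    print("hardened config is static-only:", is_static_only(HARDENED_CONF))
```

Run it against the real `httpd.conf` (and any files it pulls in with `Include`) after each change; an empty report from `audit_config()` is what you want before forwarding port 80 again.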