IssabelFoundation / issabel

Open Source Unified Communications Platform
http://www.issabel.org

WHY IS YOUR IP ADDRESS PROBING MY WEBSITE FOR VULNERABILITIES? #30

Closed blackflame7000 closed 6 years ago

blackflame7000 commented 6 years ago

It is a federal offense to attempt to breach another server. Either this IP is yours or someone is phishing your login page.

22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): handle new connection"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): read input"
22:26:54: Debug: "HttpRequest: read request"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header host: (REDACTED)"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header accept: /"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Info: "HttpRequest: received header user-agent: python-requests/2.18.4"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header accept-encoding: gzip, deflate"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: received header x-forwarded-for: 138.68.24.205"
22:26:54: Debug: "HttpRequest: read header"
22:26:54: Debug: "HttpRequest: headers completed"
22:26:54: Debug: "HttpRequest: expect no body"
22:26:54: Debug: "HttpRequest: extract and decode request parameters"
22:26:54: Debug: "HttpRequest: extract cookies"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): received request"
22:26:54: Debug: "RequestMapper: path=/admin/images/tango.png"
22:26:54: Debug: StaticFileController: Cache miss for /admin/images/tango.png
22:26:54: Debug: StaticFileController: Open file /home/john/medicareunion/Server/etc/docroot/admin/images/tango.png
22:26:54: Debug: "RequestMapper: finished request"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): finished request"
22:26:54: Debug: "HttpConnectionHandler (0x562f8c2ec770): disconnected"

asternic commented 6 years ago

Hello,

Issabel does not scan anything, anywhere. Issabel can be installed by anyone, anywhere, as it is not a hosted service. Besides, the IP address you list is not from the Issabel project.

In any case, where are you seeing that log file? Why do you think it is scanning the system for vulnerabilities?

This particular file, /admin/images/tango.png, is part of Issabel's regular web pages, and it is normal to receive a request for such an image, as it is referenced from those web pages when you log into your Issabel system via web browser (it is a small logo file).

If you do not want to allow access to your Issabel admin web pages, then you might want to consider enabling the firewall and blocking relevant ports. And if you are concerned about probing or scanning, you could also enable fail2ban (in the Security menu).

Best regards,

blackflame7000 commented 6 years ago

Hello and thank you for your response. I am terribly sorry, but I misdiagnosed an attack from you when rather it was an attack probing for vulnerabilities with Issabel. Since I am not familiar with your service, I regretfully wrongfully accused you of a deed for which you are innocent, and I'm sorry! For the record, be wary that there are remote crawlers, mostly originating from China, probing for unlinked config files mistakenly left in the Docroot. You should double-check that those config files are not left in the Docroot.

Best,

asternic commented 6 years ago

Hi,

We know that Issabel is a potential target for probes, script kiddies and malware bots and crawlers. That is why we added some security tools to it, like GeoIP firewall rules, dynamic firewall via fail2ban, etc. We also removed known vulnerable modules from it. The best option for Issabel users is always to enable the firewall and allow web connections from known/trusted sources, or use the openvpn module for it. In the end, security is in the hands of the system administrator of each system; we will always try to make the life of such administrators a little bit easier.

Best regards,

blackflame7000 commented 6 years ago

Relying on generic Fail2Ban tools for Linux doesn't address the root cause of why so many people are targeting your service specifically. It's because, clearly, your implementation is susceptible to accidentally putting admin files in a web directory that the attackers apparently know. SOOO don't put any root or privileged users' files in the DOCROOT, period. Furthermore, run a script at program start to check for vulnerabilities and alert the system admin.
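
One way to implement the startup check suggested above, as an added example that is not part of Issabel or of anyone's post in this thread: a POSIX shell audit that walks the web document root and flags the kinds of files the thread describes probes looking for (backups, editor leftovers, configuration files, key material). The pattern list, the 64k content-scan limit and the script name are assumptions.

```shell
#!/bin/sh
# Hypothetical docroot audit (added example, not Issabel code).
# Reports files under a web root that a web server should never serve.
# Assumes POSIX sh with find, grep, sed and sort available.

# Constructed list of basenames commonly left behind by editors, deploys
# and admins; extend it for your own deployment.
SUSPECT_PATTERNS='*.bak *.orig *.old *.swp *~ *.sql *.tar *.tgz *.zip
*.ini *.conf *.cnf *.env .env .htpasswd *.pem *.key id_rsa*'

# docroot_audit DIR
#   Prints one "reason path" line per finding (sorted, deduplicated).
#   Returns 0 when the docroot is clean and 1 when anything was flagged,
#   so an init script can alert the administrator on a non-zero status.
docroot_audit() {
    dir=$1
    findings=$(
        # set -f keeps the shell from globbing the patterns against the
        # current directory; they must reach find(1) unexpanded.
        set -f
        for pat in $SUSPECT_PATTERNS; do
            find "$dir" -type f -name "$pat" -print 2>/dev/null \
                | sed 's/^/suspect-name /'
        done
        set +f
        # Key material is dangerous whatever the file is called; only
        # small files are read so large static assets are skipped.
        find "$dir" -type f -size -64k \
            -exec grep -l 'BEGIN .*PRIVATE KEY' {} + 2>/dev/null \
            | sed 's/^/key-material /'
    )
    findings=$(printf '%s\n' "$findings" | sort -u | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# CLI use: docroot_audit.sh /path/to/docroot  (exit 1 => findings printed)
if [ -n "${1:-}" ]; then
    docroot_audit "$1" || exit 1
fi
```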

asternic commented 6 years ago

Hi,

Can you specify which configuration files with sensitive information are put inside the web root on Issabel? I agree that if there is any, it should be removed asap. I am not aware of such files, but as the project includes 3rd party components, it might include some that I am not aware of.

Best regards,

blackflame7000 commented 6 years ago

Unfortunately I am not familiar enough with your product to know what's necessary for config. I run a special webservice that acts like a honeypot to analyze the evolution of computer viruses, and so we are intentionally attacked millions of times per month. Here is an output of some of the more common probing expeditions, though they may not affect you: