[Nagiosplug-help] Nagios plugin used to scan my site

Marc Powell marc at ena.com
Thu Jul 23 19:54:43 CEST 2009


On Jul 23, 2009, at 12:13 PM, Alex Bond wrote:

> Hello, I run a Drupal-based corporate website.  It’s still in  
> development, so although it is live it is not yet open to the  
> public.  So far, aside from our developers, most of our web traffic  
> comes from user agent check_http/v2053 (nagios-plugins 1.4.13).   
> Your plugins are being used to scan our website for security  
> vulnerabilities in prelude for hacking attempts.  We have received  
> over 19,000 pageviews from this user agent alone, with more from  
> check_http/1.96 (nagios-plugins 1.4.5).  From your website, it does  
> not look like you are intending your software to be used as a  
> hacking tool, but that is exactly how it is being used.
>
> How can I prevent your plugins from being used to attack our website?

This is a users list so I can only respond from that perspective. We
are just users of the Nagios software, much like you are just a user
of the Drupal software. If Drupal were used nefariously, would you go
complain to the Drupal users and ask them how to stop some unknown
person from doing it? Many kinds of software can be used for
'inappropriate' purposes, even something as humble as 'ping'. In all
cases, you find out who's doing it and stop _them_, you don't complain
to other users of that software or even the developers of that
software. Contacting us is like contacting other users of Microsoft
Office because someone sent you a virus-infected Word document. It's
pointless.

Personally, I don't see how check_http could be used as a 'hacking'  
tool. check_http cannot be used to 'scan a website for security  
vulnerabilities'. Maybe someone has it configured to check  
availability of your website for some reason. Maybe that someone is on  
this list, maybe not. You've not provided enough information for them  
to know you're addressing them if they are. Whoever it is, they've  
done it on their own. If you did not give them permission to do so,  
that's on them, not us. Perhaps even, the user agent is being spoofed.  
That, in my mind, is more likely if true scanning is happening.

- Standard abuse logic would seem to apply...
	- You should be contacting the owner of the netblock from which the
	  abuse is originating and ask them to stop.
	- Why don't you configure your web server to reject or return an
	  error when you see those user agents? That'll get their attention.
	- Why don't you configure your firewall to reject connections from
	  the source address(es)? That'll get their attention.

--
Marc
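
Added example, not part of the original message or of nagios-plugins: a Python script that groups requests carrying the check_http user agent by source address, giving the addresses to take to the netblock owner or to a firewall rule. The Apache "combined" log format, the constructed sample lines and the path-count heuristic for telling an availability check from a scan are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (assumption). The
# addresses are documentation ranges; none of this data is from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2009:10:00:00 +0200] "GET / HTTP/1.0" 200 5120 "-" "check_http/v2053 (nagios-plugins 1.4.13)"
192.0.2.10 - - [23/Jul/2009:10:05:00 +0200] "GET / HTTP/1.0" 200 5120 "-" "check_http/v2053 (nagios-plugins 1.4.13)"
192.0.2.10 - - [23/Jul/2009:10:10:00 +0200] "GET / HTTP/1.0" 200 5120 "-" "check_http/v2053 (nagios-plugins 1.4.13)"
198.51.100.7 - - [23/Jul/2009:10:01:02 +0200] "GET /old/ HTTP/1.0" 404 210 "-" "check_http/1.96 (nagios-plugins 1.4.5)"
198.51.100.7 - - [23/Jul/2009:10:01:03 +0200] "GET /test/ HTTP/1.0" 404 210 "-" "check_http/1.96 (nagios-plugins 1.4.5)"
198.51.100.7 - - [23/Jul/2009:10:01:04 +0200] "GET /user HTTP/1.0" 200 900 "-" "check_http/1.96 (nagios-plugins 1.4.5)"
198.51.100.7 - - [23/Jul/2009:10:01:05 +0200] "GET /tmp/ HTTP/1.0" 404 210 "-" "check_http/1.96 (nagios-plugins 1.4.5)"
203.0.113.5 - - [23/Jul/2009:10:02:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')


def summarize(log_text, agent_prefix="check_http/", max_paths=3):
    """Return {ip: (hits, distinct_paths, client_errors, kind)} for one agent."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["agent"].startswith(agent_prefix):
            continue  # unparsable line or a different user agent
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        entry["paths"].add(m["path"])
        entry["errors"] += m["status"].startswith("4")  # count 4xx replies
    report = {}
    for ip, e in per_ip.items():
        # Heuristic (assumption): a monitor polls a few fixed URLs, while a
        # scanner using this agent string walks many paths and draws 4xx.
        kind = "monitor-like" if len(e["paths"]) <= max_paths else "scan-like"
        report[ip] = (e["hits"], len(e["paths"]), e["errors"], kind)
    return report


if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, *row)
```

The user agent is client-supplied, so the per-address grouping is what identifies the sender; the agent string only selects which log lines to look at.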




