Detect HTTP enumeration attacks

With this command you can list the IPs that have run an enumeration attack against us.
It can be very useful to add those IPs to the firewall blacklist.

Remember that enumeration is a phase that precedes an attack: if vulnerabilities are found during the enumeration phase,
they will be used in the analysis and exploitation phases.

Current day: `cat /var/log/apache2/access.log |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -rn | head`

root@jejo.es ~# cat /var/log/apache2/access.log |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head
      4 124.123.188.179
      3 183.82.36.176
      3 167.71.4.97
      2 206.189.23.43
No attacks are detected because the httpenum defence is active, which blocks the IPs that try to enumerate us over HTTP.

**Previous day:** `cat /var/log/apache2/access.log.1 |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -rn | head`
root@jejo.es ~# cat /var/log/apache2/access.log.1 |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head
    830 187.122.248.165
    486 118.24.38.122
      4 49.207.238.102
      4 106.51.2.127
      3 66.249.66.52
Two enumerations are clearly visible: one of 800 requests and another of 400.

**Last 10 days:** `zcat /var/log/apache2/access.log.?.gz |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -rn | head`
root@jejo.es ~# zcat /var/log/apache2/access.log.?.gz |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head
    841 106.12.52.142
    836 129.211.22.24
    823 189.129.210.248
    787 175.139.154.207
     14 66.249.66.52
     14 202.134.175.161
     12 66.249.79.204
     10 106.51.2.127
      9 49.207.178.104
As you can see, we have been enumerated __blatantly__ 4 times.

**Using the whole history:** `zcat /var/log/apache2/access.log.*.gz |awk '/" 40/&&!/jcloud/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -rn|head`
root@jejo.es ~# zcat /var/log/apache2/access.log.*.gz |awk '/" 40/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -r|head
    841 106.12.52.142
    836 129.211.22.24
    829 212.64.25.196
    823 189.129.210.248
    787 175.139.154.207
     74 166.70.207.2
     17 49.206.252.127
     14 66.249.66.52
     14 202.134.175.161
     14 106.51.2.127

Now, if we investigate one of the IPs (just out of curiosity):

root@jejo.es ~# zcat /var/log/apache2/access.log.*.gz |awk '/106.12.52.142/{print $1 $7}'|sort|uniq -cd|sort -r     
      9 106.12.52.142/test.php
      8 106.12.52.142/1.php
      6 106.12.52.142/qq.php
      5 106.12.52.142/x.php
      5 106.12.52.142/shell.php
      5 106.12.52.142/cmd.php
      4 106.12.52.142/ss.php
      4 106.12.52.142/log.php
      4 106.12.52.142/confg.php
      4 106.12.52.142/api.php
      3 106.12.52.142/zzz.php
      3 106.12.52.142/z.php
      3 106.12.52.142/q.php
      3 106.12.52.142/jsc.php
      3 106.12.52.142/hell.php
      3 106.12.52.142/aaa.php
      3 106.12.52.142/2.php
      3 106.12.52.142/123.php
      3 106.12.52.142/
      2 106.12.52.142/zxy.php
      2 106.12.52.142/zxc1.php
      2 106.12.52.142/zxc.php
      2 106.12.52.142/xx.php
      2 106.12.52.142/xiaoxi.php
      2 106.12.52.142/xiao.php
      2 106.12.52.142/www.php
      2 106.12.52.142/ww.php
      2 106.12.52.142/v.php
From this we can work out which dictionary it used.
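The same detection the awk pipeline above performs (4xx responses per client IP, ignoring favicon and robots noise) together with the per-IP path listing used to recover the scanner's dictionary, as an added Python example that is not part of the original page. The log regex, the `NOISE` tuple, the `scan`/`read_logs` names, the threshold and the sample log lines are my assumptions; counts are sorted numerically, which is what `sort -rn` gives in the shell.

```python
# Added example, not from the original page: the awk pipeline's detection with a
# real parser (status from its own field, numeric sort) plus the per-IP path list.
import gzip
import re
from collections import Counter, defaultdict
from pathlib import Path

# Apache "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
NOISE = ("favicon", "robots")  # same exclusions as the page's awk filter

def parse_line(line):
    """Return (ip, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("path"), int(m.group("status"))) if m else None

def scan(lines, threshold=50):
    """Count 4xx responses per client IP, ignoring favicon/robots noise.
    Returns ([(ip, count)] sorted by count for IPs >= threshold, paths[ip]=Counter)."""
    hits, paths = Counter(), defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        paths[ip][path] += 1  # every request, so the dictionary can be recovered
        if 400 <= status < 500 and not any(n in path for n in NOISE):
            hits[ip] += 1
    suspects = [(ip, n) for ip, n in hits.most_common() if n >= threshold]
    return suspects, paths

def read_logs(pattern="/var/log/apache2/access.log*"):
    """Yield lines from the current and rotated (.gz) logs matching a glob."""
    for p in sorted(Path(pattern).parent.glob(Path(pattern).name)):
        opener = gzip.open if p.suffix == ".gz" else open
        with opener(p, "rt", errors="replace") as fh:
            yield from fh

# Constructed sample log: a scanner probing PHP files, a crawler, a normal visitor.
SAMPLE = ['203.0.113.7 - - [27/Aug/2019:10:00:00 +0200] "GET /%s HTTP/1.1" 404 209 "-" "Mozilla/5.0"' % n
          for n in ("test.php", "1.php", "qq.php", "x.php", "shell.php", "cmd.php")] + [
    '198.51.100.9 - - [27/Aug/2019:10:01:00 +0200] "GET /robots.txt HTTP/1.1" 404 209 "-" "bot"',
    '198.51.100.9 - - [27/Aug/2019:10:01:01 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "bot"',
    '192.0.2.5 - - [27/Aug/2019:10:02:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE, threshold=5)[0])  # on a real server: scan(read_logs())
```

The crawler's robots.txt and favicon.ico misses are kept in `paths` but never counted as hits, so a well-behaved bot does not end up on the blacklist candidate list.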

Whether the IP is a habitual attacker (disclaimer):
jejo@em50l:~$ curl -s https://www.badips.com/get/info/106.12.52.142/Report |grep listed
{
"ReporterCount":{"sum":2,"apache":1,"wordpress":1},
"Categories":["apache","wordpress"],
"Score":{"apache":0,"wordpress":0},
"LastReport":{"apache":1566860200,"wordpress":1566690496},
"IP 106.12.52.142 is listed on badips.com!"
}
In this case, **1566 million notifications**, for Apache and WordPress.
jejo@em50l:~$ curl ipinfo.io/106.12.52.142
{
  "ip": "106.12.52.142",
  "city": "",
  "region": "Beijing",
  "country": "CN",
  "loc": "39.9289,116.3880",
  "org": "AS38365 Beijing Baidu Netcom Science and Technology Co., Ltd.",
  "readme": "https://ipinfo.io/missingauth"
}

If the server is not Debian/Ubuntu, the command may change slightly.
For example, on CentOS it would be something like: `cat /var/log/httpd/access_log-* |awk '/" 40/&&!/jcloud/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -rn|head`

Note that a plain `sort -r` orders the counts as text, so in a locale that ignores leading whitespace a 42 can land between the 4s (as in the transcript below, which was run with `sort -r`); `sort -rn` orders by the numeric count.

[root@centos1 ~]# cat /var/log/httpd/access_log-* |awk '/" 40/&&!/jcloud/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -r|head
    827 112.78.161.101
      6 94.102.50.96
      6 77.154.194.148
      6 41.216.186.201
      4 35.190.141.79
     42 95.88.161.201
      4 209.141.53.82
      4 193.188.22.56
     41 62.173.140.193
      4 134.209.216.67

To see the enumeration done by one specific IP, for example:

[root@centos1 ~]# cat /var/log/httpd/access_log-* |awk '/112.78.161.101/{print $1,$7}'|sort|uniq -cd|sort -r
      9 112.78.161.101 /test.php
      8 112.78.161.101 /1.php
      6 112.78.161.101 /qq.php
      5 112.78.161.101 /x.php
      5 112.78.161.101 /cmd.php
      4 112.78.161.101 /ss.php
      4 112.78.161.101 /shell.php
      4 112.78.161.101 /log.php
      4 112.78.161.101 /confg.php
      4 112.78.161.101 /api.php
      3 112.78.161.101 /zzz.php
      3 112.78.161.101 /z.php
      3 112.78.161.101 /q.php
      3 112.78.161.101 /jsc.php
      3 112.78.161.101 /hell.php
      3 112.78.161.101 /aaa.php
      3 112.78.161.101 /2.php
      3 112.78.161.101 /123.php
      3 112.78.161.101 /
      2 112.78.161.101 /zxy.php
      2 112.78.161.101 /zxc.php
      2 112.78.161.101 /zxc1.php
      2 112.78.161.101 /xx.php
      2 112.78.161.101 /xiaoxi.php
      2 112.78.161.101 /xiao.php
      2 112.78.161.101 /www.php
      2 112.78.161.101 /ww.php
      2 112.78.161.101 /v.php
      2 112.78.161.101 /uuu.php
      2 112.78.161.101 /uu.php
      2 112.78.161.101 /up.php
      2 112.78.161.101 /test404.php
      2 112.78.161.101 /test123.php
      2 112.78.161.101 /sss.php
      2 112.78.161.101 /ssaa.php
      2 112.78.161.101 /s.php
      2 112.78.161.101 /secure.php
      2 112.78.161.101 /qwq.php
      2 112.78.161.101 /qqq.php
      2 112.78.161.101 /qiqi.php
      2 112.78.161.101 /python.php
      2 112.78.161.101 /ppp.php
      2 112.78.161.101 /php.php
      2 112.78.161.101 /paylog.php
      2 112.78.161.101 /payload.php
      2 112.78.161.101 /ooo.php
      2 112.78.161.101 /my.php
      2 112.78.161.101 /muhstik.php
      2 112.78.161.101 /MCLi.php
      2 112.78.161.101 /lucky.php
      2 112.78.161.101 /lr.php
      2 112.78.161.101 /lanyecn.php
      2 112.78.161.101 /izom.php
      2 112.78.161.101 /infos.php
      2 112.78.161.101 /info.php
      2 112.78.161.101 /index.php
      2 112.78.161.101 /help.php
      2 112.78.161.101 /hello.php
      2 112.78.161.101 /hack.php
      2 112.78.161.101 /dns.php
      2 112.78.161.101 /ddd.php
      2 112.78.161.101 /data.php
      2 112.78.161.101 /c.php
      2 112.78.161.101 /conf.php
      2 112.78.161.101 /conflg.php
      2 112.78.161.101 /config.php
      2 112.78.161.101 /code.php
      2 112.78.161.101 /cnm.php
      2 112.78.161.101 /can.php
      2 112.78.161.101 /app.php
      2 112.78.161.101 /a.php
      2 112.78.161.101 /ak.php
      2 112.78.161.101 /aa.php
      2 112.78.161.101 /7.php
      2 112.78.161.101 /3.php
      2 112.78.161.101 /1ndex.php
      2 112.78.161.101 /12.php

___

### How to mitigate them

Attacks in their enumeration phase can end up bringing our server down. Many are dictionary attacks and others brute-force attacks. To mitigate them we can install `mod_evasive` and `mod_security`.

**Debian/Ubuntu**

```txt
sudo apt-get install libapache2-mod-evasive
sudo a2enmod evasive
sudo /etc/init.d/apache2 force-reload
```
root@deb1:/# sudo apt-get install libapache2-mod-evasive
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libapache2-mod-evasive is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@deb1:/# ls /etc/apache2/mods-available/|grep evasive
evasive.conf
evasive.load
root@deb1:/# sudo a2enmod evasive         
Module evasive already enabled
root@deb1:/# apache2ctl -M |grep evasive              
 evasive20_module (shared)

CentOS, Fedora, RHEL: `sudo yum install mod_evasive && /etc/init.d/httpd restart`

[root@centos1]# yum install mod_evasive
Complementos cargados:fastestmirror, presto, priorities
Configurando el proceso de instalación
Loading mirror speeds from cached hostfile
epel/metalink                                            |  31 kB     00:00
 * base: mirrors.prometeus.net
 * epel: mirror.de.leaseweb.net
 * extras: mirrors.prometeus.net
 * updates: mirrors.prometeus.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
iRedMail                                                 | 2.9 kB     00:00
updates                                                  | 3.4 kB     00:00
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Package mod_evasive.x86_64 0:1.10.1-10.el6 will be instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

=========================================================================
 Paquete          Arquitectura   Versión            Repositorio   Tamaño
=========================================================================
Instalando:
 mod_evasive      x86_64         1.10.1-10.el6      epel          24 k

Resumen de la transacción
=========================================================================
Instalar       1 Paquete(s)

Tamaño total de la descarga: 24 k
Tamaño instalado: 52 k
Está de acuerdo [s/N]:s
Descargando paquetes:
Setting up and reading Presto delta metadata
epel/prestodelta                                         | 2.4 kB     00:00
Processing delta metadata
Package(s) data still to download: 24 k
mod_evasive-1.10.1-10.el6.x86_64.rpm                     |  24 kB     00:00
Ejecutando el rpm_check_debug
Ejecutando prueba de transacción
La prueba de transacción ha sido exitosa
Ejecutando transacción
  Instalando : mod_evasive-1.10.1-10.el6.x86_64                         1/1
  Verifying  : mod_evasive-1.10.1-10.el6.x86_64                         1/1

Instalado:
  mod_evasive.x86_64 0:1.10.1-10.el6

¡Listo!
[root@centos1]# /etc/init.d/httpd restart
Parando httpd:                                             [  OK  ]
Iniciando httpd:                                           [  OK  ]

### More info at:
Enum_Detector
Filtrar_ataques_log_http
ThinkPHP vulnerability (remote code execution)
Detect HTTP enumeration attacks

### References:
https://ipinfo.io/
https://www.badips.com/
https://www.cyberciti.biz/faq/unix-linux-shell-removing-duplicate-lines/
https://www.tecmint.com/use-linux-awk-command-to-filter-text-string-in-files/
https://www.tecmint.com/awk-filter-text-or-string-using-patterns/
https://dzone.com/articles/35-examples-of-regex-patterns-using-sed-and-awk-in