
[OT] RE: Microsoft-IIS/6.0 - US - Debian mirror?



> -----Original Message-----
> From: Forsaken [mailto:forsaken@targaryen.us]
> Sent: Thursday, July 31, 2008 1:26 AM
> To: debian-user@lists.debian.org
> Subject: Re: Microsoft-IIS/6.0 - US - Debian mirror?
> 
> On Mon, 28 Jul 2008 18:10:20 -0700
> "Lubos Rendek" <linuksos@gmail.com> wrote:
> 
> > Hi Guys,
> >
> > I'm just wondering what is the reason that Debian US mirror is running
> > on Microsoft-IIS/6.0? Or at least this is what my browser shows when I
> > go to: http://http.us.debian.org/debian/dists/etch/
> > --
> > lubo
> > http://www.linuxconfig.org/
> >
> >
> 
> It probably means someone is using mod_security to tweak the server
> signature to show something else. We do that at work by default on all
> of our servers just to keep the bad guys guessing.
> 
> That has come back to bite us in the ass occasionally. Try installing
> YaBB2 on an apache server showing IIS as the signature sometime.

I understand spoofing the signature to throw off the bad guys, but why
would you spoof IIS on an Apache system?

This comes just from my limited knowledge on this subject, but I have a
Debian Apache server and a 2k3 IIS server, both behind a Smoothwall
firewall. I have my Smoothwall configured to drop all the packets that
it identifies as attacks and to log the attempt. I have SOOOO many more
attacks by worms and so forth trying to get into the IIS system than I
do on the Apache. A quick look shows that I have had at least one attack
every hour for the past couple of days on the IIS but I spot none on the
Apache (there may be some, but if so I have missed them in the log
file).

Now I know these attacks for IIS won't work against Apache, but I don't
understand why I would broadcast as IIS and put my Apache box into this
line of fire (even if it is nothing more than the bandwidth of the failed
attacks). Isn't there something else to spoof that wouldn't cause an
increase of attacks?

Any comments would be appreciated. I am always open to suggestions to
improve my systems/security. If my question/understanding is too
newbish, please be gentle. :-)

Thanks!

As a side note, I see these giant log files of dropped attacks and I
can't help but wonder two things. 1) What's going to happen when one
gets through to the Windows box? I mean, I have backups and plans in
case but still...*dread* 2) How on earth do Windows Admins sleep at
night with these kinds of constant attacks out there? Maybe I should, but
I don't worry about any of my Linux systems as a whole as much as I do
on this one Windows box... :-D
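The two Apache settings the thread turns on, as an added example that is not part of any message above and not configuration from the mirror or from Forsaken's servers: the minimal-disclosure directives that ship with Apache, and the ModSecurity 2.x directive that rewrites the banner outright (ModSecurity 2.x needs ServerTokens Full for SecServerSignature to take effect, since it overwrites the full version string Apache would otherwise send). The IIS string is the one from the thread; the choice between the two approaches is the question the poster raises.

```apache
# Minimal disclosure (Apache core directives, no module needed):
# "Server: Apache" with no version, and no version footer on error pages.
ServerTokens Prod
ServerSignature Off

# Banner rewrite as described in the quoted post (ModSecurity 2.x).
# Commented out here; if used, ServerTokens must be Full, and the
# Prod/Off pair above must be replaced, not combined with it.
# ServerTokens Full
# SecServerSignature "Microsoft-IIS/6.0"
```

After a reload, `curl -sI http://localhost/ | grep -i '^Server:'` shows which string the server actually sends; checking it is worth doing, since a banner that claims IIS while the response headers and error pages still look like Apache does not hide much from an automated scanner, and the worm traffic the poster describes is not reading the banner at all.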
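The "at least one attack every hour" check the poster did by eye over the dropped-packet log, as an added Python example that is not part of the thread: it parses netfilter-style DROP lines of the kind an iptables-based firewall writes to syslog, counts drops per destination host and per clock hour, and lists the hosts that were hit in every hour the log spans. The log lines, addresses and the year (syslog lines carry none) are constructed for this example; the exact field layout of a given Smoothwall build is an assumption, so the regex is the part to adjust.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: netfilter-style DROP lines as written to syslog.
# Hosts, addresses and times are made up; DST is the protected server.
SAMPLE_LOG = """\
Jul 30 10:03:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4412 DPT=80
Jul 30 10:41:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=1182 DPT=80
Jul 30 11:12:45 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3321 DPT=80
Jul 30 12:05:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4413 DPT=80
Jul 30 12:50:30 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=2200 DPT=80
Jul 30 13:18:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.90 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=80
"""

# Assumed line layout (syslog timestamp, host, "kernel: DROP", then
# the netfilter key=value fields). Adjust for a different log format.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
    r"\s+\S+\s+kernel:\s+DROP\s+.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?DPT=(?P<dport>\d+)"
)


def parse_drops(text, year=2008):
    """Return one record per DROP line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog omits the year, so the caller supplies it (constructed here)
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        records.append(
            {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
        )
    return records


def count_by_dst(records):
    """Total dropped packets per destination host."""
    counts = defaultdict(int)
    for r in records:
        counts[r["dst"]] += 1
    return dict(counts)


def hour_key(ts):
    return ts.strftime("%Y-%m-%d %H:00")


def hourly_counts(records, dst):
    """Dropped packets for one destination, bucketed by clock hour."""
    counts = defaultdict(int)
    for r in records:
        if r["dst"] == dst:
            counts[hour_key(r["ts"])] += 1
    return dict(counts)


def hosts_hit_every_hour(records):
    """Destinations with at least one drop in every clock hour the log spans."""
    if not records:
        return []
    first = min(r["ts"] for r in records).replace(minute=0, second=0)
    last = max(r["ts"] for r in records).replace(minute=0, second=0)
    hours, h = [], first
    while h <= last:
        hours.append(hour_key(h))
        h += timedelta(hours=1)
    return [
        dst
        for dst in sorted({r["dst"] for r in records})
        if all(hour in hourly_counts(records, dst) for hour in hours)
    ]


if __name__ == "__main__":
    recs = parse_drops(SAMPLE_LOG)
    print("drops per host:", count_by_dst(recs))
    for dst in count_by_dst(recs):
        print(dst, "per hour:", hourly_counts(recs, dst))
    print("hit every hour:", hosts_hit_every_hour(recs))
```

Run against a real log with `parse_drops(open("/var/log/messages").read())`; the per-host totals are the comparison the poster made between the IIS box and the Apache box, and the every-hour list is the "at least one attack every hour" observation made repeatable rather than eyeballed.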

