Apache Web Server Forum

    
URLScan / ModRewrite
Stopping those log entries...
pageoneresults




msg:1521923
 2:17 am on May 28, 2003 (gmt 0)

Ever since NIMDA hit way back when, rogue server activity has always been a concern. I consistently find those long URL requests where something is looking for security holes on our Windows Servers. They've dropped back quite a bit over the months, but they are still there and represent a small percentage of overall hits.

I was wondering if anyone else is currently experiencing this and what is it that you are doing to prevent it? I've found information for both Windows and Apache which I am forwarding to my hosting administrator for review. Any comments?

Windows
URLScan Security Tool [microsoft.com]
IIS Lockdown Tool [microsoft.com]

Apache
URL Rewriting with the Apache Webserver [engelschall.com]

 

jdMorgan




msg:1521924
 2:48 am on May 28, 2003 (gmt 0)

pageoneresults,

I can speak for mod_rewrite, but not the others. mod_rewrite is a good way to block unwelcome visitors by IP address, user-agent, remote_host, etc., and can be used to support bad-bot traps to automate this process. But the problem is that it can only stop actual intrusions, not intrusion attempts. These rogue 'bots will still send requests to your server and clutter up your logs, in many cases totally oblivious to the fact that each of their requests elicits only a 403-Forbidden server response due to mod_rewrite blocking delivery of the requested resources.

If you are on a virtual-hosting setup, it may be possible for these requests to be deflected at the main server level, so that they don't appear in your logs, but the fact remains that the requests are still putting a load on the server.

In the specific case of NIMDA, most of its requests are ill-formed and are rejected with a 400-Bad Request before user-level .htaccess mod_rewrite is even invoked.

If you find that some particularly-aggressive 'bot is pounding your site into the ground from a fixed IP address, asking your hosting service to "black-hole" that IP address at the firewall is another possibility. That will make them go away completely, but you end up playing "whack-a-mole" trying to keep up with all the IP addresses they can use.

So, the message is mixed; there is no perfect answer. But one thing I've noticed is that if a bad-bot finds a hole in my defenses, then more seem to show up trying that same exploit. And if I plug that hole, then the attempts fall off over time as a result. So, despite the fact that the methods we have available to us at the "rent-a-host" level on shared servers are not perfect, they do have some effect, and are therefore still worth implementing.

Jim

pageoneresults




msg:1521925
 3:35 am on May 28, 2003 (gmt 0)

Thanks jdmorgan, that was all I needed to hear. I was just checking to see if others have found a way to minimize the requests by utilizing the above tools. I'm more concerned with Windows as that is the platform I have to work on at the moment.

The requests are minimal, but, enough to register on the screen when viewing statistics. I'll have my host check to see if they are coming from a fixed IP.
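
Added example, not part of the thread or any poster's code: a small Python triage script for the check discussed above, i.e. whether the rejected requests (400/403 responses, or over-long URLs) in an Apache access log come from one fixed IP address that could be reported to the host for firewall blocking. The log lines, the documentation-range IP addresses, the paths and the thresholds (`max_url_len`, `min_hits`, `min_share`) are all constructed assumptions.

```python
import re
from collections import Counter

# Apache common/combined log format:
#   host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/May/2003:02:01:11 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '203.0.113.7 - - [28/May/2003:02:03:37 +0000] "GET /scripts/probe-one.exe HTTP/1.0" 403 289',
    '203.0.113.7 - - [28/May/2003:02:03:38 +0000] "GET /scripts/probe-two.exe HTTP/1.0" 403 289',
    '203.0.113.7 - - [28/May/2003:02:03:39 +0000] "GET /bad%request HTTP/1.0" 400 301',
    '203.0.113.7 - - [28/May/2003:02:03:40 +0000] "GET /probe?' + "X" * 250 + ' HTTP/1.0" 404 -',
    '198.51.100.23 - - [28/May/2003:02:10:02 +0000] "GET /private/ HTTP/1.0" 403 289',
    '192.0.2.10 - - [28/May/2003:02:11:45 +0000] "GET /about.html HTTP/1.0" 200 2048',
]

def rejected_by_ip(lines, max_url_len=200):
    """Count requests per client IP that were rejected (400/403) or over-long."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, request, status = m.group(1), m.group(2), int(m.group(3))
        parts = request.split(" ")
        # Malformed requests may lack the "METHOD URL PROTOCOL" shape.
        url = parts[1] if len(parts) > 1 else request
        if status in (400, 403) or len(url) > max_url_len:
            hits[ip] += 1
    return hits

def fixed_ip_candidates(lines, min_hits=3, min_share=0.5):
    """Return (ip, count) pairs that dominate the rejected traffic."""
    hits = rejected_by_ip(lines)
    total = sum(hits.values())
    return [(ip, n) for ip, n in hits.most_common()
            if n >= min_hits and n / total >= min_share]

if __name__ == "__main__":
    for ip, n in fixed_ip_candidates(SAMPLE_LOG):
        print(f"{ip}: {n} rejected or over-long requests")
```

If no single address dominates, the list comes back empty, which matches the "whack-a-mole" situation where per-IP firewall blocking is of little use.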

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved