Apache Local Host Security

ukgimp,

I get thousands of these per week on my sites. This is a Code Red or Nimda-infected machine trying to access your web server and propagate itself. The 403 response indicates that you have successfully blocked the attempt. Since your server is Apache, it's not susceptible to these worms anyway.

Blocking any request for the file "cmd.exe" catches 95% of these accesses. The rest can also be blocking using mod_rewrite in .htaccess on Apache with something like this:

# Block MS IIS server security exploits
RewriteRule \.ida$ - [F]
RewriteRule /cmd\.exe$ - [F]
RewriteRule /root\.exe$ - [F]
RewriteRule /shell\.exe$ - [F]
RewriteRule \_vti\_ - [F]
RewriteRule ^NULL - [NC,F]

There are a few Apache security problems. A site search here may turn up a thread that (I think) I saw recently here on WebmasterWorld.

These cmd.exe accesses are more of a bother (bandwidth leak) than a worry on Apache.

Jim

If you are using Linux, you can also protect yourself somewhat against as yet unknown vulnerabilities in your network daemons with iptables (or ipchains on an older kernel). For example, nobody outside the house needs to reach the Apache server on my development box, so I closed port 80 to packets originating outside the house. In fact, I set a general policy of all ports being closed and then just opened the ones I use. It's not an excuse to ignore vulnerability alerts, but it does make you just that much safer.

I'm sure the same is possible for Windows machines, but I understand that to be an extra-cost option,

More info is at:
[webmasterworld.com...]
[webmasterworld.com...]
and several other threads.