httpd-users mailing list archives

From "Jack L. Stone" <jackst...@sage-one.net>
Subject Re: [users@httpd] blocking one address
Date Fri, 29 Aug 2003 01:41:18 GMT
At 08:10 PM 8.28.2003 -0500, Mike wrote:
>At 07:40 PM 8/28/2003, you wrote:
>>How can I block requests from a certain IP in Apache?  There is some virus
>>(I think) bombarding me with requests for many different things.
>>Some examples (cut times to avoid wrapping, but this group was all within
>>about 2 secs):
>>
>>68.52.102.47 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226
>>68.52.102.47 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226
>>68.52.102.47 "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>68.52.102.47 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>
>>Luckily I'm not running NT.  I suppose a better idea would be to block
>>this address from iptables.  Any hints on how to do either of these things?
>>
>>Another question:  I get the /default.ida (Code Red II virus) requests a
>>lot but from far too many different IPs to make blocking the addresses a
>>solution.  I was returning my 404 page at about 250 bytes each time so I
>>just made a 0 length default.ida, now 0 bytes get returned.  However I
>>can't do that in this case; any way to tell Apache to return 0 bytes when
>>something looks for, say, the /scripts dir (which I don't have/need)?
>>
>>TIA
>>Michael
>
>Mike.
>
>You're seeing Code Red and/or Nimda (from ages ago) hits from machines that
>are *still* infected.
>
>To deal with these things, I have the following in my httpd.conf:
>
># Redirect Code Red, NIMDA and other inappropriate access attempts to an invalid URL
>Redirect /_mem_bin http://www.request.invalid
>Redirect /_vti_bin http://www.request.invalid
>Redirect /c http://www.request.invalid
>Redirect /d http://www.request.invalid
>Redirect /msadc http://www.request.invalid
>Redirect /MSADC http://www.request.invalid
>Redirect /scripts http://www.request.invalid
>Redirect /sumthin http://www.request.invalid
># Any request for a .dll or .ida file
>RedirectMatch ^.*\.(dll|ida)$ http://127.0.0.1/$1
># Any request for cmd.exe, whatever directory it is in
>RedirectMatch ^(.*)/cmd\.exe$ http://127.0.0.1/$1
>
>Put those in your httpd.conf file (assuming you have access to your box and 
>assuming the machine isn't a windoze web server) and then restart apache.
>
>HTH.
>-mike 
>

Very interesting tip! Exactly where do you place those redirects in the
httpd.conf, especially if there are vhosts in the httpd.conf...? Or, are
they global...?

I like the looks of this....

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

