httpd-users mailing list archives

From s...@conman.org (Sean Conner)
Subject Re: [users@httpd] Blocking invalid URIs?
Date Fri, 10 Mar 2006 22:25:19 GMT
It was thus said that the Great John Rodenbiker once stated:
> 
> I'm very new to running a web server.
> 
> Is there a way to have httpd drop requests to URIs that don't actually 
> exist in my environment?
> 
> For example, if I have a very simple web site with just the document 
> "index.html" I don't want people trying to access 
> "../../../../../users/john/secretstuff". I would prefer such attempts 
> be dropped, logged, and an alert thrown to my mailbox or a script that 
> calls my cell phone.
>
> If such functionality exists, is there a way for httpd to automatically 
> figure out which URIs are valid and which are not without me changing a 
> database, config file, etc. every time I update my site?

  It's turned on by default in Apache.  In other words, any content
*outside* of the DocumentRoot is not served up, no matter how many "../" are
thrown at the web server.  Don't put anything you don't want seen in the
DocumentRoot.

  And I really wouldn't bother with the alerts (just log and drop is good
enough).  My own personal site (small, only got 32,000 hits last month)
received about 20 requests for non-existent pages per day last month.  For
example:

218.232.96.150 - - [02/Feb/2006:00:45:15 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 2087 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc.php HTTP/1.0" 404 2058 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:17 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:17 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 2063 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:18 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:18 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 2068 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:19 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 2064 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:19 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 2070 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 2074 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:21 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 2068 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:21 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:21 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 2068 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:22 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:22 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 2066 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:23 -0500] "GET /cgi/awstats.pl HTTP/1.0" 404 2062 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:23 -0500] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 2067 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:24 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 2066 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:24 -0500] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 2074 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:25 -0500] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 2075 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:25 -0500] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 2070 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:26 -0500] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:26 -0500] "GET /scripts/awstats.pl HTTP/1.0" 404 2066 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:27 -0500] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 2072 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:27 -0500] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 2073 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:28 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 2064 "-" "-"

  By the time such an attack is detected, they're already gone.

  -spc (Hmmm ... must be some exploit in AWStats ... )
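The first paragraph of the reply states that nothing outside DocumentRoot is served however many "../" a request carries. The Python below is an added illustration of why, not code from the post and not httpd's own implementation (httpd may well reject such a request outright rather than collapse it; the ordering is the point): dot segments are resolved on the URI path, which has nothing above "/", and only then is DocumentRoot attached. naive_map() shows the ordering that is exploitable, for contrast. DOCUMENT_ROOT is an assumed value.

```python
"""Why a pile of "../" in a request cannot reach outside DocumentRoot.

Added example; not code from the post and not httpd's own implementation
(httpd may reject such a request outright instead of collapsing it). It
shows the order of operations that makes the reply's claim true: dot
segments are resolved on the *URI path*, which is rooted at "/", before
DocumentRoot is ever prepended. naive_map() shows the exploitable order.
"""
import os
from urllib.parse import unquote

DOCUMENT_ROOT = "/var/www/html"   # assumed path; any absolute directory works


def remove_dot_segments(uri_path: str) -> str:
    """Resolve "." and ".." in an absolute URI path (RFC 3986 s.5.2.4).

    Surplus ".." at the top is simply dropped: "/../../x" -> "/x".
    There is nothing above the root of a URI path to climb into.
    """
    out = []
    for seg in uri_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def map_to_filesystem(request_target: str, docroot: str = DOCUMENT_ROOT) -> str:
    """Safe ordering: decode, normalise the URI path, *then* attach DocumentRoot."""
    path = request_target.split("?", 1)[0]        # drop any query string
    decoded = unquote(path)                        # one decode: %2e%2e becomes ".."
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    clean = remove_dot_segments(decoded)           # always starts with "/"
    root = docroot.rstrip("/")
    fs_path = root + clean
    # Belt and braces: this cannot fail after remove_dot_segments, but a
    # server should still refuse anything that does not sit under docroot.
    if fs_path != root and not fs_path.startswith(root + "/"):
        raise PermissionError(fs_path)
    return fs_path


def naive_map(request_target: str, docroot: str = DOCUMENT_ROOT) -> str:
    """Exploitable ordering: glue the raw path onto the directory first and
    let the OS resolve ".." against the real filesystem tree."""
    return os.path.normpath(docroot + "/" + unquote(request_target))


if __name__ == "__main__":
    probe = "/../../../../../users/john/secretstuff"   # the OP's example
    print("safe :", map_to_filesystem(probe))
    print("naive:", naive_map(probe))
```

Run as a script it maps the OP's example to /var/www/html/users/john/secretstuff with the safe ordering (a 404 in practice, since the file is not there) and to /users/john/secretstuff with the naive one. The lesson carries over to anything you write yourself: CGI scripts and applications that build a filesystem path from request input get none of the server's protection unless they normalise before joining in the same way.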
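The log excerpt is what detecting such a scan looks like in practice. The Python below is an added example, not code from the post or from httpd: it parses combined-format access log lines, flags any client address that produces THRESHOLD or more 404s inside a WINDOW-second span, and reports how long the burst lasted. SAMPLE_LOG takes seven of the lines quoted above (re-joined onto single lines) plus two constructed lines from 192.0.2.10 so that an ordinary visitor's single 404 is shown not being flagged; the threshold and window values are assumptions to tune for your own traffic.

```python
"""Pick a scanner burst out of an Apache access log.

Added example, not code from the post or from httpd. It parses combined-
format lines, keeps the 404s, and flags any client address with THRESHOLD
or more of them inside a WINDOW span, reporting how long the burst ran.
SAMPLE_LOG is seven of the lines quoted in the post plus two constructed
lines from 192.0.2.10 (an ordinary visitor with one missing favicon).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat. The request protocol is optional so that an
# HTTP/0.9 style "GET /path" request line still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

THRESHOLD = 5                    # 404s from one address ...  (assumed)
WINDOW = timedelta(seconds=60)   # ... inside this span => scanner (assumed)

SAMPLE_LOG = """\
192.0.2.10 - - [02/Feb/2006:00:44:58 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
218.232.96.150 - - [02/Feb/2006:00:45:15 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 2087 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc.php HTTP/1.0" 404 2058 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:17 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 2063 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:18 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:22 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 2066 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:28 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 2064 "-" "-"
192.0.2.10 - - [02/Feb/2006:00:46:03 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Map ip -> densest burst of 404s that meets the threshold.

    Each value carries count, first/last timestamps and the probed paths.
    Lines that fail to parse are skipped rather than aborting a large run.
    """
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in misses.items():
        events.sort()                         # logs are not always in order
        start = 0
        for end in range(len(events)):
            # slide the window's left edge until the span fits inside WINDOW
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, {}).get("count", 0):
                flagged[ip] = {
                    "count": count,
                    "first": events[start][0],
                    "last": events[end][0],
                    "paths": [p for _, p in events[start:end + 1]],
                }
    return flagged


def report(flagged):
    """One line per flagged address, suitable for a log entry or a cron mail."""
    lines = []
    for ip, b in sorted(flagged.items()):
        secs = int((b["last"] - b["first"]).total_seconds())
        lines.append(f"{ip}: {b['count']} x 404 in {secs}s, e.g. {b['paths'][0]}")
    return lines


if __name__ == "__main__":
    for line in report(find_scanners(SAMPLE_LOG.splitlines())):
        print(line)
```

Run as a script it reports one address, 218.232.96.150, with 7 x 404 in 13 s, and nothing for 192.0.2.10. Those 13 seconds are the practical basis for the advice in the reply: the whole probe is over long before a page to a phone could be acted on, so log it, drop it, and at most feed the flagged address into a blocklist from a cron job rather than wake anyone up.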


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org