Solved

Help in using SetEnvIf in Apache Configuration

Posted on 2004-04-03
10
737 Views
Last Modified: 2008-03-17
I'm getting these rather annoying hits in my access.log file this is something like:

123.456.789.23 - -[23/Mar/2004:07:07:26 -0500] "SEARCH /\x90\x90\x90.........."

Where the \x90 goes on for many lines. I've tried using SetEnvIf to block this, but without success.

Any ideas on how to block this?


0
Comment
Question by:keyboardman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
10 Comments
 
LVL 6

Expert Comment

by:prof666
ID: 10789714
I had the same Issue. You cant remove SEARCH from log ??? Instead I used iptables to block SEARCH requests to Port 80:

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"

Works a treat. Might cause quite a hit on your cpu if your site is high volume. To remove:

iptables -D INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"

Regards

Da Proff

0
 

Author Comment

by:keyboardman
ID: 10791185
Can you tell me what iptables is?  I've never heard of them.  

I just did a google search and got some things about Linux and iptables?  I'm running XP and can't seem to find anything anything about iptables for Windows.

Thanks,
Keyboardman
0
 
LVL 6

Expert Comment

by:prof666
ID: 10791346
Ahh, I foolishly assumed you were using Linux...sorry. Iptables are part of the linux kernel, and can filter Network I/O, thus can act as a stateful firewall, and block SEARCH.
As for XP...I think your stuck with the log entries. You could try and block the top level subnet that these requests come from. Most of the entries I got were from my ISP subnet, so try blocking that using the apache allow/deny. I have a feeling that this won't block SEARCH.
If you run a firewall on your XP then you could also block the IP's completely.

Good luck

Da Proff
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 

Author Comment

by:keyboardman
ID: 10791417
Thanks for the help.  I have blocked the IP's that I'm getting the attacks from, but they keep changing.  I think it's a useless battle.  At least I know that their attempts are fruitless.

Just for now, I'm going to leave this question open, but unfortunately I think there is no good solution.

Thanks again,
Keyboardman
0
 

Author Comment

by:keyboardman
ID: 10791448
Actually, I just thought of something.  Is there a way for me to send all GET's and POST's to another file?  That would in effect only leaving the stupid stuff in my access.log file.
0
 
LVL 6

Expert Comment

by:prof666
ID: 10821538
You could infact do this.
I haven't tried it but you could try the following:

Instead of using SetEnvIf to block, with the:
SetEnvIf        Request_URI "/x90" DontLog
CustomLog               /var/apache/logs/access_log common env=!DontLog

Use it to Only log GET and POST:
SetEnvIf        Request_URI "GET" Log
SetEnvIf        Request_URI "POST" Log
CustomLog               /var/apache/logs/access_log common env=Log

That should only log POST and GET.
Give that a rty and see..

Da Proff
0
 

Author Comment

by:keyboardman
ID: 10829719
I've got a couple of the following already in the configuration:

SetEnvIf Request_URI "/(cmd\.exe|root\.exe|default\.ida)$" dontlog

And one "dontlog" for not logging my own IP address, so then I added the lines you suggested with log instead of dontlog.  My last line is like this:

CustomLog logs/access.log combined env=!dontlog

I'll see if this works.  I'll let you know.  I usually see the WebDev attacks daily, so I'll be able to tell fairly quickly if it worked.

Thanks,
Keyboardman
0
 

Author Comment

by:keyboardman
ID: 10861819
After trying to only log GET's and POST's, it still logs the irritating SEARCH requests as well.  Unfortunately, I think I'm just stuck with logging the SEARCH requests.

One other question that I had is, I recently changed to using xampp on Windows, which comes with Apache 2.0.  It also has a module for WebDav, which seems to be the target of the SEARCH exploit.  My question is, does this exploit only affect IIS servers running WebDav, or if I run WebDav under Apache, am I also susceptible?

-Keyboardman
0
 
LVL 6

Accepted Solution

by:
prof666 earned 500 total points
ID: 10866507
If you are not intending to use Webdav then turn it off (I think apache has it disabled by default). I know the welchii worm (that annoying x90 thing) is only a buffer overflow vuln for IIS. So don't worry about it too much. Another method of cutting down on the scans it to write a perl script to rip out from the logs the IP's of the servers attacking, and block the whole subnets. This will also block ligitimate callers, but may offer you some restpite. The majority of attacks on my server come from my ISP's subnets, and much will be the same in your case. Block these off and you may loose up to 90% of the scans.
Best of Luck

Da Proff
0
 

Author Comment

by:keyboardman
ID: 10869309
You are correct about most of my attacks have been from my own ISP's subnets.  Come to think of it, I could probably write a perl script to rip out the good stuff from the logs and write that to another log file and totally disregard my current log file.  From here I think I will consider this item closed.

Thanks again for all your help!

-Keyboardman
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question