keyboardman
asked on
Help in using SetEnvIf in Apache Configuration
I'm getting these rather annoying hits in my access.log file; they look something like:
123.456.789.23 - -[23/Mar/2004:07:07:26 -0500] "SEARCH /\x90\x90\x90.........."
Where the \x90 goes on for many lines. I've tried using SetEnvIf to block this, but without success.
Any ideas on how to block this?
ASKER
Can you tell me what iptables is? I've never heard of it.
I just did a Google search and got some things about Linux and iptables? I'm running XP and can't seem to find anything about iptables for Windows.
Thanks,
Keyboardman
Ahh, I foolishly assumed you were using Linux...sorry. Iptables are part of the linux kernel, and can filter Network I/O, thus can act as a stateful firewall, and block SEARCH.
As for XP...I think you're stuck with the log entries. You could try and block the top level subnet that these requests come from. Most of the entries I got were from my ISP subnet, so try blocking that using the Apache allow/deny. I have a feeling that this won't block SEARCH.
If you run a firewall on your XP then you could also block the IP's completely.
Good luck
Da Proff
ASKER
Thanks for the help. I have blocked the IP's that I'm getting the attacks from, but they keep changing. I think it's a useless battle. At least I know that their attempts are fruitless.
Just for now, I'm going to leave this question open, but unfortunately I think there is no good solution.
Thanks again,
Keyboardman
ASKER
Actually, I just thought of something. Is there a way for me to send all GETs and POSTs to another file? That would in effect leave only the stupid stuff in my access.log file.
You could in fact do this.
I haven't tried it but you could try the following:
Instead of using SetEnvIf to block, with the:
SetEnvIf Request_URI "/x90" DontLog
CustomLog /var/apache/logs/access_log common env=!DontLog
Use it to Only log GET and POST:
SetEnvIf Request_URI "GET" Log
SetEnvIf Request_URI "POST" Log
CustomLog /var/apache/logs/access_log common env=Log
That should only log POST and GET.
Give that a try and see..
Da Proff
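The reason the GET/POST filter above never takes effect is that SetEnvIf Request_URI is matched only against the path part of the request line (for example "/index.html"), so the patterns "GET" and "POST" can never match there; the method is exposed as the Request_Method attribute. For the same reason the "/x90" pattern does not match either: the "\x90" in the log is Apache's escaped rendering of the byte 0x90, and the regex "/x90" looks for the literal characters "/x90". The configuration below is an added example, not something posted in this thread, for Apache 2.0 with mod_setenvif and mod_log_config loaded (both are standard in XAMPP). It routes GET/POST/HEAD traffic to access.log and everything else (SEARCH, PROPFIND and similar probes) to a separate probes.log, and keeps the administrator's own address out of both. The address 10.0.0.5 and the log file names are placeholders.

```apache
# Added example, not from the thread. Assumes Apache 2.0 with mod_setenvif
# and mod_log_config. 10.0.0.5 and the log file names are placeholders.

# Every request starts out flagged as a probe ...
SetEnvIf Request_Method "." probe

# ... and loses that flag if it uses an ordinary browser method.
# The pattern is anchored so that something like "GETX" does not match.
SetEnvIf Request_Method "^(GET|POST|HEAD)$" normal
SetEnvIf Request_Method "^(GET|POST|HEAD)$" !probe

# Old-style IIS probes that do use GET belong in probes.log too.
SetEnvIf Request_URI "/(cmd\.exe|root\.exe|default\.ida)$" !normal
SetEnvIf Request_URI "/(cmd\.exe|root\.exe|default\.ida)$" probe

# Requests from the administrator's own machine are not logged anywhere.
# SetEnvIf can test variables set by earlier SetEnvIf lines, so "dontlog"
# (which is set to the value "1") is used to clear both flags.
SetEnvIf Remote_Addr "^10\.0\.0\.5$" dontlog
SetEnvIf dontlog "1" !normal
SetEnvIf dontlog "1" !probe

# Two logs: real traffic in access.log, everything else in probes.log.
# Paths are relative to ServerRoot.
CustomLog logs/access.log combined env=normal
CustomLog logs/probes.log combined env=probe
```

CustomLog's env= clause accepts a single variable, so the conditions are combined in the SetEnvIf lines, which Apache processes in order; the "!" prefix unsets a variable set earlier. Comments must sit on their own lines because Apache does not allow a comment after a directive. Matching on the method rather than on the \x90 payload means the same probe still lands in probes.log if its payload changes.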
ASKER
I've got a couple of the following already in the configuration:
SetEnvIf Request_URI "/(cmd\.exe|root\.exe|default\.ida)$" dontlog
And one "dontlog" for not logging my own IP address, so then I added the lines you suggested with log instead of dontlog. My last line is like this:
CustomLog logs/access.log combined env=!dontlog
I'll see if this works. I'll let you know. I usually see the WebDAV attacks daily, so I'll be able to tell fairly quickly if it worked.
Thanks,
Keyboardman
ASKER
After trying to only log GETs and POSTs, it still logs the irritating SEARCH requests as well. Unfortunately, I think I'm just stuck with logging the SEARCH requests.
One other question that I had is, I recently changed to using XAMPP on Windows, which comes with Apache 2.0. It also has a module for WebDAV, which seems to be the target of the SEARCH exploit. My question is, does this exploit only affect IIS servers running WebDAV, or if I run WebDAV under Apache, am I also susceptible?
-Keyboardman
ASKER CERTIFIED SOLUTION
ASKER
You are correct that most of my attacks have been from my own ISP's subnets. Come to think of it, I could probably write a Perl script to rip out the good stuff from the logs and write that to another log file and totally disregard my current log file. From here I think I will consider this item closed.
Thanks again for all your help!
-Keyboardman
iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"
Works a treat. Might cause quite a hit on your CPU if your site is high volume. To remove:
iptables -D INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"
Regards
Da Proff