• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 280
  • Last Modified:

How secure is Apache

I currently run Apache and keep a certain amount of files in my htdocs folder so I can access them from anywhere just by typing in my ip in any browser.  I have a c: that houses my OS and my d: is where loaded apache server.  Is this safe.  As I look through the logs, sometimes I see the following: - - [19/Apr/2006:01:50:28 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9

I just figure it's some automatic program coming in looking for holes?  Should I worry. Is there anything I can do to improve the security.  I heard since it was on my non OS drive I should be ok.  I run sygate personal firewall and keep most everything automatically updated.
1 Solution
Apache CAN be very secure.  It can also be very insecure.  It depends on whether or not it is properly installed and configured on a properly configured and secured host system.

The above is almost certainly an automated script looking for vulnerable servers.  This particular attack is not even Apache related.  It's the Microsoft IIS "WebDAV" (or a variant of it) attack which today SHOULD NOT even be effective on a Windows server.  The key item to identify this is the "SEARCH" command which is a part of IIS/WebDAV and is not standard HTTP.

Details here:


The exploits you need to worry about are the ones that DO NOT return a 4XX error code to the remote.  Those are the ones that succeed.  Yes, there are vulnerabilities in Apache so be sure you have Apache and your host OS (Linux of some flavor I presume) up-to-date with patches.
BTW, another useful technoque that I use is to add the IP of such hosts (which are likely compromised desktop PCs) to an IP filter to block them rom your network or server entirely.

In this case the (cpe-065-190-086-005.triad.res.rr.com) is a Road Runner residential cable connection.  You can complain to rr.com but usually such complaints go unheeded.  I'd say just block that IP and any others you find probing your web server.
Surprising to know that this ancient dinosaur, Code Red, is still
residing on some machines scanning for IIS vulnerabilities.

Not much to add to what jhance has said, if it bothers you here's
'solution' from LinuxQuestions -to  just prevent this scan from being logged (well, not the brightest idea because it'd disable logging all 414 errors, but..)
most likely the applications hosted by the web server are much more vulnerable than the server itself
If you have any applications (CGI scripts or whatever) you first have to make these ones secure. Apache itself is just the second line of defence.
Rich RumbleSecurity SamuraiCommented:
Agreed with the above. Apache by default is more secure out of the box than IIS to be certain, but since Apache is also the most used webserver it is targeted just as much as IIS is. Keeping up2date with Apache patches and updates is a start, there are also best practices that can help mitigate further threats.
http://www.securityfocus.com/infocus/1694 http://www.securityfocus.com/infocus/1786

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now