Virtual Hosts - was Re: Attack? [WebDAV 414 vs. IIS]
| D. Stussy 2004-05-24, 7:35 am |
| On Sat, 24 Apr 2004, David Efflandt wrote:
>
> Since I am using wildcard virtual hosts anyway (dyn IP with dyn DNS), my
> worm solution is a nameless default vhost that logs separately and goes
> nowhere (1 html, no links). I had to set a bogus ServerName (and
> UseCanonicalName off) for the nameless default vhost to work. Any real
> user coming to my limited use site should be using one of my set vhost
> names.

I too use named virtual hosts with some wildcards. I want to make certain that
I don't have another way of doing this:

First NVH is my "normal" one, with the machine's hostname as the servername and
a ServerAlias of "*.hostname" (to catch a leading www, plus I allow users to
PREFIX their usernames to avoid the "/~user" construct [and use the rewrite
engine to catch that]).

Second NVH has the ServerName of "localhost" (literally) and the ServerAlias of
"*". It seems to catch all of the requests that have other hostnames in the
HTTP request Host: header (i.e. proxy spoofing attempts).

The question is what is a better solution (i.e. order of NVH declaration) to
catch these virus attempts? It's my understanding that if a request has no
"Host:" header, then it should default to the first VH for a given IP. Does
this virus have a "Host:" header at all? With the second (last) NVH having the
ultimate wildcard alias, it should catch everything not declared elsewhere, yet
leave requests without the "Host:" header to the first NVH, which allows older
client software that doesn't understand virtual hosting to still function as
expected (if any of them still exist).

For some reason, having defined a virtual host without a name was picking up
the name of my server by doing a reverse IP lookup and using that to set the
servername for that VH even without a server name declaration. (Or do I have
to specify the default VH as "<VirtualHost *:80>" to avoid that?)

[Isolating these (and other) virus attempts into their own VH which has a
separate log than the "real" VH's is the first step in quashing their
annoyances.]
| David Efflandt 2004-05-24, 4:38 pm |
| On Mon, 24 May 2004 07:10:55 GMT, D. Stussy <kd6lvw@bde-arc.ampr.org> wrote:
> On Sat, 24 Apr 2004, David Efflandt wrote:
>
> I too use named virtual hosts with some wildcards. I want to make certain that
> I don't have another way of doing this:
>
> First NVH is my "normal" one, with the machine's hostname as the servername and
> a ServerAlias of "*.hostname" (to catch a leading www, plus I allow users to
> PREFIX their usernames to avoid the "/~user" construct [and use the rewrite
> engine to catch that]).
>
> Second NVH has the ServerName of "localhost" (literally) and the ServerAlias of
> "*". It seems to catch all of the requests that have other hostnames in the
> HTTP request Host: header (i.e. proxy spoofing attempts).

I set a bogus main ServerName, UseCanonicalName off and NO ServerName for
first vhost logged separately (which seems to catch all the worms):

    ServerName mainpc.bogus
    UseCanonicalName off
    NameVirtualHost *

    <VirtualHost *>
        DocumentRoot /srv/www/htdocs/nohost
        ServerSignature Off
        ErrorLog /var/log/httpd/nohost_error_log
        LogFormat "%V %h %l %u %t \"%r\" %>s %b" nohost
        CustomLog /var/log/httpd/nohost_access_log nohost
    </VirtualHost>

Besides my other NVH's I have IP based localhost, so I can still use that
locally (plus a restricted NVH for my LAN IP name):

    <VirtualHost 127.0.0.1>
        DocumentRoot /srv/www/htdocs
        ServerName localhost.local
        Serveralias localhost
        Options +ExecCGI +SymlinksIfOwnerMatch
        Alias /cdrom /media/cdrom
    </VirtualHost>

A slew of Directory and Location sections before that specify what is
allowed and restrict outside access to certain things (so spiders do not
search my apache manual, etc.).
--
David Efflandt - All spam ignored http://www.de-srv.com/
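
An added example, not part of either post: a short Python script that summarizes a catch-all vhost's access log written with the "nohost" LogFormat shown above (%V %h %l %u %t "%r" %>s %b), grouping hits by client address. The sample log lines, addresses and host names are constructed; with UseCanonicalName off, %V records the name the client supplied.

```python
import re
from collections import Counter, defaultdict

# Field order of: LogFormat "%V %h %l %u %t \"%r\" %>s %b" nohost
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$')

def parse_line(line):
    """Return the fields of one nohost log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")  # %r is "METHOD URI PROTOCOL" when well formed
    rec["method"] = parts[0] or "-"
    rec["uri_len"] = len(parts[1]) if len(parts) > 1 else 0
    rec["status"] = int(rec["status"])
    return rec

def summarize(lines):
    """Per client address: hit count, names requested, methods, statuses, longest URI."""
    clients = defaultdict(lambda: {"hits": 0, "names": set(), "methods": Counter(),
                                   "statuses": Counter(), "max_uri_len": 0})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count lines in another format instead of dropping them silently
            continue
        c = clients[rec["client"]]
        c["hits"] += 1
        c["names"].add(rec["vhost"].lower())
        c["methods"][rec["method"]] += 1
        c["statuses"][rec["status"]] += 1
        c["max_uri_len"] = max(c["max_uri_len"], rec["uri_len"])
    return dict(clients), unparsed

# Constructed sample lines (documentation addresses, invented names and sizes).
SAMPLE = [
    '192.0.2.10 198.51.100.7 - - [24/May/2004:07:01:12 -0500] "SEARCH /' + "A" * 64 + ' HTTP/1.1" 414 271',
    '192.0.2.10 198.51.100.7 - - [24/May/2004:07:01:13 -0500] "GET / HTTP/1.0" 200 112',
    'proxy.example 203.0.113.9 - - [24/May/2004:07:05:40 -0500] "GET http://proxy.example/ HTTP/1.1" 200 112',
    'this line is not in the nohost format',
]

if __name__ == "__main__":
    clients, unparsed = summarize(SAMPLE)
    for addr, c in sorted(clients.items()):
        print(addr, c["hits"], sorted(c["names"]), dict(c["methods"]), dict(c["statuses"]))
    print("unparsed lines:", unparsed)
```

Clients that appear here with many hits, 414 responses or a Host name that is not one of the site's own are the traffic the separate log is meant to isolate.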