Sniffing my own apache server
| Vaterlo 2004-04-27, 4:33 pm |
| Hi
I run apache 1.3.27 on win xp. When I turn off firewall, some bastards
are sniffing my cute apache server, I see weird requests in log
files
194.19.239.164 - - [27/Apr/2004:22:45:45 +0300] "SEARCH / x90 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 ..
etc etc
(~32000 symbols)
194.19.239.71 - - [23/Apr/2004:20:34:33 +0300] "OPTIONS / HTTP/1.1" 200 -
194.19.239.71 - - [23/Apr/2004:20:34:33 +0300] "PROPFIND /E%24 HTTP/1.1" 404 274
What do SEARCH, OPTIONS, PROPFIND mean, what are
they trying to do?
Can you suggest some protective configuration? Thanks
| |
|
| "Vaterlo" <red_guy@inbox-dot-lv.no-spam.invalid> wrote in message
news:vvOdnZv4SdNQXxPdRVn_vQ@giganews.com...
> I run apache 1.3.27 on win xp. When I turn off firewall, some bastards
> are sniffing my cute apache server, I see weird requests in log files
Rather probing than sniffing ...
> 194.19.239.164 - - [27/Apr/2004:22:45:45 +0300] "SEARCH / x90 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 ..
http://www.google.nl/search?hl=nl&i...x02+xb1+x02&lr=
gave over 5000 hits
> etc etc (~32000 symbols)
... for some vulnerability in MS WebDAV
[snipped]
> What do SEARCH, OPTIONS, PROPFIND mean, what are
> they trying to do?
http://www.google.nl/search?q=SEARC...UTF-8&hl=nl&lr=
returns about 9000 hits ...
> Can you suggest some protective configuration?
You cannot protect against fuzzy request, but by firewalling...
HansH
| |
| Mike Newton 2004-04-30, 12:34 am |
| HansH wrote:
> "Vaterlo" <red_guy@inbox-dot-lv.no-spam.invalid> wrote in message
> news:vvOdnZv4SdNQXxPdRVn_vQ@giganews.com...
>
> Rather probing than sniffing ...
>
> http://www.google.nl/search?hl=nl&i...x02+xb1+x02&lr=
> gave over 5000 hits
>
> ... for some vulnerability in MS WebDAV
>
> [snipped]
>
> http://www.google.nl/search?q=SEARC...UTF-8&hl=nl&lr=
> returns about 9000 hits ...
>
> You cannot protect against fuzzy request, but by firewalling...
>
> HansH
In my httpd.conf file I have this line:
SetEnvIf Request_Method HEAD|OPTIONS|DELETE|TRACE|CONNECT|SEARCH attack
Then I deny access based on the 'attack' variable. Works well for me!
mike.
| |
|
| "Mike Newton" <miken3*10+2@altern.org> wrote in message
news:4091d967$1_1@dowco.com...
> HansH wrote:
http://www.google.nl/search?hl=nl&i...x02+xb1+x02&lr=
http://www.google.nl/search?q=SEARC...UTF-8&hl=nl&lr=
> In my httpd.conf file I have this line:
> SetEnvIf Request_Method HEAD|OPTIONS|DELETE|TRACE|CONNECT|SEARCH attack
> Then I deny access based on the 'attack' variable. Works well for me!
CRMIIW the 32k request is still logged: that's not protecting against but -a
quite nifty- extra indoor defence line.
You are throwing a trespasser out just after he entered your premises. I
interpreted 'protective' as preventing him from even knocking on the door.
BTW firewalling does not keep a burst of fuzz from consuming bandwidth and
adding useless traffic to your account ... >80GB per month for ONE 32k
request per second
HansH
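
One way to pick the probe requests discussed in this thread out of an access log, added here as an example and not posted by any participant: it flags methods outside an assumed GET/POST allowlist and request lines longer than 8190 bytes (Apache's default LimitRequestLine). The function names, the allowlist and the sample lines are assumptions made for illustration.

```python
import re

# Assumption: this site only needs GET and POST; every other method is flagged.
ALLOWED_METHODS = {"GET", "POST"}
# Apache's default LimitRequestLine; longer request lines are flagged as oversized.
MAX_REQUEST_LINE = 8190

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')


def classify(line):
    """Return (host, method, reasons) for one log line, or None if it does not parse."""
    m = CLF.match(line.rstrip("\n"))
    if not m:
        return None
    host, request, _status = m.groups()
    method = request.split(" ", 1)[0].upper()
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append("method")
    if len(request) > MAX_REQUEST_LINE:
        reasons.append("oversized")
    return host, method, reasons


def probes_by_host(lines):
    """Group flagged requests by client address: {host: [(method, reasons), ...]}."""
    hits = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2]:
            host, method, reasons = parsed
            hits.setdefault(host, []).append((method, reasons))
    return hits


# Constructed sample modelled on the requests quoted in the thread (documentation IPs,
# made-up status codes and sizes; the padding is a placeholder run, not a real payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2004:22:45:45 +0300] "SEARCH /' + "A" * 32000 + '" 414 -',
    '192.0.2.20 - - [23/Apr/2004:20:34:33 +0300] "OPTIONS / HTTP/1.1" 200 -',
    '192.0.2.20 - - [23/Apr/2004:20:34:33 +0300] "PROPFIND /E%24 HTTP/1.1" 404 274',
    '192.0.2.30 - - [23/Apr/2004:20:35:01 +0300] "GET /index.html HTTP/1.1" 200 1042',
]

if __name__ == "__main__":
    for host, found in probes_by_host(SAMPLE_LOG).items():
        print(host, found)
```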