This is a discussion on Re: Sniffing my own apache server within the Apache Web Server forums, part of the Web Server and Related Forums category.
HansH wrote:
> "Vaterlo" <red_guy@inbox-dot-lv.no-spam.invalid> wrote in message
> news:vvOdnZv4SdNQXxPdRVn_vQ@giganews.com...
>
>>I run apache 1.3.27 on win xp. When i turn off firewall, some bastards
>>are sniffing my cute apache server :), i see weird requests in log files
>
> Rather probing than sniffing ...
>
>>194.19.239.164 - - [27/Apr/2004:22:45:45 +0300] "SEARCH
>>/ x90 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 ..
>
> http://www.google.nl/search?hl=nl&ie...02+xb1+x02&lr=
> gave over 5000 hits
>
>>etc etc (~32000 symbols)
>
> ... for some vulnerability in MS WebDAV
>
> [snipped]
>
>>What do SEARCH, OPTIONS, PROPFIND mean, what are
>>they trying to do?
>
> http://www.google.nl/search?q=SEARCH...TF-8&hl=nl&lr=
> returns about 9000 hits ...
>
>>Can you suggest some protective configuration?
>
> You cannot protect against fuzzy request, but by firewalling...
>
> HansH

In my httpd.conf file I have this line:

SetEnvIf Request_Method HEAD|OPTIONS|DELETE|TRACE|CONNECT|SEARCH attack

Then I deny access based on the 'attack' variable. Works well for me!

mike.
"Mike Newton" <miken3*10+2@altern.org> wrote in message
news:4091d967$1_1@dowco.com...
> HansH wrote:
> > "Vaterlo" <red_guy@inbox-dot-lv.no-spam.invalid> wrote in message
> > news:vvOdnZv4SdNQXxPdRVn_vQ@giganews.com...
> >>I run apache 1.3.27 on win xp. When i turn off firewall, some bastards
> >>are sniffing my cute apache server :), i see weird requests in log files
> > Rather probing than sniffing ...
> >>194.19.239.164 - - [27/Apr/2004:22:45:45 +0300] "SEARCH
> >>/ x90 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 xb1 x02 ..
> > http://www.google.nl/search?hl=nl&ie...02+xb1+x02&lr=
> > gave over 5000 hits
> >>etc etc (~32000 symbols)
> > ... for some vulnerability in MS WebDAV
> > [snipped]
> >>What do SEARCH, OPTIONS, PROPFIND mean, what are
> >>they trying to do?
> > http://www.google.nl/search?q=SEARCH...TF-8&hl=nl&lr=
> > returns about 9000 hits ...
> >>Can you suggest some protective configuration?
> > You cannot protect against fuzzy request, but by firewalling...
> In my httpd.conf file I have this line:
> SetEnvIf Request_Method HEAD|OPTIONS|DELETE|TRACE|CONNECT|SEARCH attack
> Then I deny access based on the 'attack' variable. Works well for me!

CRMIIW the 32k request is still logged: that's not protecting against but -a quite nifty- extra indoor defence line. You are throwing a trespasser out just after he entered your premises.
I interpreted 'protective' as preventing him from even knocking on the door.

BTW firewalling does not keep a burst of fuzz from consuming bandwidth and adding useless traffic to your account ... >80GB per month for ONE 32k request per second

HansH
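Added example, not part of the original thread or anyone's post: a small Python triage of access-log lines that flags the kind of requests discussed above (WebDAV-style methods and oversized request lines) and reproduces the bandwidth estimate for one 32k request per second. The sample log lines, the documentation-range IP addresses, the 2048-character threshold and the set of "normal" methods are constructed assumptions.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')
NORMAL_METHODS = {"GET", "POST", "HEAD"}  # assumption: a plain site without WebDAV
LONG_REQUEST = 2048                       # assumed threshold, in logged characters

# Constructed sample lines (documentation IP ranges, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [27/Apr/2004:22:45:45 +0300] "SEARCH /'
    + '\\x90\\x02\\xb1' * 2700 + '" 414 340',
    '192.0.2.10 - - [27/Apr/2004:22:45:50 +0300] "OPTIONS / HTTP/1.0" 403 280',
    '198.51.100.7 - - [27/Apr/2004:22:46:01 +0300] "PROPFIND /webdav/ HTTP/1.1" 403 285',
    '203.0.113.5 - - [27/Apr/2004:22:46:09 +0300] "GET /index.html HTTP/1.1" 200 1456',
]

def triage(lines):
    """Return (probe count per host, findings) for CLF access-log lines."""
    hosts, findings = Counter(), []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; ignore rather than guess
        host, _, request, status, _ = m.groups()
        # A probe may carry no URI or protocol, so take only the first token.
        method = request.split(" ", 1)[0]
        reasons = []
        if method not in NORMAL_METHODS:
            reasons.append("method " + method)
        if len(request) > LONG_REQUEST:
            reasons.append("request line %d chars" % len(request))
        if reasons:
            hosts[host] += 1
            findings.append((host, status, "; ".join(reasons)))
    return hosts, findings

def monthly_gb(request_bytes, per_second, days=30):
    """Inbound volume of a repeated request, in GB (10^9 bytes)."""
    return request_bytes * per_second * 86400 * days / 1e9

if __name__ == "__main__":
    for finding in triage(SAMPLE)[1]:
        print(finding)
    print("32k request, 1/s: %.1f GB per month" % monthly_gb(32 * 1024, 1))
```

The status column shows what the server answered, so it also tells you whether a deny rule such as the SetEnvIf one above is taking effect for the flagged requests.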