Mailing List Archive

how to block ip's?
hello! my error.log is daily filled with the iis-exploit crap like:
--
[Thu Feb 07 12:50:53 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/scripts/root.exe
[Thu Feb 07 12:50:54 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/msadc/root.exe
[Thu Feb 07 12:50:56 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/c/winnt/system32/cmd.exe
[Thu Feb 07 12:50:57 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/d/winnt/system32/cmd.exe
--
etc.. and i tried to investigate if i could set up some kind of rule with
apache that
permanently denies all requests from client IP if it ever requests a url
containing
either root.exe or cmd.exe (which all these iis/codered/whatever-it-is-crap
seems to contain)

so quick question - is it possible?
and little longer question - may anyone please be willing to help me out
with setting this up, or point me in the right direction?
running apache 1.3.23 on windows xp

/Martin

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: how to block ip's? [ In reply to ]
Martin,
You're already sending them a big ol' 404. What do you want to send them?
A forbidden? I don't really think it makes a difference.
As for not getting the error messages in the access log, I suggest doing
that post processing. Something like:

grep -v "root\.exe" access_log | grep -v "cmd\.exe"

-Mike Arrison


-----Original Message-----
From: Martin Lindhe [mailto:martin@humany.com]
Sent: Thursday, February 07, 2002 7:39 AM
To: 'users@httpd.apache.org'
Subject: how to block ip's?


hello! my error.log is daily filled with the iis-exploit crap like:
--
[Thu Feb 07 12:50:53 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/scripts/root.exe
[Thu Feb 07 12:50:54 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/msadc/root.exe
[Thu Feb 07 12:50:56 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/c/winnt/system32/cmd.exe
[Thu Feb 07 12:50:57 2002] [error] [client 195.159.135.94] File does not
exist: c:/webroot/d/winnt/system32/cmd.exe
--
etc.. and i tried to investigate if i could set up some kind of rule with
apache that
permanently denies all requests from client IP if it ever requests a url
containing
either root.exe or cmd.exe (which all these iis/codered/whatever-it-is-crap
seems to contain)

so quick question - is it possible?
and little longer question - may anyone please be willing to help me out
with setting this up, or point me in the right direction?
running apache 1.3.23 on windows xp

/Martin

RE: how to block ip's? [ In reply to ]
> Martin,
> You're already sending them a big ol' 404. What do you
> want to send them? A forbidden? I don't really think it
> makes a difference.

:) Well, i just want to not send em anything at all, not let them connect
to my webserver if they "broke" my rule :) Sure, no big important thing,
just came up with this idea and was curious on if it was possible to
configure and wanted to learn more :)

> As for not getting the error messages in the access
> log, I suggest doing that post processing. Something like:
>
> grep -v "root\.exe" access_log | grep -v "cmd\.exe"

Okie thanks for that one too :)

/Martin
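
The rule Martin describes, approximated as log post-processing (an added example, not part of the original thread): it lists each client IP whose error-log entries end in root.exe or cmd.exe and prints `Deny from` lines for Apache 1.3's mod_access. The function names and the sample log lines (documentation IP ranges) are constructed for illustration.

```sh
#!/bin/sh
# Added example: turn "File does not exist" probe entries into a deny list.

# Constructed sample error log (one entry per line, as Apache writes it).
sample_log() {
    cat <<'EOF'
[Thu Feb 07 12:50:53 2002] [error] [client 192.0.2.10] File does not exist: c:/webroot/scripts/root.exe
[Thu Feb 07 12:50:54 2002] [error] [client 192.0.2.10] File does not exist: c:/webroot/msadc/root.exe
[Thu Feb 07 12:51:10 2002] [error] [client 203.0.113.5] File does not exist: c:/webroot/favicon.ico
[Thu Feb 07 12:52:01 2002] [error] [client 198.51.100.7] File does not exist: c:/webroot/c/winnt/system32/CMD.EXE
[Thu Feb 07 12:53:00 2002] [error] [client 203.0.113.5] File does not exist: c:/webroot/docs/cmd.exe.html
EOF
}

# Print each offending client IP once. Reads the files given as arguments
# (rotated logs included, e.g. error.log error.log.*) or stdin if none.
offending_ips() {
    awk '
        # Keep only 404 entries whose path ends in root.exe or cmd.exe,
        # compared case-insensitively; ordinary 404s are left alone.
        /\[error\] \[client [0-9.]+\] File does not exist: / &&
        tolower($0) ~ /\/(root|cmd)\.exe[ \t\r]*$/ {
            ip = $0
            sub(/^.*\[client /, "", ip)   # drop everything before the IP
            sub(/\].*$/, "", ip)          # drop everything after it
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }
    ' "$@"
}

# Emit mod_access directives: allow everyone, then deny the listed IPs.
# With "Order Allow,Deny" the Deny lines are evaluated last and win.
deny_rules() {
    echo "Order Allow,Deny"
    echo "Allow from all"
    offending_ips "$@" | sort -u | sed 's/^/Deny from /'
}

# Demo on the constructed sample.
sample_log | deny_rules
```

Apache answers a denied client with 403 Forbidden rather than refusing the connection, so not letting the client connect at all is a firewall job.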

Re: how to block ip's? [ In reply to ]
As you say this is for Windows I suggest you get BlackIce
from NetworkIce.com. I use it and it really is a must have
for security reasons, but I'm not so sure it will block all
of these the way you think. What I do is monitor IPs from
ones that are really out of control and block them from me
either through my firewall, at the router, and/or with
BlackIce. Actually I'm using the network version, which is
far greater as it allows me to set up an entire network of
machines that I can effectively monitor and block. To top it
all off I use Windows IpSec, but I am running Windows 2000
Advanced Server. Windows XP has it built into the network
card connection. Just turn on the Firewall under the NIC
card in Network Connections.

-----Original Message-----
From: Martin Lindhe <martin@humany.com>
To: "'users@httpd.apache.org'" <users@httpd.apache.org>
Date: Thu, 7 Feb 2002 13:38:48 +0100
Subject: how to block ip's?

> hello! my error.log is daily filled with the iis-exploit crap like:
> --
> [Thu Feb 07 12:50:53 2002] [error] [client 195.159.135.94] File does not
> exist: c:/webroot/scripts/root.exe
> [Thu Feb 07 12:50:54 2002] [error] [client 195.159.135.94] File does not
> exist: c:/webroot/msadc/root.exe
> [Thu Feb 07 12:50:56 2002] [error] [client 195.159.135.94] File does not
> exist: c:/webroot/c/winnt/system32/cmd.exe
> [Thu Feb 07 12:50:57 2002] [error] [client 195.159.135.94] File does not
> exist: c:/webroot/d/winnt/system32/cmd.exe
> --
> etc.. and i tried to investigate if i could set up some kind of rule with
> apache that
> permanently denies all requests from client IP if it ever requests a url
> containing
> either root.exe or cmd.exe (which all these iis/codered/whatever-it-is-crap
> seems to contain)
>
> so quick question - is it possible?
> and little longer question - may anyone please be willing to help me out
> with setting this up, or point me in the right direction?
> running apache 1.3.23 on windows xp
>
> /Martin
RE: how to block ip's? [ In reply to ]
> grep -v "root\.exe" access_log | grep -v "cmd\.exe"

How would i do that with rotating logs? New logs are
created everyday with some number tagged onto the end of it
for the date.



RE: how to block ip's? [ In reply to ]
Well,
If you want just the one day's log, you should:

grep -v "root\.exe" access_log.date | grep -v "cmd\.exe"

Or if you want to see all the logs at once, issue a wildcard, like this:

grep -v "root\.exe" access_log.* | grep -v "cmd\.exe"

-Mike Arrison
arrison@gnostech.com
Systems Engineer
Gnostech, Inc.
http://www.gnostech.com
(215) 443-8660

-----Original Message-----
From: Vernon A Webb [mailto:VernMan@net-nation.com]
Sent: Thursday, February 07, 2002 8:37 AM
To: users@httpd.apache.org
Subject: RE: how to block ip's?


> grep -v "root\.exe" access_log | grep -v "cmd\.exe"

How would i do that with rotating logs? New logs are
created everyday with some number tagged onto the end of it
for the date.



RE: how to block ip's? [ In reply to ]
> -----Original Message-----
> From: Vernon A Webb [mailto:VernMan@net-nation.com]
> Sent: Thursday, February 07, 2002 2:24 PM
> To: users@httpd.apache.org
> Subject: Re: how to block ip's?
>
>
> As you say this is for Windows I suggest you get BlackIce
> from NetworkIce.com. I use it and it really is a must have
> for security reasons, but I'm not so sure it will block all
> of these the way you think. What I do is monitor IPs from
> ones that are really out of control and block them from me
> either through my firewall, at the router, and/or with
> BlackIce. Actually I'm using the network version, which is
> far greater as it allows me to set up an entire network of
> machines that I can effectively monitor and block. To top it
> all off I use Windows IpSec, but I am running Windows 2000
> Advanced Server. Windows XP has it built into the network
> card connection. Just turn on the Firewall under the NIC
> card in Network Connections.

Thanks for your suggestions, i'll try out blackice right away!
/Martin

Re: how to block ip's? [ In reply to ]
On Fri, 8 Feb 2002 10:17:32 +0100
Martin Lindhe <martin@humany.com> wrote:

> > -----Original Message-----
> > From: Vernon A Webb [mailto:VernMan@net-nation.com]
> > Sent: Thursday, February 07, 2002 2:24 PM
> > To: users@httpd.apache.org
> > Subject: Re: how to block ip's?
> >
> >
> > As you say this is for Windows I suggest you get BlackIce
> > from NetworkIce.com. I use it and it really is a must have
> > for security reasons, but I'm not so sure it will block all
> > of these the way you think. What I do is monitor IPs from
> > ones that are really out of control and block them from me
> > either through my firewall, at the router, and/or with
> > BlackIce. Actually I'm using the network version, which is
> > far greater as it allows me to set up an entire network of
> > machines that I can effectively monitor and block. To top it
> > all off I use Windows IpSec, but I am running Windows 2000
> > Advanced Server. Windows XP has it built into the network
> > card connection. Just turn on the Firewall under the NIC
> > card in Network Connections.
>
> Thanks for your suggestions, i'll try out blackice right away!
> /Martin


Be sure that first you address the current security problems with
BlackIce, reported by Internet Security Systems (ISS) and X-Force:
http://www.iss.net/security_center/alerts/advise109.php

--
Raquel
============================================================
How many cares one loses when one decides not to be something, but
to be someone.
--Coco Chanel



