I am on RH-E-WS-4 using Apache 2.0, running a very small web site, using a virtual host and a CGI that sees all inputs but only allows GET.

I have been receiving NTLMSSP attacks as often as several per hour. Sniffing with tethereal, and examining with ethereal, I see:

    GET / HTTP/1.0\r\n
    Host: <is visible>
    Authorization: Negotiate <apparent crypt followed by repeated nonsense>
    NTLMSSP identifier: <a few codes>
    NTLM Message type: Unknown <followed by some codes>
    Unrecognized NTLMSSP Message
    <a large amount of either apparent crypt or repeated nonsense in numerous continuation packets>

I respond as for a normal GET. I would like to:

1. Not respond. So far, the only way my CGI can distinguish these from my usual traffic is by the absence of both User-Agent and Accept headers. I tried several environment variables, but I have not been able to see the Authorization header.

   * Should I use the information I have to reject?
   * Is there a better way?

2. Drop the connection before I get the continuation packets. I can do this with Netfilter QUEUE, but this requires parsing many packets twice: once in Netfilter, and once in Apache.

   * Is there a way to detect the first attack packet and close the connection in Apache?

Any other suggestions?

Thanks in advance for your help.

Mike.

--
Michael D. Berger
m.d.berger@xxxxxxxx
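The two indicators described in the message (no User-Agent and no Accept header, and an Authorization: Negotiate token carrying an NTLMSSP structure whose message type is not recognized), checked against a raw request head. This is an added example, not part of the original post. The function names and sample requests are constructed, and it assumes the site itself never offers Negotiate or NTLM authentication.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"   # 8-byte signature that opens every NTLMSSP message
NTLM_TYPES = (1, 2, 3)         # negotiate, challenge, authenticate

def parse_headers(raw_head: bytes) -> dict:
    """Split a raw request head into {lower-cased name: value bytes}."""
    headers = {}
    for line in raw_head.split(b"\r\n")[1:]:   # skip the request line
        if not line:                           # blank line ends the head
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return headers

def classify(raw_head: bytes) -> list:
    """Return the reasons a request matches the traffic described above."""
    h = parse_headers(raw_head)
    reasons = []
    if "user-agent" not in h and "accept" not in h:
        reasons.append("no User-Agent and no Accept")
    scheme, _, token = h.get("authorization", b"").partition(b" ")
    if scheme.lower() in (b"negotiate", b"ntlm"):
        # Assumption: the server never sent a WWW-Authenticate challenge.
        reasons.append("unsolicited " + scheme.decode("latin-1") + " token")
        try:
            blob = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            return reasons + ["token is not valid base64"]
        off = blob.find(NTLMSSP_SIG)           # may sit inside a wrapper
        if off >= 0 and len(blob) >= off + 12:
            (mtype,) = struct.unpack_from("<I", blob, off + 8)
            if mtype not in NTLM_TYPES:
                reasons.append("NTLMSSP message type %d is not 1, 2 or 3" % mtype)
    return reasons

# Constructed samples: a signature followed by a meaningless message type,
# and an ordinary browser-style request for comparison.
_token = base64.b64encode(NTLMSSP_SIG + struct.pack("<I", 0x41414141) + b"A" * 32)
SAMPLE_PROBE = (b"GET / HTTP/1.0\r\nHost: www.example.test\r\n"
                b"Authorization: Negotiate " + _token + b"\r\n\r\n")
SAMPLE_BROWSER = (b"GET / HTTP/1.0\r\nHost: www.example.test\r\n"
                  b"User-Agent: ExampleBrowser/1.0\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("probe", SAMPLE_PROBE), ("browser", SAMPLE_BROWSER)):
        print(name, classify(req))
```

The classifier works on the request head as captured on the wire, so it can be run over a packet capture or a full-header log rather than inside the CGI.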