[users@httpd] NTLMSSP attacks

On RH-E-WS-4 using Apache 2.0 running a very small
web site, using a virtual host and a cgi that sees
all inputs, but only allows GET.

I have been receiving NTLMSSP attacks as often as
several per hour.  Sniffing with tethereal, and
examining with ethereal, I see:

   GET / HTTP/1.0\r\n
   Host: <is visible>
   Authorization: Negotiate <apparent crypt followed by repeated nonsense>
      NTLMSSP identifier: <a few codes>
      NTLM Message type: Unknown <followed by some codes>
      Unrecognized NTLMSSP Message
      <a large amount of either apparent crypt or repeated nonsense
       in numerous continuation packets>

I respond as for a normal GET.  I would like to:

1. Not respond.
      So far, the only way my cgi can distinguish these from my
      usual traffic is by the absence of both User-Agent and Accept
      headers. I tried several environment variables, but I
      have not been able to see the Authorization header.

      * Should I use the information I have to reject?
      * Is there a better way?

2. Drop the connection before I get the continuation packets.
      I can do this with Netfilter QUEUE, but this requires
      parsing many packets twice: once in Netfilter, and
      once in Apache.

      * Is there a way to detect the first attack packet and
        close the connection in Apache?

Any other suggestions?

Thanks in advance for your help.

Mike.

--
Michael D. Berger
m.d.berger@xxxxxxxx 
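The following is an added example, not part of the original post or any reply to it: an Apache 2.0 virtual host fragment that detects the request pattern described above (a Negotiate token with neither User-Agent nor Accept) and refuses it before the CGI runs, logging the hit separately. It assumes mod_rewrite and mod_log_config are loaded; the environment variable name `ntlm_probe`, the log file name and the host names are placeholders chosen here.

```apache
<VirtualHost *:80>
    ServerName www.example.com          # placeholder for the real vhost name
    DocumentRoot /var/www/example       # placeholder

    RewriteEngine On

    # Mark a request that carries an Authorization: Negotiate token and sends
    # neither a User-Agent nor an Accept header, the combination seen in the
    # capture. A header that is absent expands to the empty string here.
    RewriteCond %{HTTP:Authorization} ^Negotiate\s [NC]
    RewriteCond %{HTTP_USER_AGENT}    ^$
    RewriteCond %{HTTP:Accept}        ^$
    RewriteRule .* - [E=ntlm_probe:1]

    # Refuse marked requests with a bare 403 instead of running the CGI.
    # Apache still sends a short response; the configuration alone cannot
    # silently drop the TCP connection.
    RewriteCond %{ENV:ntlm_probe} ^1$
    RewriteRule .* - [F,L]

    # Keep marked requests in their own log for review. Only the fact that a
    # token was present is recorded, not the token itself.
    LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\"" probe
    CustomLog logs/ntlm_probe.log probe env=ntlm_probe

    # mod_cgi does not pass the Authorization header to scripts. If the CGI
    # genuinely needs it for legitimate requests, this rule exposes it as
    # HTTP_AUTHORIZATION in the script's environment; otherwise omit it.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # existing ScriptAlias / CGI configuration for the site goes here unchanged
</VirtualHost>
```

Because the 403 is generated before the CGI handler is invoked, the script never sees these requests, so the check on missing User-Agent and Accept headers no longer has to live in the CGI.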



The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
