Re: [users@httpd] Blocking invalid URIs?

It was thus said that the Great John Rodenbiker once stated:
> 
> I'm very new to running a web server.
> 
> Is there a way to have httpd drop requests to URIs that don't actually 
> exist in my environment?
> 
> For example, if I have a very simple web site with just the document 
> "index.html" I don't want people trying to access 
> "../../../../../users/john/secretstuff". I would prefer such attempts 
> be dropped, logged, and an alert thrown to my mailbox or a script that 
> calls my cell phone.
>
> If such functionality exists, is there a way for httpd to automatically 
> figure out which URIs are valid and which are not without me changing a 
> database, config file, etc. every time I update my site?

  It's turned on by default in Apache.  In other words, any content
*outside* of the DocumentRoot is not served up, no matter how many "../" are
thrown at the web server.  Don't put anything you don't want seen in the
DocumentRoot.

  And I really wouldn't bother with the alerts (just log and drop is good
enough).  My own personal site (small, only got 32,000 hits last month)
received about 20 requests for non-existent pages per day last month.  For
example:

218.232.96.150 - - [02/Feb/2006:00:45:15 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 2087 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc.php HTTP/1.0" 404 2058 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:17 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:17 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 2063 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:18 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:18 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 2068 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:19 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 2064 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:19 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:20 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 2070 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:20 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 2074 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:21 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 2068 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:21 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:21 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 2068 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:22 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:22 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 2066 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:23 -0500] "GET /cgi/awstats.pl HTTP/1.0" 404 2062 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:23 -0500] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 2067 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:24 -0500] "GET /awstats/awstats.pl HTTP/1.0" 404 2066 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:24 -0500] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 2074 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:25 -0500] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 2075 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:25 -0500] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 2070 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:26 -0500] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 2071 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:26 -0500] "GET /scripts/awstats.pl HTTP/1.0" 404 2066 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:27 -0500] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 2072 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:27 -0500] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 2073 "-" "-"
218.232.96.150 - - [02/Feb/2006:00:45:28 -0500] "GET /stats/awstats.pl HTTP/1.0" 404 2064 "-" "-"

  By the time such an attack is detected, they're already gone.

  -spc (Hmmm ... must be some exploit in AWStats ... )
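
The "log and drop" approach above still leaves the question of noticing a scanner in the access log after the fact. The script below is an added example, not part of this message or of the Apache project: it parses combined-format access log lines like the ones quoted above and reports any client that produced a burst of 404s inside a short time window. The sample log is constructed from a handful of the quoted lines plus two made-up requests from 192.0.2.10 (a documentation address); the threshold and window values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line:
#   host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: four lines taken from the message above, plus two
# made-up requests from a normal visitor (one hit, one typo'd URL).
SAMPLE_LOG = [
    '218.232.96.150 - - [02/Feb/2006:00:45:15 -0500] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 2087 "-" "-"',
    '218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc.php HTTP/1.0" 404 2058 "-" "-"',
    '218.232.96.150 - - [02/Feb/2006:00:45:16 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"',
    '218.232.96.150 - - [02/Feb/2006:00:45:17 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"',
    '218.232.96.150 - - [02/Feb/2006:00:45:17 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 2063 "-" "-"',
    '218.232.96.150 - - [02/Feb/2006:00:45:18 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 2065 "-" "-"',
    '192.0.2.10 - - [02/Feb/2006:00:46:02 -0500] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Feb/2006:00:46:09 -0500] "GET /indx.html HTTP/1.1" 404 2060 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # e.g. "02/Feb/2006:00:45:15 -0500"; %z accepts the numeric offset
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {host: sorted list of missed paths} for every host that produced
    at least `threshold` 404 responses within any `window`-long span.
    Threshold and window are assumed defaults, not values from the message."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 404:
            misses[rec["host"]].append((rec["time"], rec["path"]))

    flagged = {}
    for host, events in misses.items():
        events.sort()  # sliding window over time-ordered 404s
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = sorted({path for _, path in events})
                break
    return flagged


if __name__ == "__main__":
    # Five 404s in a minute is enough to flag the sample scanner; the
    # single typo from 192.0.2.10 is left alone.
    for host, paths in find_scanners(SAMPLE_LOG, threshold=5).items():
        print(f"{host}: {len(paths)} distinct missing paths, e.g. {paths[:3]}")
```

Run against a real log with `find_scanners(open("/var/log/apache2/access.log"))`; the returned dict is the natural input for whatever alerting the original poster wants (mail, a script, or simply a daily summary). The host-level grouping is deliberate: the quoted burst is a single address walking a list of well-known paths, and a per-address 404 count separates that from a legitimate visitor who mistypes one URL.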


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
