* [gentoo-user] Apache security tips
From: Jim @ 2006-03-11 1:59 UTC
To: gentoo-user
Hey group,
I was wondering if anyone has some easy to do tips for checking the
security of Apache. I am running Apache/2.0.55. Is Apache good with
handling bad URLs? I remember with an IIS server I used to have I
needed to install a url filter to help it out. I noticed that I get
requests like the following in my apache log:
70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
/\x90\xc9\xc9\xc9\xc9\xc9\
The above is one line and it is 30,000 characters long in the log file.
Thanks for any tips,
Jim
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Apache security tips
From: Willie Wong @ 2006-03-11 5:00 UTC
To: gentoo-user
On Fri, Mar 10, 2006 at 08:59:09PM -0500, Penguin Lover Jim squawked:
> I was wondering if anyone has some easy to do tips for checking the
> security of Apache. I am running Apache/2.0.55. Is Apache good with
> handling bad URLs? I remember with an IIS server I used to have I
> needed to install a url filter to help it out. I noticed that I get
> requests like the following in my apache log:
>
> 70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
> /\x90\xc9\xc9\xc9\xc9\xc9\
>
> The above is one line and it is 30,000 characters long in the log file.
>
Near the end of that line should be the HTTP return code Apache gave
for that request. What is it?
On my box it always returns 414 (Request-URI too long), so I doubt it
would be a problem, beyond a major annoyance when going through the
logs with 'less'.
A URI string like that is almost certainly a client trying to exploit
a buffer overflow. I've never seen it being a problem with my
(limited) experience running apache.
HTH,
W
--
You're not paranoid.
The world _IS_ fucked.
Sortir en Pantoufles: up 118 days, 21:18
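
The check suggested in this reply (read the status code at the end of the oversized record), as an added example that is not part of the original thread. It assumes common or combined log format and uses 8190 bytes, Apache's default `LimitRequestLine`, as the threshold; the function names and the sample records are constructed for illustration.

```python
import re

# Common/combined log prefix; the request field may contain \" and \xhh escapes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')
MAX_REQUEST_LINE = 8190  # assumption: Apache's default LimitRequestLine


def triage(line):
    """Return a dict for an oversized request record, or None for a normal one."""
    m = LINE_RE.match(line)
    if m is None:
        # Truncated or mangled record: the status cannot be read, so report it.
        return {"verdict": "unparsed", "length": len(line)} if len(line) > MAX_REQUEST_LINE else None
    request = m.group("request")
    if len(request) <= MAX_REQUEST_LINE:
        return None
    status = int(m.group("status"))
    return {
        # 4xx/5xx (e.g. 414) means the server refused it; anything else needs a look.
        "verdict": "rejected" if status >= 400 else "investigate",
        "host": m.group("host"),
        "method": request.split(" ", 1)[0],
        "status": status,
        "length": len(request),
        "escaped_bytes": len(ESCAPED_BYTE_RE.findall(request)),
    }


def sample_lines():
    """Constructed sample records (not taken from a real log)."""
    prefix = '192.0.2.10 - - [07/Mar/2006:21:31:05 -0500] '
    long_uri = "/" + r"\x90" + r"\xc9" * 9999
    return [
        prefix + '"GET /index.html HTTP/1.1" 200 1043',
        prefix + '"SEARCH ' + long_uri + '" 414 339',
        prefix + '"SEARCH ' + long_uri + '" 200 512',
        prefix + '"SEARCH ' + long_uri,  # cut off before the status field
    ]


if __name__ == "__main__":
    for record in sample_lines():
        result = triage(record)
        if result:
            print(result)
```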
* Re: [gentoo-user] Apache security tips
From: Michael Stewart (vericgar) @ 2006-03-11 7:27 UTC
To: gentoo-user
Willie Wong wrote:
> On Fri, Mar 10, 2006 at 08:59:09PM -0500, Penguin Lover Jim squawked:
>
>>I was wondering if anyone has some easy to do tips for checking the
>>security of Apache. I am running Apache/2.0.55. Is Apache good with
>>handling bad URLs? I remember with an IIS server I used to have I
>>needed to install a url filter to help it out. I noticed that I get
>>requests like the following in my apache log:
>>
>>70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
>>/\x90\xc9\xc9\xc9\xc9\xc9\
>>
>>The above is one line and it is 30,000 characters long in the log file.
>>
You may want to look into mod_security for apache as well. IIRC it is
designed to protect from such attacks.
--
Michael Stewart vericgar@gentoo.org
Gentoo Developer http://dev.gentoo.org/~vericgar
GnuPG Key ID 0x08614788 available on http://pgp.mit.edu
* Re: [gentoo-user] Apache security tips
From: Jim @ 2006-03-11 18:19 UTC
To: gentoo-user
On 159610784 Willie Wong <wwong@Princeton.EDU> wrote:
> On Fri, Mar 10, 2006 at 08:59:09PM -0500, Penguin Lover Jim squawked:
>> I was wondering if anyone has some easy to do tips for checking the
>> security of Apache. I am running Apache/2.0.55. Is Apache good with
>> handling bad URLs? I remember with an IIS server I used to have I
>> needed to install a url filter to help it out. I noticed that I get
>> requests like the following in my apache log:
>>
>> 70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
>> /\x90\xc9\xc9\xc9\xc9\xc9\
>>
>> The above is one line and it is 30,000 characters long in the log file.
>>
>
> Near the end of that line should be the HTTP return code Apache gave
> for that request. What is it?
>
> On my box it always returns 414 (Request-URI too long), so I doubt it
> would be a problem, beyond a major annoyance when going through the
> logs with 'less'.
>
> A URI string like that is almost certainly a client trying to exploit
> a buffer overflow. I've never seen it being a problem with my
> (limited) experience running apache.
>
> HTH,
>
> W
I have not seen it be a problem either; Apache returned the same code for
me. I noticed it because I get "errors" from webalizer like:
Error: Skipping oversized log record
It is not a big deal. I just wanted to make sure I have apache locked
down OK.
The long entries look like someone trying to hack into IIS with requests
for exe files.
Thanks for the info,
Jim
* Re: [gentoo-user] Apache security tips
From: Jim @ 2006-03-11 19:39 UTC
To: gentoo-user
On 159600160 "Michael Stewart (vericgar)" <vericgar@gentoo.org> wrote:
> You may want to look into mod_security for apache as well. IIRC it is
> designed to protect from such attacks.
Thanks for the tip. I will give mod_security a try.
Jim