Preventing vulnerability scripts from scanning apache server
Quick question for you all - fairly frequently in my httpd logs I see things like this:
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /roundcube//bin/msgimport HTTP/1.1" 404 417 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /rc//bin/msgimport HTTP/1.1" 404 413 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /mss2//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail2//bin/msgimport HTTP/1.1" 404 416 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 420 "-" "Toata dragostea mea pentru diavola"
...
You get the idea, a vulnerability scanning script. As I don't install my web apps to standard or even remotely named installs I nearly always return 404s, but it is still irritating to watch. So my question is, is there a way to detect/mitigate such attacks, perhaps using mod_rewrite and known blocklists etc? Or is this something web server admins simply have to put up with?
Thanks.
Solution 1:
You can use mod_security or another web application firewall (WAF). This way the requests still hit your web server, but mod_security will filter out those that are marked as suspicious.
There are different possibilities to set up a WAF:
- on each webserver
- on a central reverse proxy
The best solution depends much on your setup, so there is no general answer, but the docs should help you decide which solution to take.
One more point to consider: a WAF adds some more complexity to your system, so be sure whether you want to use it or not.
Solution 2:
There's always Fail2Ban; set it to watch Apache's log and ban after ten 404s within a minute or something like that.
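As an added example (not from the original post and not Fail2Ban's own code), here is the rule this answer describes, "ban after ten 404s within a minute", implemented in Python as a sliding window over Apache combined-format log lines, alongside a User-Agent blocklist check for comparison. The sample log is constructed: the scanner IP, its User-Agent string and the first six probe paths are taken from the question; the remaining paths, the slow-scanner IP 198.51.100.7, the visitor IP 192.0.2.10 and all timings are invented. The parameters `maxretry` and `findtime` are named after the Fail2Ban jail options they mirror.

```python
"""Fail2Ban-style scanner detection over Apache access-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def find_scanners(lines, maxretry=10, findtime=60, statuses=(404,)):
    """Sliding-window version of the rule "ban after N 404s within T seconds".

    maxretry / findtime mirror the Fail2Ban jail options of the same names.
    Lines are expected in log (chronological) order.
    Returns {ip: time of the hit that crossed the threshold}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of matching hits still inside the window
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses or rec["ip"] in banned:
            continue
        window = recent[rec["ip"]]
        window.append(rec["time"])
        # Forget hits older than findtime seconds relative to the newest one.
        while (rec["time"] - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[rec["ip"]] = rec["time"]
    return banned


# User-Agent string taken from the log lines in the question; extend with your own blocklist.
KNOWN_SCANNER_AGENTS = {"Toata dragostea mea pentru diavola"}


def agent_blocklist_hits(lines, agents=KNOWN_SCANNER_AGENTS):
    """IPs whose User-Agent exactly matches a blocklisted scanner signature."""
    return {rec["ip"] for rec in map(parse_line, lines) if rec and rec["agent"] in agents}


# --- Constructed sample log (not real traffic). Base time is the one in the question. ---
BASE = datetime(2010, 1, 29, 11, 6, 44, tzinfo=timezone.utc)
SCANNER_UA = "Toata dragostea mea pentru diavola"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"  # invented ordinary browser UA


def mklog(ip, offset_s, path, status, agent):
    """Build one combined-format line offset_s seconds from BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TIME_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 417 "-" "{agent}"'


# First six paths are those in the question; the last four are invented for the example.
PROBE_PATHS = ["/roundcube//bin/msgimport", "/rc//bin/msgimport", "/mss2//bin/msgimport",
               "/mail//bin/msgimport", "/mail2//bin/msgimport", "/roundcubemail//bin/msgimport",
               "/webmail//bin/msgimport", "/rcmail//bin/msgimport", "/cube//bin/msgimport",
               "/email//bin/msgimport"]

SAMPLE_LOG = (
    # 198.51.100.7 (invented): the same ten probes, but one every five minutes (slow scan).
    [mklog("198.51.100.7", -3000 + 300 * i, p, 404, SCANNER_UA) for i, p in enumerate(PROBE_PATHS)]
    # 66.11.122.194: the burst from the question (malformed 400 first, then ten 404s in four seconds).
    + ['66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "%s"' % SCANNER_UA]
    + [mklog("66.11.122.194", i // 3, p, 404, SCANNER_UA) for i, p in enumerate(PROBE_PATHS)]
    # 192.0.2.10 (invented): an ordinary visitor with one broken link.
    + [mklog("192.0.2.10", 20, "/favicon.ico", 404, BROWSER_UA),
       mklog("192.0.2.10", 25, "/index.html", 200, BROWSER_UA)]
)

if __name__ == "__main__":
    print("burst rule (10 in 60 s):", find_scanners(SAMPLE_LOG))
    print("hourly rule (10 in 3600 s):", find_scanners(SAMPLE_LOG, findtime=3600))
    print("UA blocklist:", agent_blocklist_hits(SAMPLE_LOG))
```

With the defaults only the burst from the question trips the rule; the slow scanner is caught only when `findtime` is widened to an hour, which is the trade-off to think about when tuning a jail. The User-Agent match flags both scanners at once, but that string is chosen by the attacker and changes between tools, so it complements the rate rule rather than replacing it. Conversely, a 404-count rule can catch legitimate visitors behind a shared NAT or a site full of broken links, so keep `maxretry` generous and whitelist your own monitoring hosts.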
Solution 3:
Short answer - You can't. From the point of view of a web server that script is just another browser, albeit a misbehaving one. The best you can do is have the firewall detect and block such scans. The details will of course depend on which firewall you use.