Preventing vulnerability scripts from scanning apache server

apache-2.2 mod-rewrite vulnerabilities

Quick question for you all - fairly frequently in my httpd logs I see things like this:

66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /roundcube//bin/msgimport HTTP/1.1" 404 417 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /rc//bin/msgimport HTTP/1.1" 404 413 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /mss2//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail2//bin/msgimport HTTP/1.1" 404 416 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 420 "-" "Toata dragostea mea pentru diavola"
...

You get the idea, a vulnerability scanning script. As I don't install my web apps to standard or even remotely named installs I nearly always return 404s, but it is still irritating to watch. So my question is, is there a way to detect/mitigate such attacks, perhaps using mod_rewrite and known blocklists etc? Or is this something web server admins simply have to put up with?

Thanks.


Solution 1:

you can use mod_security or other web application firewalls (waf). this way the request still hit your webserver, but mod_security will filter out the request which are marked as suspicious.

there are different possibilities to setup a waf:

  • on each webserver
  • on a central reverse proxy

the best solution depends much on your setup, so there is no general answer. but the docs should help you to decide what solution to take.

one more point to consider:
a waf is adding some more complexity to your system, so be sure whether you want to use it or not.

Solution 2:

There's always Fail2Ban; set it to watch Apache's log and ban after ten 404s within a minute or something like that.

Solution 3:

Short answer - You can't. From the point of view of a web server that script is just another browser, albeit a misbehaving one. The best you can do is have the firewall detect and block such scans. The details will of course depend on which firewall you use.

Related

Maximum safe hard drive temperature?
How can you repair a corrupt ntbackup (.bkf) file?
update to samba 3.6.23-30 on RedHat server 6.7 breaks connections from clients on AD forest
Differences between SSH's tunnels and OpenVPN
What is the proper way to set up the Apache document root in terms of privileges?
Is it possible to connect 2 networks with same IP range?
Launching AWS Windows instance from snapshots?
How do I grant "log on as a service" permission to a (local) from the command-line?
CentOS 6.5 not bringing up network interface automatically after reboot [ifup eth0]
I want to inventory the hardware of my Linux systems using only ssh on the client end
OpenSSH use (public key or password) + google authenticator
How can I prevent Virtualmin from storing passwords in cleartext? [closed]