Aborting common security 'bot requests in Web Server 6.1

An untidy errors log makes me grumpy. An errors log filled with thousands of 404s from robots trying to find common CGIs (or other apps) that they can hijack really annoys me. So, similar to how I block requests for direct-linked images, I simply abort requests that hit common bad URIs:

# Aborts requests for common security holes
# This poisons my URI space, but I can easily reclaim a URI if I need it.
# This is the first thing below the opening of the default object in my
# obj.conf.
# These URIs have been gathered by scrubbing my errors log for
# suspiciously large blocks of "File Not Found" errors. I also found a certain
# number of commonly hit query strings attempting buffer overflows.
<Client match="any"
        uri="*(system32|root.exe|default.ida|FormMail|formmail|advanced_search.cgi|cgi/click|sp_login|partner.cgi|javascript.pl|.asp)*"
        query="*(wget|perl|system)*">

# The "set-variable" SAF can be used as part of any request processing stage.
# I'm using it as an AuthTrans for now. When this is executed a 412 gets thrown
# and the request is stopped.
AuthTrans fn="set-variable"
        abort="true"
        error="412"
</Client>

Voila! The server still has to go through the first steps of determining what has been requested, but then immediately terminates the request when we see it's for something we don't like. No stat() to the file system, etc.
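Because the rule "poisons" URI space, it helps to see exactly which requests it would claim before deploying it. The following is an added example, not part of the original post or the server's own code: a Python model of the two patterns above with match="any", run over constructed request targets. The wildcard-to-regex translation is an assumption that covers only the syntax used here (*, ?, and (a|b) alternation), and it assumes matching is case-sensitive and anchored to the whole string.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the <Client> block above.
URI_PATTERN = ("*(system32|root.exe|default.ida|FormMail|formmail|"
               "advanced_search.cgi|cgi/click|sp_login|partner.cgi|"
               "javascript.pl|.asp)*")
QUERY_PATTERN = "*(wget|perl|system)*"

def wildcard_to_regex(pattern):
    """Translate the wildcard subset used above to an anchored regex (assumed semantics)."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")          # any run of characters
        elif ch == "?":
            out.append(".")           # exactly one character
        elif ch in "(|)":
            out.append(ch)            # alternation group maps directly
        else:
            out.append(re.escape(ch)) # everything else is literal, including "."
    return re.compile("".join(out), re.DOTALL)

URI_RE = wildcard_to_regex(URI_PATTERN)
QUERY_RE = wildcard_to_regex(QUERY_PATTERN)

def would_abort(request_target):
    """match="any": abort when either the URI or the query string matches."""
    parts = urlsplit(request_target)
    uri_hit = URI_RE.fullmatch(parts.path) is not None
    query_hit = bool(parts.query) and QUERY_RE.fullmatch(parts.query) is not None
    return uri_hit or query_hit

# Constructed request targets: probes the rule is meant to stop, plus
# ordinary-looking requests that show how much URI space it claims.
SAMPLES = [
    "/scripts/root.exe?/c+dir",
    "/cgi-bin/formmail.pl",
    "/default.ida?XXXXXXXX",
    "/index.html?cmd=wget+x",
    "/index.html",
    "/docs/operating-systems.html",   # served: "system" is only checked in the query
    "/search?q=file+system+tuning",   # aborted: query contains "system"
    "/blog/why-i-left.aspx",          # aborted: ".asp" is a substring match
]

def report(samples=SAMPLES):
    return [(target, would_abort(target)) for target in samples]
```

The last two samples are the false positives to look for in your own access log before adopting the rule: any query string containing "system" and any path containing ".asp" will receive the 412.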

About

jmccabe
