http://www.perlmonks.org?node_id=354340


in reply to How can I stop webdav exploits from hitting my server?

There is no way for mod_perl or CGI to prevent those requests from reaching the server - by the time they are recognised as being attacks, they have already reached the server.

You could write a simple module that would throw away the requests before Apache logged them. But that would just be hiding, not solving the problem.

You could use iptables or a similar built-in firewall to block any requests from the "attacking" IP - but with time that could mean you will have to administer a growing list of IPs that were blocked due to various attacks.

Your best bet is to use the whois information to get the contact info for the system's caretaker (or their provider) and write to them, asking them to take appropriate steps to stop the scanning.

Re: Re: How can I stop webdav exploits from hitting my server?
by hsinclai (Deacon) on May 19, 2004 at 01:53 UTC
    Totally off the topic of Perl but..

    Use iptables if on Linux; you need the string filtering module, e.g.

    $IPT -A INPUT -p tcp --destination-port 80 -m string --string "SEARCH" -j REJECT --reject-with tcp-reset
    and the same rule beforehand with a LOG target..

    Matching a length with iptables failed for me - I couldn't figure out the real length. I think the reason is what shows up in your logs is not what's on the wire -- which is hex. As I read, you can use the hex-string module for iptables, but you have to build this by hand and recompile your kernel..

    What you can do with perl :^P is to parse your log files to see how successful you've been in blocking it.

    Also turn off icmp with iptables. IIRC that exploit begins after a good ping. I've eliminated them totally using the above..

    -harold
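
The log check suggested in the reply above, as an added example that is not part of the original posts. It assumes Apache common or combined log format; the function name, sample lines and addresses are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): tally WebDAV SEARCH probes in
# Apache common/combined log lines, per day and per source address.
use strict;
use warnings;

my %MON;
@MON{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = 1 .. 12;

# Returns (\%per_day, \%per_ip, $longest_logged_request_length).
sub tally_search {
    my @lines = @_;
    my (%per_day, %per_ip);
    my $longest = 0;
    for my $line (@lines) {
        # host ident user [dd/Mon/yyyy:time zone] "METHOD rest" status ...
        next unless $line =~
            m{^(\S+) \S+ \S+ \[(\d{2})/(\w{3})/(\d{4}):[^\]]*\] "(\S+) ?([^"]*)" \d{3}};
        my ($ip, $d, $m, $y, $method, $rest) = ($1, $2, $3, $4, $5, $6);
        next unless $method eq 'SEARCH' && $MON{$m};
        my $day = sprintf('%04d-%02d-%02d', $y, $MON{$m}, $d);   # sortable key
        $per_day{$day}++;
        $per_ip{$ip}++;
        # Length as logged (with \xNN escapes), not the byte count on the wire.
        $longest = length($rest) if length($rest) > $longest;
    }
    return (\%per_day, \%per_ip, $longest);
}

# Constructed sample lines (documentation addresses, shortened requests).
my @sample = split /\n/, <<'LOG';
192.0.2.10 - - [17/May/2004:03:12:44 +0000] "SEARCH /\x90\x02\xb1\x02\xb1" 414 339
192.0.2.10 - - [17/May/2004:09:40:02 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1" 414 339
198.51.100.7 - - [18/May/2004:11:05:19 +0000] "SEARCH /\x90\x02\xb1" 414 339
203.0.113.5 - - [18/May/2004:11:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [19/May/2004:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
LOG

my ($per_day, $per_ip, $longest) = tally_search(@sample);
print "SEARCH requests logged per day:\n";
printf "  %s  %d\n", $_, $per_day->{$_} for sort keys %$per_day;
print "SEARCH requests per source:\n";
printf "  %-15s %d\n", $_, $per_ip->{$_}
    for sort { $per_ip->{$b} <=> $per_ip->{$a} || $a cmp $b } keys %$per_ip;
print "Longest logged request: $longest characters\n";
```

A day that drops out of the per-day list after the firewall rule went in means the probes are no longer reaching Apache; the matching LOG rule's entries in the kernel log show what was rejected instead.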