Re: How can I stop webdav exploits from hitting my server?

by matija (Priest)
on May 18, 2004 at 16:36 UTC (#354340)

in reply to How can I stop webdav exploits from hitting my server?

There is no way for mod_perl or CGI to prevent those requests from reaching the server - by the time they are recognised as being attacks, they have already reached the server.

You could write a simple module that would throw away the requests before Apache logged them. But that would just be hiding, not solving the problem.

You could use iptables or similar built-in firewall to block any requests from the "attacking" IP - but with time that could mean you will have to administer a growing list of IPs that were blocked due to various attacks.

Your best bet is to use the whois information to get the contact info for the system's caretaker (or their provider) and write to them, asking them to take appropriate steps to stop the scanning.

Re: Re: How can I stop webdav exploits from hitting my server?
by hsinclai (Deacon) on May 19, 2004 at 01:53 UTC
    Totally off the topic of Perl but..

    use iptables if on Linux, you need the string filtering module, e.g.

    $IPT -A INPUT -p tcp --destination-port 80 -m string --string "SEARCH" -j REJECT --reject-with tcp-reset
    and the same rule beforehand with a LOG target..

    Matching a length with iptables failed for me - I couldn't figure out the real length. I think the reason is what shows up in your logs is not what's on the wire -- which is hex as I read you can use the hex-string module for iptables, but you have to build this by hand and recompile your kernel..

    What you can do with perl :^P is to parse your log files to see how successful you've been in blocking it.

    Also turn off icmp with iptables. IIRC that exploit begins after a good ping. I've eliminated them totally using the above..
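
The log check suggested in the reply above, as an added example that is not code from either poster: it counts SEARCH requests in an Apache access log per day, per client and per status, so the daily totals can be compared before and after a firewall rule goes in. It assumes the common/combined log format; `tally_search` is a hypothetical name and the sample lines are constructed.

```perl
#!/usr/bin/perl
# Added example: tally WebDAV SEARCH requests in an Apache access log.
use strict;
use warnings;

# Constructed sample lines (common log format, documentation addresses).
my @sample = (
    '192.0.2.10 - - [17/May/2004:03:12:44 +0000] "SEARCH /\x90\x02\xb1 HTTP/1.1" 414 320',
    '192.0.2.10 - - [17/May/2004:03:12:51 +0000] "SEARCH /\x90\x02\xb1 HTTP/1.1" 414 320',
    '198.51.100.7 - - [17/May/2004:09:40:02 +0000] "SEARCH /\x90\"\xb1 HTTP/1.1" 414 320',
    '203.0.113.5 - - [17/May/2004:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/May/2004:02:15:30 +0000] "SEARCH / HTTP/1.1" 501 290',
    '203.0.113.5 - - [19/May/2004:11:22:40 +0000] "GET /search.html HTTP/1.1" 200 2048',
);

# tally_search (hypothetical helper): returns three hash refs keyed by
# day, client address and HTTP status, counting only the SEARCH method.
sub tally_search {
    my ($lines) = @_;
    my (%per_day, %per_ip, %per_status);
    for my $line (@$lines) {
        # host ident user [day:time zone] "METHOD rest-of-request" status ...
        # Apache logs an embedded quote as \" so the request part allows escapes.
        next unless $line =~
            m{^(\S+) \S+ \S+ \[([^:\]]+):[^\]]*\] "(\S+)(?:[^"\\]|\\.)*" (\d{3}) };
        my ($ip, $day, $method, $status) = ($1, $2, $3, $4);
        next unless $method eq 'SEARCH';   # a GET of /search.html is not counted
        $per_day{$day}++;
        $per_ip{$ip}++;
        $per_status{$status}++;
    }
    return (\%per_day, \%per_ip, \%per_status);
}

# Read the log files named on the command line, or fall back to the sample.
my @lines = @ARGV ? <> : @sample;
my ($day, $ip, $status) = tally_search(\@lines);

print "SEARCH requests per day (sorted as strings):\n";
printf "  %-12s %d\n", $_, $day->{$_} for sort keys %$day;
print "SEARCH requests per client:\n";
printf "  %-15s %d\n", $_, $ip->{$_}
    for sort { $ip->{$b} <=> $ip->{$a} || $a cmp $b } keys %$ip;
print "SEARCH requests per status:\n";
printf "  %s %d\n", $_, $status->{$_} for sort keys %$status;
```

If the REJECT rule resets the connection before Apache receives the request, the per-day count should fall to zero from the day the rule was added; the LOG rule's kernel log entries then become the record of what was dropped.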

