From owner-freebsd-security Thu Jun 14 12:22:30 2001
Date: Thu, 14 Jun 2001 21:22:41 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Yonatan Bokovza <Yonatan@xpert.com>
Cc: freebsd-security@freebsd.org
Subject: Re: apache security question
Message-ID: <20010614212241.G49807@mail.webmonster.de>
In-Reply-To: message from Yonatan@xpert.com on Thu, Jun 14, 2001 at 09:34:09PM +0300
User-Agent: Mutt/1.2.5i

Yonatan Bokovza (Yonatan@xpert.com) @ 2001.06.14 21:34:09 +0000:
> and if you're totally paranoid and this is
> the only instance you saw "HEAD /" in the logs,
> you might consider filtering this IP in your firewall.

hell no, apache has instrumentation for this:

<Limit HEAD>
order deny,allow
deny from all
</Limit>

if you have it in a <Directory> section you might also use <LimitExcept> instead of <Limit>. i propose, anyway, you consult the HTTP 1.1 protocol specs _before_ doing this since you will break several things, including in-between proxy functionality. the specs are available at http://www.w3c.org/

> You do have a firewall, right?

why? for a web-only server? *grin* the only service that listens is httpd on tcp port 80; for severe network scanning and synflood handling consult the blackhole(4) man page. so, what for do you need a firewall now? ;-) ipopts? short packets? okay, but you can do that on the box itself, again. icmp storms and the like cannot be handled efficiently by most firewalling products, so you want to implement it on the connected next tier equipment or even the border of your network.

> > I attempted this in telnet and got a 'method not supported'
> > message. ... I'm
> > just being extra careful lately because I know that this guy
> > is trying to do
> > things to my box... whatever this was, it didn't work so... thanks

i think you already have some serious misconfiguration on your box, or you did not ask the right question to your webserver ;-)

---
rohrbach@WM:datasink[~]5% telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 14 Jun 2001 19:15:58 GMT
Server: Apache/1.3.19 (Unix)
Connection: close
Content-Type: text/html

Connection closed by foreign host.
---

> > > > mydomainname.com otherguyshostname.com - -
> > [12/Jun/2001:18:21:35 -0500]
> > > > "HEAD / HTTP/1.0" 200 0 "-"

this is not an intrusion attempt. this might be a survey to find out your software version and extension modules. do not obscure hostnames in mails, it will lead to more confusion than really helpful replies.

> > > > It appears to me like they somehow executed the 'head'
> > command... how
> > would
> > > > one do this, and how could you stop it?

HTTP HEAD gives you the headers of the corresponding GET operation. different from GET, where you will also get the object data, HEAD transmits only the headers like with GET but no (file) object data.

/k
--
> Microsoft isn't the answer.
Microsoft is the question, and the answer is no.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
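The HEAD-versus-GET point and the "200 0" access-log entry discussed in the mail above, as an added example that is not part of the original thread or of Apache: a minimal Python 3 standard-library HTTP server that answers GET and HEAD the way RFC 2616 section 9.4 requires (same status and headers, no entity body for HEAD), a client that compares the two responses, and a parser for a virtual-host-style access log line of the shape quoted above. The server product name ExampleHTTPd, the hostname and client address in the sample log line, and the HTML body are made up for this example.

```python
"""Added example (not from the original mail): HEAD vs GET on a local
HTTP server, plus parsing of a HEAD entry from a constructed access log."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample document served by the example server.
BODY = b"<html><body>hello</body></html>\n"

# Constructed access log line in the "%v %h %l %u %t \"%r\" %>s %b" shape
# quoted in the thread; hostname and address are documentation values.
SAMPLE_LOG_LINE = (
    'www.example.test 192.0.2.10 - - [12/Jun/2001:18:21:35 -0500] '
    '"HEAD / HTTP/1.0" 200 0 "-"'
)


class Handler(BaseHTTPRequestHandler):
    # Hypothetical server banner; a real deployment would not advertise details.
    server_version = "ExampleHTTPd/0.1"

    def _send_headers(self):
        # Status and headers are produced by one routine so that GET and HEAD
        # answer identically, which is what RFC 2616 9.4 requires of HEAD.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(BODY)  # GET carries the object data

    def do_HEAD(self):
        self._send_headers()  # HEAD carries headers only, zero body bytes

    def log_message(self, fmt, *args):
        pass  # keep the example quiet on stderr


def start_server():
    """Bind to an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(port, method, path="/"):
    """Send one request and return (status, lower-cased header dict, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    body = resp.read()  # http.client knows a HEAD response has no body
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def compare_head_get(port):
    """Show that HEAD returns the GET headers and status with an empty body."""
    hs, hh, hb = request(port, "HEAD")
    gs, gh, gb = request(port, "GET")
    return {
        "head_status": hs,
        "get_status": gs,
        "head_body_len": len(hb),
        "get_body_len": len(gb),
        "same_header_names": set(hh) == set(gh),
        # Content-Length on HEAD announces the size GET would have transferred.
        "content_length_matches": hh.get("content-length") == str(len(gb)),
    }


LOG_LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log_line(line):
    """Extract method, status and response size; '-' in %b means zero bytes."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


if __name__ == "__main__":
    srv = start_server()
    print(compare_head_get(srv.server_address[1]))
    srv.shutdown()
    print(parse_access_log_line(SAMPLE_LOG_LINE))
```

The "200 0" in the quoted log line is exactly what a well-formed HEAD produces: the server answered successfully and sent no body bytes, so the size field is zero. A log review that treats HEAD as suspicious should instead look at volume and at which paths are probed, not at the method itself.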