Date:      Thu, 14 Jun 2001 21:22:41 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Yonatan Bokovza <Yonatan@xpert.com>
Cc:        "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject:   Re: apache security question
Message-ID:  <20010614212241.G49807@mail.webmonster.de>
In-Reply-To: <EB513E68D3F5D41191CA00025558810150D448@mailserv.xpert.com>; from Yonatan@xpert.com on Thu, Jun 14, 2001 at 09:34:09PM +0300
References:  <EB513E68D3F5D41191CA00025558810150D448@mailserv.xpert.com>



Yonatan Bokovza(Yonatan@xpert.com)@2001.06.14 21:34:09 +0000:
> and if you're totally paranoid and this is
> the only instance you saw "HEAD /" in the logs,
> you might consider filtering this IP in your firewall.

hell no, apache has instrumentation for this:
<Directory /where/ever/the/www/root/for/html/docs/is>
    <Limit HEAD>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

if you have it in a <VirtualHost> section you might also use <Location>
instead of <Directory>

i propose, anyway, you consult the HTTP 1.1 protocol specs _before_
doing this since you will break several things, including in-between
proxy functionality. the specs are available at http://www.w3c.org/

> You do have a firewall, right?

why? for a web-only server? *grin*
the only service that listens is httpd on tcp port 80, for severe
network scanning and synflood handling consult the blackhole(4) man
page.

so, what do you need a firewall for now? ;-) ipopts? short packets?
okay, but you can do that on the box itself, again.

icmp storms and the like cannot be handled efficiently by most
firewalling products, so you want to implement it on the connected next
tier equipment or even the border of your network.

> > I attempted this in telnet and got a 'method not supported'
> > message. ... I'm
> > just being extra careful lately because I know that this guy
> > is trying to do
> > things to my box... whatever this was, it didn't work so... thanks

i think you already have some serious misconfiguration on your box, or
you did not ask the right question to your webserver ;-)

---
rohrbach@WM:datasink[~]5% telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 14 Jun 2001 19:15:58 GMT
Server: Apache/1.3.19 (Unix)
Connection: close
Content-Type: text/html

Connection closed by foreign host.
---

> > > > mydomainname.com otherguyshostname.com - -
> > [12/Jun/2001:18:21:35 -0500]
> > > > "HEAD / HTTP/1.0" 200 0 "-"

this is not an intrusion attempt. this might be a survey to find out
your software version and extension modules. do not obscure hostnames in
mails, it will lead to more confusion than really helpful replies.

> > > > It appears to me like they somehow executed the 'head'
> > command... how
> > would
> > > > one do this, and how could you stop it?

HTTP HEAD gives you the headers of the corresponding GET operation.
different from GET, where you will also get the object data, HEAD
transmits only the headers like with GET but no (file) object data.

/k

-- 
> Microsoft isn't the answer. Microsoft is the question, and the answer is no.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46

