Denying the Worms
I run Apache on my home box. As a result, I get the regular set of script kiddies coming in to see if they can break in. Checking for awstats.pl, phpBB, and the like.
But along with those, I've been getting regular requests for '/' from people on my subnet. It looks like a milder version of the logs we used to get when Code Red was at its peak. The distinguishing characteristic in the logs is that the user agent (browser) is blank.
Well, my root doc is 60k+, and having it hit up to a couple dozen times a day by worms is just a nuisance. So I started poking around in Apache to figure out how to refuse them. It wound up being a tiny bit trickier than I expected; here's what I did:
Getting to that point held a pitfall, though. In the logs, the user agent was displayed as "-". So my first shot at a BrowserMatch string was "-", but that matched anything with a dash, i.e. everything. I then tried "^-$" and "^-", but then nothing matched. On Freenode's #apache channel, bare-foot suggested that since the dash is displayed in place of an empty string, that perhaps "^$" would work, and it did.
Prior to getting on irc, I was trying to figure out how to display environment variables, and did manage to change my LogFormat to include "%{agent-deny}e", which indicated that my variable wasn't being set. I then changed the string to match my browser, and saw that it was being set, narrowing my problem down to the regex.
Anyway, now all the bots get is a 295-byte 403 response, and my world is a little bit nicer.
But along with those, I've been getting regular requests for '/' from people on my subnet. It looks like a milder version of the logs we used to get when Code Red was at its peak. The distinguishing characteristic in the logs is that the user agent (browser) is blank.
Well, my root doc is 60k+, and having it hit up to a couple dozen times a day by worms is just a nuisance. So I started poking around in Apache to figure out how to refuse them. It wound up being a tiny bit trickier than I expected; here's what I did:
<IfModule mod_setenvif.c>
...
BrowserMatch "^$" agent-deny
...
</IfModule>
...
<Directory /whatever>
<IfModule mod_access.c>
Order Allow,Deny
Allow from all
Deny from env=agent-deny
</IfModule>
</Directory>
Getting to that point held a pitfall, though. In the logs, the user agent was displayed as "-". So my first shot at a BrowserMatch string was "-", but that matched anything with a dash, i.e. everything. I then tried "^-$" and "^-", but then nothing matched. On Freenode's #apache channel, bare-foot suggested that since the dash is displayed in place of an empty string, that perhaps "^$" would work, and it did.
Prior to getting on irc, I was trying to figure out how to display environment variables, and did manage to change my LogFormat to include "%{agent-deny}e", which indicated that my variable wasn't being set. I then changed the string to match my browser, and saw that it was being set, narrowing my problem down to the regex.
Anyway, now all the bots get is a 295-byte 403 response, and my world is a little bit nicer.
posted by Dave at Wednesday, August 24, 2005
0 Comments:
Post a Comment
<< Home