Posted to users@httpd.apache.org by Merton Campbell Crockett <m....@roadrunner.com> on 2008/06/13 18:41:25 UTC

[users@httpd] Rejecting Invalid URL With a 503 Status

It's been a few years since I've done any extensive work with Apache  
and could use some help with a server that I've inherited.

The Apache server is configured with a <VirtualHost> that is used to  
support a single, web-based collaboration tool.  The URLs used to  
access the collaboration tool are in the following format.

	https://host.domain.com/anonymous/...
	https://host.domain.com/registered/...
	https://host.domain.com/resources/...

The strings--anonymous, registered, and resources--have an associated  
Alias that defines which <Location> container to be used to access a  
collaboration workspace.  The anonymous string is only used for  
registering a new user as a member of a collaboration workspace.

Looking at the Apache access log, it's clear that Apache is processing  
a lot of requests from systems probing for vulnerabilities.  Rather  
than have Apache process the request, I would like to immediately  
reject all requests with a 503, Service Unavailable, status.

Can this be done with a series of RewriteCond statements specifying  
each of the permitted strings followed by a RewriteRule that rejects  
the request and terminates processing?  Is there a better way of  
accomplishing this?

Merton Campbell Crockett
m.c.crockett@roadrunner.com




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Rejecting Invalid URL With a 503 Status

Posted by André Warnier <aw...@ice-sa.com>.

Merton Campbell Crockett wrote:
> 
> On 13 Jun 2008, at 09:47:43, Joshua Slive wrote:
> 
>> On Fri, Jun 13, 2008 at 12:41 PM, Merton Campbell Crockett
>> <m....@roadrunner.com> wrote:
>>

If I may add my grain of salt: often the issue is that such error 
messages end up cluttering the logfile, consuming megabytes and making 
it more time-consuming to find real errors that one should track down.
One case in point is the "GET /_vti_bin/.." stuff generated by some IE 
clients.  One knows what they are, one knows that they'll end up being 
rejected, and one is tired of finding them all over.  So one would 
appreciate some nice and efficient way to reject them early on, and not 
even having them logged.
And one knows that this might cause one some time in the future to 
overlook some things one shouldn't.




Re: [users@httpd] Rejecting Invalid URL With a 503 Status

Posted by Nick Kew <ni...@webthing.com>.
On Fri, 13 Jun 2008 16:06:45 -0400
"Joshua Slive" <jo...@slive.ca> wrote:

> Otherwise, mod_rewrite could certainly be used. If you want the
> uber-powerful approach, mod_security can also do stuff like this.

Indeed, normal Allow/Deny is the correct and best way to do this.
mod_security is an alternative if you need things to happen early,
but if Allow/Deny is too late for you that probably points to a
problem in your application.  mod_rewrite will work, but is the
least likely to be the best tool for the job.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/



Re: [users@httpd] Rejecting Invalid URL With a 503 Status

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, Jun 13, 2008 at 3:40 PM, Merton Campbell Crockett
<m....@roadrunner.com> wrote:

> Basically, I'm tired of the bullshit.  I don't want to spend my life filling
> out forms explaining to those that haven't a clue that their "vulnerability"
> is a false positive.  I want to configure Apache to reject all requests that
> cannot possibly be supported by the collaboration tool.

Ok. Sounds like a tough life ;-)

Something as simple as this might work (although I haven't tested it):

<Location />
Order Deny,Allow
Deny from all
</Location>

<Location /letmein>
Order Deny,Allow
Allow from all
</Location>

This will get you 403 rather than 503.

Otherwise, mod_rewrite could certainly be used. If you want the
uber-powerful approach, mod_security can also do stuff like this.

Joshua.
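A worked configuration for the three prefixes from the original post, putting Joshua's deny-by-default Location layout into the poster's VirtualHost, beside a mod_rewrite variant that ends the request with the 503 Merton asked for, and the conditional-logging trick for the scanner noise André mentions. This is an added example, not configuration from anyone in the thread; the ServerName, the log path, the `dontlog` variable name and the Alias targets are assumptions or placeholders, and the 503 variant relies on the documented behaviour of the R= flag with a non-3xx code (the substitution is dropped and rewriting stops, so the request ends with that status).

```apache
# Assumed host name, taken from the URLs in the original post.
<VirtualHost *:443>
    ServerName host.domain.com
    # SSL directives omitted. The Alias targets below are placeholders,
    # not the real paths of the collaboration tool.
    Alias /anonymous  /PLACEHOLDER/anonymous
    Alias /registered /PLACEHOLDER/registered
    Alias /resources  /PLACEHOLDER/resources

    # 1) Allow/Deny (Apache 2.2 syntax), the route Nick Kew recommends.
    #    Deny everything, then re-open only the three prefixes the tool
    #    actually serves. Everything else is refused with 403 in the
    #    access-control phase, before any handler for the tool runs.
    #    Sections are applied in configuration order, so the later
    #    LocationMatch wins for the paths it matches.
    <Location />
        Order Deny,Allow
        Deny from all
    </Location>
    <LocationMatch "^/(anonymous|registered|resources)(/|$)">
        Order Deny,Allow
        Allow from all
    </LocationMatch>

    # 2) mod_rewrite variant; use this instead of 1) only if the status
    #    really has to be 503 rather than 403. The rule runs in the
    #    URI-translation phase, before access control and before Alias,
    #    so nothing of the tool is touched for an unknown prefix.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/(anonymous|registered|resources)(/|$)
    RewriteRule ^ - [R=503,L]

    # 3) Keep known scanner noise out of the access log (André's point):
    #    tag the request with an environment variable and log only
    #    untagged requests. The variable name and log path are assumed.
    SetEnvIf Request_URI "^/_vti_bin/" dontlog
    CustomLog /var/log/apache2/access_log combined env=!dontlog
</VirtualHost>
```

Whichever of 1) or 2) is used, the refusal happens before the request reaches the collaboration tool, which is what the original post is after; 3) only changes what is logged, so keep it narrow (a specific prefix, not the whole refused set) if the rejections are still worth reviewing later.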



Re: [users@httpd] Rejecting Invalid URL With a 503 Status

Posted by Merton Campbell Crockett <m....@roadrunner.com>.
On 13 Jun 2008, at 09:47:43, Joshua Slive wrote:

> On Fri, Jun 13, 2008 at 12:41 PM, Merton Campbell Crockett
> <m....@roadrunner.com> wrote:
>
>> Looking at the Apache access log, it's clear that Apache is  
>> processing a lot
>> of requests from systems probing for vulnerabilities.  Rather than  
>> have
>> Apache process the request, I would like to immediately reject all  
>> requests
>> with a 503, Service Unavailable, status.
>
> Can I ask: Why? Apache has to process the request one way or the other
> in order to send back an error response. What's the difference if the
> error response is a 404 or a 503?

I don't really care whether the status returned is 404, 503, or some  
other code as long as it does not require me to identify why the  
request is being rejected.

Why?  Most of the requests are rejected because the file doesn't  
exist; however, Apache does perform some action on some requests  
beyond determining whether or not the file exists.  I do not want  
Apache to perform these actions.

>> Can this be done with a series of RewriteCond statements specifying  
>> each of
>> the permitted strings followed by a RewriteRule that rejects the  
>> request and
>> terminates processing?  Is there a better way of accomplishing this?
>
> Yes, you could do this with mod_rewrite, but I don't see the point.

Does your company or organization have a Security Operations Center  
(SOC) that does nothing but scan for potential vulnerabilities?  If  
so, do they insist that you make changes to your Apache configuration  
even though the "vulnerability" doesn't exist?

Basically, I'm tired of the bullshit.  I don't want to spend my life  
filling out forms explaining to those that haven't a clue that their  
"vulnerability" is a false positive.  I want to configure Apache to  
reject all requests that cannot possibly be supported by the  
collaboration tool.



Merton Campbell Crockett
m.c.crockett@roadrunner.com






Re: [users@httpd] Rejecting Invalid URL With a 503 Status

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, Jun 13, 2008 at 12:41 PM, Merton Campbell Crockett
<m....@roadrunner.com> wrote:

> Looking at the Apache access log, it's clear that Apache is processing a lot
> of requests from systems probing for vulnerabilities.  Rather than have
> Apache process the request, I would like to immediately reject all requests
> with a 503, Service Unavailable, status.

Can I ask: Why? Apache has to process the request one way or the other
in order to send back an error response. What's the difference if the
error response is a 404 or a 503?

>
> Can this be done with a series of RewriteCond statements specifying each of
> the permitted strings followed by a RewriteRule that rejects the request and
> terminates processing?  Is there a better way of accomplishing this?

Yes, you could do this with mod_rewrite, but I don't see the point.
