Posted to users@httpd.apache.org by John Rodenbiker <jr...@rodenbiker.net> on 2006/03/10 22:58:41 UTC

[users@httpd] Blocking invalid URIs?

I'm very new to running a web server.

Is there a way to have httpd drop requests to URIs that don't actually 
exist in my environment?

For example, if I have a very simple web site with just the document 
"index.html" I don't want people trying to access 
"../../../../../users/john/secretstuff". I would prefer such attempts 
be dropped, logged, and an alert thrown to my mailbox or a script that 
calls my cell phone.

If such functionality exists, is there a way for httpd to automatically 
figure out which URIs are valid and which are not without me changing a 
database, config file, etc. every time I update my site?

It seems like this is an obvious way to prevent a host of attacks on my 
web server like buffer-overflow attempts, attempts to exploit a 
mis-configuration of the server, cross-site scripting attacks, etc. I 
just can't figure out where to look to turn this on and configure it.

Thanks.
-- 
Freedom, Truth, Love, Beauty.
John Rodenbiker
jrodenbiker@rodenbiker.net



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Blocking invalid URIs?

Posted by Kishore Jalleda <kj...@gmail.com>.
Check out Snort (http://snort.org); it has the ability to detect many
web-based attacks ...

Kishore Jalleda

On 3/10/06, John Rodenbiker <jr...@rodenbiker.net> wrote:
>
> I'm very new to running a web server.
>
> Is there a way to have httpd drop requests to URIs that don't actually
> exist in my environment?
>
> For example, if I have a very simple web site with just the document
> "index.html" I don't want people trying to access
> "../../../../../users/john/secretstuff". I would prefer such attempts
> be dropped, logged, and an alert thrown to my mailbox or a script that
> calls my cell phone.
>
> If such functionality exists, is there a way for httpd to automatically
> figure out which URIs are valid and which are not without me changing a
> database, config file, etc. every time I update my site?
>
> It seems like this is an obvious way to prevent a host of attacks on my
> web server like buffer-overflow attempts, attempts to exploit a
> mis-configuration of the server, cross-site scripting attacks, etc. I
> just can't figure out where to look to turn this on and configure it.
>
> Thanks.
> --
> Freedom, Truth, Love, Beauty.
> John Rodenbiker
> jrodenbiker@rodenbiker.net
>
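
The "log it and alert me" half of the question can be prototyped against the access log. The following is an added example, not part of the original thread and not code from the Apache or Snort projects. It assumes the log is in Apache's Common Log Format; the names CLF, fully_decode, escapes_root, scan and SAMPLE are hypothetical, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def fully_decode(path, rounds=3):
    """Percent-decode several times so double-encoded %252e%252e becomes '..'."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def escapes_root(raw_path):
    """True if the decoded path ever climbs above the document root."""
    depth = 0
    for seg in fully_decode(raw_path).replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def scan(lines):
    """Return (client, reason, target) for each log line worth an alert."""
    alerts = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            alerts.append(("?", "unparseable", line))
            continue
        client, target, status = m.groups()
        if escapes_root(target.split("?", 1)[0]):
            alerts.append((client, "traversal", target))
        elif status == "404":
            alerts.append((client, "not-found", target))
    return alerts

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2006:22:58:41 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [10/Mar/2006:22:59:02 +0000] "GET /../../../../../users/john/secretstuff HTTP/1.1" 400 226',
    '198.51.100.7 - - [10/Mar/2006:22:59:05 +0000] "GET /..%252f..%252fusers/john/secretstuff HTTP/1.1" 404 209',
    '203.0.113.5 - - [10/Mar/2006:23:01:17 +0000] "GET /old/page.html HTTP/1.1" 404 209',
    '192.0.2.10 - - [10/Mar/2006:23:02:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for client, reason, target in scan(SAMPLE):
        print(f"{reason:10} {client:15} {target}")
```

The last sample line is not flagged because its ".." stays inside the document root; only paths that would climb above it count as traversal.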