Denying Hackers

Denying Hackers

Post by Dave Koch » Wed Aug 14, 2002 7:51 pm

Hi:

Viewing my log files, I see a LOT of hacking attempts. Wimpy attempts, to be sure, but like a lot of you, it is a pi**-off.

So I started messing around, and came up with this. Thought I'd bounce it off you guys, and see what you think!

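RewriteEngine on
# Probe paths seen in the logs. [F] answers 403 Forbidden; "-" with only [L] would let the request through unchanged.
RewriteRule ^/(scripts|MSADC|_vti_bin|cgi-bin|MSOffice)/(.+)$ - [NC,F]
RewriteRule ^(.*)/system32/(.*)$ - [NC,F]
RewriteRule \.(ida)(.*)$ - [NC,F]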

I just looked at a bunch of the different accesses, found common denominators, and just tried to match those as best as possible.

Please, make changes, let me know!

dave
Dave Koch
 

Denying hackers

Post by Jonas_E_SE » Wed May 28, 2003 4:06 am

Personally I use the stuff below, in a reverse-proxy server. It works well and stops a majority of the exploits I've seen. Takes load off the actual web servers as well, as it's in the proxy.

--8<--
RewriteEngine On
RewriteOptions inherit
RewriteLog logs/rewrite_log

# Windows system directories, anywhere in the path or query string
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system/(.*) [NC,OR]
# Executables and DLLs; (\?|$) ends the file name at the "?" or at end of input
# (written inside [...] it would be a character class, not an alternation)
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/cmd\.exe(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/scripts/root\.exe(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadc/root\.exe(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\\\.\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/admin\.dll(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadcs\.dll(\?|$) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/ext\.dll(\?|$) [NC,OR]
# Any path segment that starts with a dot
RewriteCond %{REQUEST_URI} (.*)/\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/php\.exe(\?|$) [NC,OR]
# Markup and pipe characters
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\<(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\>(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\|(.*) [OR]
# Over-long URI or query string
RewriteCond %{REQUEST_URI} (.{255,}) [OR]
RewriteCond %{QUERY_STRING} (.{127,}) [OR]
# Control characters, DEL and 0xff ("|" is already covered above)
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x00-\x1f]+ [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x7f\xff]+
# [F] answers 403 Forbidden; the substitution URL is not used for the response
RewriteRule (.*) http://monty.frukt.org/error/filtered.html [NC,F]
--8<--

As you can see it returns a forbidden answer for a whole bunch of stuff.
Jonas_E_SE
 
Posts: 1
Joined: Wed May 28, 2003 4:02 am
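
A filter like the one in this thread can be checked offline for false positives before it goes onto a proxy. The script below is an added example, not code from either post: it models the condition chain in Python, assuming Python's `re` behaves like Apache's regex engine for these patterns, with related conditions merged into single alternations and all sample requests constructed.

```python
import re

# Model of the RewriteCond chain from the reverse-proxy post (added example).
# Assumptions: Python's re stands in for Apache's regex engine, and related
# conditions are merged into one alternation each.
# Entry: (subject to test, pattern, case-insensitive as with [NC])
CONDS = [
    ("both", r"/(winnt|windows)/system(32)?/", True),
    ("both", r"/(cmd|php)\.exe(\?|$)", True),
    ("both", r"/(scripts|msadc)/root\.exe(\?|$)", True),
    ("both", r"\\\.\.", True),
    ("both", r"/(admin|msadcs|ext)\.dll(\?|$)", True),
    ("uri", r"/\.", True),
    ("both", r"[<>|]", False),
    ("uri", r".{255,}", False),
    ("query", r".{127,}", False),
    ("both", r"[\x00-\x1f\x7f\xff]", False),
]

# A terminator written inside [...] is a character class, so it also accepts
# a literal "." or "(" after the file name and over-blocks.
CLASS_FORM = r"/cmd\.exe[$|\?(.*)]"


def blocked_by(uri, query=""):
    """Return the first pattern that would trigger the 403, or None."""
    subject = {"uri": uri, "query": query, "both": f"{uri}?{query}"}
    for target, pattern, nocase in CONDS:
        if re.search(pattern, subject[target], re.I if nocase else 0):
            return pattern
    return None


# Constructed requests: (URI, query string).
SAMPLES = [
    ("/index.html", ""),
    ("/scripts/root.exe", ""),
    ("/a/WINNT/system32/x", ""),
    ("/.well-known/security.txt", ""),  # legitimate, but matches "/\."
    ("/search", "q=" + "a" * 130),      # legitimate, but query >= 127 chars
    ("/download/cmd.exe.txt", ""),      # passes the group form
]

if __name__ == "__main__":
    for uri, query in SAMPLES:
        print(f"{uri!r:32} -> {blocked_by(uri, query) or 'pass'}")
    print("class form blocks cmd.exe.txt:",
          bool(re.search(CLASS_FORM, "/download/cmd.exe.txt?", re.I)))
```

The two legitimate samples that get blocked show where the dot-segment and length limits need exceptions for a given site.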

