I've cobbled together some stuff for Apache that helps a good bit:
Using mod_rewrite, you can at least prevent stuff from getting to CF.
It still hits the webserver, but hey, better there than all the way to
your appserver!
Here's a modded version of some rewrites I found for IIS (MS people
can find it on Google, I didn't save the link, sorry!):

# mod_rewrite must be switched on in each virtual host that includes this file
RewriteEngine On
# URL-path checks ([NC] = case-insensitive match)
RewriteRule .*NVARCHAR.* /security-violation.htm [NC]
RewriteRule .*DECLARE.* /security-violation.htm [NC]
#RewriteRule .*INSERT.* /security-violation.htm [NC]
RewriteRule .*xp_.* /security-violation.htm [NC]
# Pattern below was replaced by the list archive's address masking; left disabled
#RewriteRule [EMAIL PROTECTED] /security-violation.htm [NC]
#RewriteRule .*';* /security-violation.htm [NC]
RewriteRule .*EXEC\(@.* /security-violation.htm [NC]
RewriteRule .*sp_password.* /security-violation.htm [NC]
#RewriteRule /security-violation.htm /security-violation.cfm [L]
# Query-string checks: each RewriteCond applies only to the RewriteRule after it
#RewriteCond %{QUERY_STRING} .*http:\/\/.* [NC]
# Disabled along with its RewriteCond; on its own this rule would rewrite every request
#RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*sp_password.* [NC]
RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*CAST\(.* [NC]
RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*EXEC\(@.* [NC]
RewriteRule .* /security-violation.htm
RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
RewriteRule .* /security-violation.htm
# Hand anything flagged above to the CF page that does the tracking
RewriteRule /security-violation.htm /security-violation.cfm [P,L]

It basically redirects them all to a CF file called
/security-violation.cfm, for tracking/auditing whatnots, if you so
choose.
You can also change the last line to this:
RewriteRule /security-violation.htm /security-violation.cfm [F]
or something similar (that was off the cuff) to have it respond with
"forbidden" instead.
You can slap that all in one file (security.rewrites.conf or
something) and then Include it in your virtual hosts, or wherever.
The strings are just Perl-flavored regular expressions, it's easy to
add/remove stuff if it's too hard or too loose.
Dunno if it will help others, but it's sure helped us out, so here it is.
HIH!
--
By all means, marry. If you get a good wife, you'll become happy; if
you get a bad one, you'll become a philosopher.
Socrates
On Thu, Aug 7, 2008 at 7:56 AM, Kris Jones wrote:
> I'd like to know how I can stop the requests from ever hitting the web-server.
>
> Can anyone point me at a resource for a firewall solution? I've seen
> some isapi filter solutions, but they all seem to just clean the
> querystring and then forward the request on -- so it's still hitting
> CF. I'd really like to stop it before we get to the web-server at all
> (let alone the CF application server).
>
> Cheers,
> Kris
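
To check whether the patterns above are too tight or too loose before including them in a virtual host, this added example (not part of the original message) replays sample URLs against the active patterns from the post. The sample URLs and the function names are constructed for illustration, and the paths are assumed to contain no percent-encoding.

```python
import re
from urllib.parse import urlsplit

# Active (uncommented) patterns from the post; [NC] maps to re.IGNORECASE.
# RewriteRule patterns see the URL path, RewriteCond %{QUERY_STRING} the query.
PATH_PATTERNS = [r".*NVARCHAR.*", r".*DECLARE.*", r".*xp_.*",
                 r".*EXEC\(@.*", r".*sp_password.*"]
QUERY_PATTERNS = [r".*sp_password.*", r".*CAST\(.*", r".*EXEC\(@.*",
                  r".*DECLARE.*"]

# Constructed sample requests (not from the post): (URL, should it be blocked?)
SAMPLES = [
    ("/products/list.cfm?id=42", False),
    ("/login.cfm?user=bob", False),
    ("/products/list.cfm?id=42;declare%20@s", True),
    ("/tax/declare-income.cfm", False),
    ("/search.cfm?q=how+to+declare+a+variable", False),
    ("/download/winxp_drivers.htm", False),
]


def first_match(patterns, text):
    """Return the first pattern that matches text, or None."""
    for pattern in patterns:
        if re.search(pattern, text, re.IGNORECASE):
            return pattern
    return None


def evaluate(url):
    """Return (blocked, part, pattern) the way the rule set would decide."""
    parts = urlsplit(url)
    for part, patterns, text in (("path", PATH_PATTERNS, parts.path),
                                 ("query", QUERY_PATTERNS, parts.query)):
        hit = first_match(patterns, text)
        if hit:
            return True, part, hit
    return False, None, None


def audit(samples):
    """Split mismatches into false positives and false negatives."""
    false_pos = [u for u, bad in samples if evaluate(u)[0] and not bad]
    false_neg = [u for u, bad in samples if bad and not evaluate(u)[0]]
    return false_pos, false_neg


if __name__ == "__main__":
    fp, fn = audit(SAMPLES)
    print("blocked but legitimate:", fp)
    print("allowed but should be blocked:", fn)
```

Each URL reported as blocked but legitimate names a page that the rule set would send to /security-violation.htm, which is the signal to narrow that pattern before deploying.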
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310462