Be careful with URLScan if you are using Cold Fusion application server
-- the way the current version replaces the Server header wreaks havoc
with CFM pages. In fact, removing the header is the way to go when using
URLScan, since if you try replacing the header it moves to the bottom of
the header order -- which pretty much gives away that you are running
URLScan on IIS.

Best,
Chris

:::::::::::::::::::::::::::::::::::::::::::::
Chris Neppes 
Port80 Software, Inc. 
www.port80software.com 
5252 Balboa Ave., Ste. 605 
San Diego, CA 92117 
858.268.7960 voice
619.606.2860 cell 
858.268.7760 fax 


-----Original Message-----
From: Fritts,Jordan [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 19, 2002 3:19 PM
To: IIS50 Discussions
Subject: RE: Filtering DDOS, Scans and Hacks

I just set up URLscan 20 minutes after I heard about it.

Currently our individual dept. isn't using a firewall, but our greater
University is. I do port blocking and such, but I wanted a precursor to
the request hitting my logs. From the research I've done today, URLscan
is quite the tool.

thanks, j

-----Original Message-----
From: Paul Calvano [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 5:06 PM
To: IIS50 Discussions
Subject: Re: Filtering DDOS, Scans and Hacks


Have you looked into URLScan?  URLScan is an ISAPI filter available from
Microsoft that does just what you are asking.  It prevents traffic from a
criteria that you can set from accessing your website.  Additionally, it
logs all rejected requests to its own logfile, so you can routinely make
sure that you are not blocking legitimate requests.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp

What kind of firewall are you using?  Some firewalls are customizable
for blocking traffic based on HTTP requests.

Hope this helps.
Paul


11/18/2002 6:59:15 PM, "Fritts,Jordan" <[EMAIL PROTECTED]>
wrote:

>I'm finally sick of it - logs full of requests used to, well, hack my
>system, searching for directories and permissions that I've long locked
>down and patched.
>
>**** Example Requests *****
>/cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe, /c+dir+c:\,
>/winnt/system32/cmd.exe, /c+dir+c:\,
>/d/winnt/system32/cmd.exe, /c+dir+c:\,
>/iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+dir+c:\,
>*****
>
>Anyway, as I was preparing to run a WebTrends, I was scanning the logs
>for a new site we put up and all it is are these types of requests.
>Essentially, we'll always probably have to deal with these things as
>there are too many machines out there that are infected with
>administrators that don't know/don't care/don't know what to do about it.
>
>Anyway (again) I'm looking for ways to stop these requests before they
>ever hit my logs. I'd like to stop them at the firewall, but that hasn't
>happened yet. Because I need to stop them at the IIS Server, I'm thinking
>the only way to do this is to install an ISAPI filter that will just
>ignore these requests.
>
>Does anyone out there have a filter like this, or another method, that
>keeps my logs a little cleaner?
>
>tia, j
>
>
>---
>You are currently subscribed to iis50 as: [EMAIL PROTECTED]
>To unsubscribe send a blank email to %%email.unsub%%
>
>---------
>Administrated by 15 Seconds : http://www.15Seconds.com
>List Archives/Search : http://local.15Seconds.com/search
>Subscription Information : http://www.15seconds.com/listserv.htm
>Advertising Information: http://www.internet.com/mediakit/
>
>
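
Added example, not part of the thread and not URLScan's own code: a small Python sketch of the kind of URL check discussed above, run over the request paths quoted in the original post. The deny lists, the function names and the two constructed sample requests are assumptions made for this illustration; the reject list stands in for the separate logfile Paul mentions, which is where a blocked legitimate request would show up.

```python
from urllib.parse import unquote

# Illustrative rule sets (assumed for this example, not a shipped urlscan.ini).
DENY_SEQUENCES = ("..", "./", "\\", ":")
DENY_EXTENSIONS = (".exe", ".bat", ".cmd", ".com")

# (path, query) pairs: the first four are quoted in the thread,
# the last two are constructed for this example.
SAMPLE_REQUESTS = [
    ("/cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe", "/c+dir+c:\\"),
    ("/winnt/system32/cmd.exe", "/c+dir+c:\\"),
    ("/d/winnt/system32/cmd.exe", "/c+dir+c:\\"),
    ("/iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe", "/c+dir+c:\\"),
    ("/index.cfm", ""),           # constructed: ordinary page request
    ("/download/setup.exe", ""),  # constructed: legitimate download the rules block
]


def check_request(path):
    """Return (allowed, reason) for one request path."""
    # Decode percent-escapes first so %5c and %2f are seen as \ and /.
    decoded = unquote(path).lower()
    for seq in DENY_SEQUENCES:
        if seq in decoded:
            return False, f"denied sequence {seq!r}"
    # Extension of the last path segment, if it has one.
    last_segment = decoded.rsplit("/", 1)[-1]
    dot = last_segment.rfind(".")
    if dot != -1 and last_segment[dot:] in DENY_EXTENSIONS:
        return False, f"denied extension {last_segment[dot:]!r}"
    return True, "ok"


def filter_log(requests):
    """Split requests into accepted and rejected; only the path is checked."""
    accepted, rejected = [], []
    for path, _query in requests:
        allowed, reason = check_request(path)
        (accepted if allowed else rejected).append((path, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, blocked = filter_log(SAMPLE_REQUESTS)
    for path, reason in blocked:
        print(f"REJECTED {path}  ({reason})")
    print(f"{len(ok)} accepted, {len(blocked)} rejected")
```

The last sample is rejected by the same extension rule that stops the cmd.exe probes, which is the case the reject log is there to catch.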



