Re: [gentoo-user] Apache security tips
On 159600160 "Michael Stewart (vericgar)" <[EMAIL PROTECTED]> wrote:
> You may want to look into mod_security for apache as well. IIRC it is
> designed to protect from such attacks.

Thanks for the tip. I will give mod_security a try.

Jim

--
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Apache security tips
On 159610784 Willie Wong <[EMAIL PROTECTED]> wrote:
> On Fri, Mar 10, 2006 at 08:59:09PM -0500, Penguin Lover Jim squawked:
>> I was wondering if anyone has some easy to do tips for checking the
>> security of Apache. I am running Apache/2.0.55. Is apache good with
>> handling bad URLs? I remember with an IIS server I used to have I
>> needed to install a url filter to help it out. I noticed that I get
>> requests like the following in my apache log:
>>
>> 70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
>> /\x90\xc9\xc9\xc9\xc9\xc9\
>>
>> The above is one line and it is 30,000 characters long in the log file.
>>
>
> Near the end of that line should be the HTTP return code Apache gave
> for that request. What is it?
>
> On my box it always returns 414 (Request-URI too long), so I doubt it
> would be a problem, beyond a major annoyance when going through the
> logs with 'less'.
>
> A URI string like that is almost certainly a client trying to exploit
> a buffer overflow. I've never seen it being a problem with my
> (limited) experience running apache.
>
> HTH,
>
> W

I have not seen it be a problem either, Apache returned the same code for me. I noticed it because I get "errors" from webalizer like:

Error: Skipping oversized log record

It is not a big deal. I just wanted to make sure I have apache locked down OK. The long entries look like someone trying to hack into IIS with requests for exe files.

Thanks for the info,
Jim

--
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Apache security tips
Willie Wong wrote:
> On Fri, Mar 10, 2006 at 08:59:09PM -0500, Penguin Lover Jim squawked:
>
>> I was wondering if anyone has some easy to do tips for checking the
>> security of Apache. I am running Apache/2.0.55. Is apache good with
>> handling bad URLs? I remember with an IIS server I used to have I
>> needed to install a url filter to help it out. I noticed that I get
>> requests like the following in my apache log:
>>
>> 70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
>> /\x90\xc9\xc9\xc9\xc9\xc9\
>>
>> The above is one line and it is 30,000 characters long in the log file.
>>

You may want to look into mod_security for apache as well. IIRC it is designed to protect from such attacks.

--
Michael Stewart [EMAIL PROTECTED]
Gentoo Developer http://dev.gentoo.org/~vericgar
GnuPG Key ID 0x08614788 available on http://pgp.mit.edu
--

Re: [gentoo-user] Apache security tips
On Fri, Mar 10, 2006 at 08:59:09PM -0500, Penguin Lover Jim squawked:
> I was wondering if anyone has some easy to do tips for checking the
> security of Apache. I am running Apache/2.0.55. Is apache good with
> handling bad URLs? I remember with an IIS server I used to have I
> needed to install a url filter to help it out. I noticed that I get
> requests like the following in my apache log:
>
> 70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
> /\x90\xc9\xc9\xc9\xc9\xc9\
>
> The above is one line and it is 30,000 characters long in the log file.
>

Near the end of that line should be the HTTP return code Apache gave for that request. What is it?

On my box it always returns 414 (Request-URI too long), so I doubt it would be a problem, beyond a major annoyance when going through the logs with 'less'.

A URI string like that is almost certainly a client trying to exploit a buffer overflow. I've never seen it being a problem with my (limited) experience running apache.

HTH,

W
--
You're not paranoid. The world _IS_ fucked.
Sortir en Pantoufles: up 118 days, 21:18
--
gentoo-user@gentoo.org mailing list

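The check suggested in the message above (read the status code near the end of each oversized log line) can be scripted instead of paging through the log with 'less'. This is an added example, not part of the thread; the 4096-character threshold, the function names and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Start of a common/combined log record: client, timestamp, request method.
HEAD = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S*)')
# End of the record: closing quote, status, bytes, optional referer and agent.
# Matching from the end avoids parsing the huge escaped request itself.
TAIL = re.compile(r'" (\d{3}) (?:\d+|-)(?: "[^"]*" "[^"]*")?\s*$')

def triage(lines, max_len=4096):
    """Return (findings, status_counts) for records longer than max_len."""
    findings, counts = [], Counter()
    for number, line in enumerate(lines, 1):
        if len(line) <= max_len:
            continue
        head, tail = HEAD.match(line), TAIL.search(line)
        status = int(tail.group(1)) if tail else None  # None: truncated record
        counts[status] += 1
        findings.append({
            "line": number,
            "client": head.group(1) if head else None,
            "method": head.group(3) if head else None,
            "length": len(line),
            "status": status,
        })
    return findings, counts

def needs_review(findings):
    """Oversized requests that were not answered with 414."""
    return [f for f in findings if f["status"] != 414]

# Constructed sample records (documentation addresses, not real traffic).
STAMP = "[07/Mar/2006:21:31:05 -0500]"
SAMPLE = [
    f'192.0.2.7 - - {STAMP} "GET /index.html HTTP/1.1" 200 1043',
    f'192.0.2.10 - - {STAMP} "SEARCH /\\x90' + "\\xc9" * 7500 + '" 414 339',
    f'192.0.2.22 - - {STAMP} "GET /app?q=' + "A" * 5000 + ' HTTP/1.1" 200 512',
    f'192.0.2.10 - - {STAMP} "SEARCH /' + "\\xc9" * 2000,
]

if __name__ == "__main__":
    found, by_status = triage(SAMPLE)
    for f in found:
        print(f)
    print("status counts:", dict(by_status))
    print("review lines:", [f["line"] for f in needs_review(found)])
```

Records that come back from needs_review are the ones worth opening by hand: an oversized request that got a 200, or a record cut off before its status field.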
[gentoo-user] Apache security tips
Hey group,

I was wondering if anyone has some easy to do tips for checking the security of Apache. I am running Apache/2.0.55. Is apache good with handling bad URLs? I remember with an IIS server I used to have I needed to install a url filter to help it out. I noticed that I get requests like the following in my apache log:

70.121.133.60 - - [07/Mar/2006:21:31:05 -0500] "SEARCH
/\x90\xc9\xc9\xc9\xc9\xc9\

The above is one line and it is 30,000 characters long in the log file.

Thanks for any tips,
Jim

--
gentoo-user@gentoo.org mailing list