| alt.apache.configuration Apache web server configuration issues. |
#1 |
Hi

Everybody knows Morfeus Fucking Scanner I think.
I want to block it from my server.

I'm with dyndns.
Apache 2.0.55 under Linux

RewriteCond %{HTTP_USER_AGENT} ^Morfeus.*
RewriteRule ^/.+ - [F]

Is this rule used at the docroot level enough to kick it out without causing any access problem for the rest of the world ?

Or should I insert it into /etc/apache2.conf ?

Thanks
#2 |
Bill wrote:
> Hi
>
> Everybody knows Morfeus Fucking Scanner I think.
> I want to block it from my server.
>
> I'm with dyndns.
> Apache 2.0.55 under Linux
>
> RewriteCond %{HTTP_USER_AGENT} ^Morfeus.*
> RewriteRule ^/.+ - [F]
>
> Is this rule used at the docroot level enough to kick it out without
> causing any access problem for the rest of the world ?
>
> Or should I insert it into /etc/apache2.conf ?
>
>
> Thanks
>

holy moly, i've been also a victim of these scans!!! anybody can with the rule set above to block this booger altogether?

--
lark -- hamzee@sbcdeglobalspam.net
To reply to me directly, delete "despam".
#3 |
lark wrote:
> Bill wrote:
>> Hi
>>
>> Everybody knows Morfeus Fucking Scanner I think.
>> I want to block it from my server.
>>
>> I'm with dyndns.
>> Apache 2.0.55 under Linux
>>
>> RewriteCond %{HTTP_USER_AGENT} ^Morfeus.*
>> RewriteRule ^/.+ - [F]
>>
>> Is this rule used at the docroot level enough to kick it out without
>> causing any access problem for the rest of the world ?
>>
>> Or should I insert it into /etc/apache2.conf ?
>>
>>
>> Thanks
>>
>
> holy moly, i've been also a victim of these scans!!! anybody can
> with the rule set above to block this booger altogether?
>
>

also, i found this out on the blog.evologiq.com's

RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]

one of these or a combination of them should work out, ey?

--
lark -- hamzee@sbcdeglobalspam.net
To reply to me directly, delete "despam".
#4 |
On May 7, 8:20 pm, lark <ham...@sbcdeglobalspam.net> wrote:
> lark wrote:
> > Bill wrote:
> >> Hi
>
> >> Everybody knows Morfeus Fucking Scanner I think.
> >> I want to block it from my server.
>
> >> I'm with dyndns.
> >> Apache 2.0.55 under Linux
>
> >> RewriteCond %{HTTP_USER_AGENT} ^Morfeus.*
> >> RewriteRule ^/.+ - [F]
>
> >> Is this rule used at the docroot level enough to kick it out without
> >> causing any access problem for the rest of the world ?
>
> >> Or should I insert it into /etc/apache2.conf ?
>
> >> Thanks
>
> > holy moly, i've been also a victim of these scans!!! anybody can
> > with the rule set above to block this booger altogether?
>
> also, i found this out on the blog.evologiq.com's
>
> RewriteCond %{HTTP_USER_AGENT} ^Morfeus
> RewriteRule ^.*$ - [F]
>
> one of these or a combination of them should work out, ey?
>
> --
> lark -- ham...@sbcdeglobalspam.net
> To reply to me directly, delete "despam".

well, they work for those scanners setting the user agent string.
One tweak and they're right back at yer, a firewall should really be doing the work as if Apache is having to block these guys the connections are still being made. (and as I say one tweak of the UA and the scanner is doing its work again)
On large sites this is par for the course, I wouldn't worry about it, just get your security right, and rely on security the old fashioned way, patching, decent coding, and ACL's, rather than optional UA stuff.
#5 |
shimmyshack wrote:
> On May 7, 8:20 pm, lark <ham...@sbcdeglobalspam.net> wrote:
>> lark wrote:
>>> Bill wrote:
>>>> Hi
>>>> Everybody knows Morfeus Fucking Scanner I think.
>>>> I want to block it from my server.
>>>> I'm with dyndns.
>>>> Apache 2.0.55 under Linux
>>>> RewriteCond %{HTTP_USER_AGENT} ^Morfeus.*
>>>> RewriteRule ^/.+ - [F]
>>>> Is this rule used at the docroot level enough to kick it out without
>>>> causing any access problem for the rest of the world ?
>>>> Or should I insert it into /etc/apache2.conf ?
>>>> Thanks
>>> holy moly, i've been also a victim of these scans!!! anybody can
>>> with the rule set above to block this booger altogether?
>> also, i found this out on the blog.evologiq.com's
>>
>> RewriteCond %{HTTP_USER_AGENT} ^Morfeus
>> RewriteRule ^.*$ - [F]
>>
>> one of these or a combination of them should work out, ey?
>>
>> --
>> lark -- ham...@sbcdeglobalspam.net
>> To reply to me directly, delete "despam".
>
> well, they work for those scanner setting the user agent string.
> One tweak and they're right back at yer, a firewall should really be
> doing the work as if Apache is having to block these guys the
> connections are still being made. (and as I say one tweak of the UA
> and the scanner is doing its work again)
> On large sites this is par for the course, I wouldn't worry about it,
> just get your security right, and rely on security the old fashioned
> way, patching, decent coding, and ACL's, rather than optional UA stuff.
>

do you mean to include the ip of the scanner in the firewall list of denied ips?

--
lark -- hamzee@sbcdeglobalspam.net
To reply to me directly, delete "despam".
#6 |
On May 7, 8:49 pm, lark <ham...@sbcdeglobalspam.net> wrote:
> shimmyshack wrote:
> > On May 7, 8:20 pm, lark <ham...@sbcdeglobalspam.net> wrote:
> >> lark wrote:
> >>> Bill wrote:
> >>>> Hi
> >>>> Everybody knows Morfeus Fucking Scanner I think.
> >>>> I want to block it from my server.
> >>>> I'm with dyndns.
> >>>> Apache 2.0.55 under Linux
> >>>> RewriteCond %{HTTP_USER_AGENT} ^Morfeus.*
> >>>> RewriteRule ^/.+ - [F]
> >>>> Is this rule used at the docroot level enough to kick it out without
> >>>> causing any access problem for the rest of the world ?
> >>>> Or should I insert it into /etc/apache2.conf ?
> >>>> Thanks
> >>> holy moly, i've been also a victim of these scans!!! anybody can
> >>> with the rule set above to block this booger altogether?
> >> also, i found this out on the blog.evologiq.com's
>
> >> RewriteCond %{HTTP_USER_AGENT} ^Morfeus
> >> RewriteRule ^.*$ - [F]
>
> >> one of these or a combination of them should work out, ey?
>
> >> --
> >> lark -- ham...@sbcdeglobalspam.net
> >> To reply to me directly, delete "despam".
>
> > well, they work for those scanner setting the user agent string.
> > One tweak and they're right back at yer, a firewall should really be
> > doing the work as if Apache is having to block these guys the
> > connections are still being made. (and as I say one tweak of the UA
> > and the scanner is doing its work again)
> > On large sites this is par for the course, I wouldn't worry about it,
> > just get your security right, and rely on security the old fashioned
> > way, patching, decent coding, and ACL's, rather than optional UA stuff.
>
> do you mean to include the ip of the scanner in the firewall list of
> denied ips?
>
> --
> lark -- ham...@sbcdeglobalspam.net
> To reply to me directly, delete "despam".

using mod_security you could do that sure, once it had made one request you could ban it straight away.
but I was thinking more along the lines of an external firewall with rules for this kind of scanner, once its signature is detected no further requests are honoured, or a second honeypot is used. But as I said, if you are a large site, you are a large target, just make sure you audit your code for secure practice, and code properly, and patch your server and so on...
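
An added example, not part of any post in this thread: the user-agent rule from the question, written for the two places it asks about (the main server configuration and a per-directory .htaccess at the docroot). The bare `^` pattern and the `RewriteOptions inherit` remark are additions here, not the posters' code; the `Morfeus` prefix is taken from the thread.

```apache
# Added example. mod_rewrite matches the RewriteRule pattern against a
# different string depending on where the rule is placed.

# 1) Server or <VirtualHost> context (main configuration file)
#    The pattern is matched against the full URL-path, which begins with "/".
#    "^/.+" needs at least one character after the slash, so a request for
#    "/" itself is not refused. "^" (or "^.*$") matches every request.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^ - [F]

#    Rules set in the main server context are not inherited by virtual
#    hosts by default. Repeat them inside each <VirtualHost>, or put
#    "RewriteOptions inherit" (with "RewriteEngine On") in the virtual host.

# 2) Per-directory context (.htaccess in the document root)
#    Needs "AllowOverride FileInfo" and "Options FollowSymLinks" for that
#    directory. The directory prefix is stripped before matching, so the
#    string never begins with "/" and a pattern such as "^/.+" matches
#    nothing. "^" (or "^.*$") still matches every request.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^ - [F]

# In both contexts "-" means "no substitution" and [F] answers 403 Forbidden.
# Clients whose User-Agent does not start with "Morfeus" never satisfy the
# RewriteCond, so the rule does not affect them.
```

A refused request is still written to the access log with status 403, so the source addresses of these requests stay visible for firewall rules of the kind discussed in the last two posts.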