Quick question for you all - fairly frequently in my httpd logs I see things like this:
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /roundcube//bin/msgimport HTTP/1.1" 404 417 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /rc//bin/msgimport HTTP/1.1" 404 413 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET /mss2//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail//bin/msgimport HTTP/1.1" 404 415 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /mail2//bin/msgimport HTTP/1.1" 404 416 "-" "Toata dragostea mea pentru diavola"
66.11.122.194 - - [29/Jan/2010:11:06:45 +0000] "GET /roundcubemail//bin/msgimport HTTP/1.1" 404 420 "-" "Toata dragostea mea pentru diavola"
...
You get the idea, a vulnerability scanning script. As I don't install my web apps to standard or even remotely named installs I nearly always return 404s, but it is still irritating to watch. So my question is, is there a way to detect/mitigate such attacks, perhaps using mod_rewrite and known blocklists etc? Or is this something web server admins simply have to put up with?
Thanks.
You can use mod_security or other web application firewalls (WAF). This way the requests still hit your web server, but mod_security will filter out the requests which are marked as suspicious.
There are different possibilities to set up a WAF:
The best solution depends much on your setup, so there is no general answer. But the docs should help you to decide what solution to take.
One more point to consider:
A WAF adds some more complexity to your system, so be sure whether you want to use it or not.
There's always Fail2Ban; set it to watch Apache's log and ban after ten 404s within a minute or something like that.
Short answer - You can't. From the point of view of a web server that script is just another browser, albeit a misbehaving one. The best you can do is have the firewall detect and block such scans. The details will of course depend on which firewall you use.
As John said, you really can't.
You can try to block some bad requests with mod_rewrite, but there is not much else. For example we block all requests that have [sysobject] in the query string (we do not use MSSQL, but there are a lot of them and they can slow the site down). And if you use mod_rewrite, make sure not to block legitimate requests.
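The two mitigations suggested in the answers above, a Fail2Ban-style ban after N 404s within a minute and a mod_rewrite rule denying requests with a known-bad query string, both boil down to decisions made over lines in the combined log format quoted in the question. The script below is an added example and not code from the question, from any answer, from Fail2Ban or from Apache: it parses such lines, applies both checks, and runs against a constructed sample log (documentation addresses 192.0.2.x, made-up paths and user agent). The threshold of ten 404s in sixty seconds is the figure from the Fail2Ban answer; the blocklist pattern `sysobject` mirrors the last answer's rule and is a hypothetical single-entry list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, the layout of the lines quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, threshold=10, window=timedelta(seconds=60)):
    """Return the set of client IPs that produced `threshold` or more 404s inside any
    span of length `window`. Same idea as a Fail2Ban jail with maxretry=threshold and
    findtime=window. Lines are assumed to be in time order per client, as in a log file."""
    recent = defaultdict(deque)  # ip -> timestamps of that client's recent 404s
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:  # drop 404s that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(rec["ip"])
    return flagged


# Hypothetical blocklist: the "sysobject" query-string rule from the last answer.
# Every entry here is a chance for a false positive, so keep it short and specific.
BLOCKED_QUERY = re.compile(r"sysobject", re.IGNORECASE)


def query_string(request):
    """Return the query string of a request line such as 'GET /a?b=1 HTTP/1.1'."""
    parts = request.split(" ")
    if len(parts) < 2:
        return ""  # malformed request line, e.g. the 400 in the question's first log line
    return parts[1].partition("?")[2]


def matches_blocklist(line):
    """True if the request's query string hits BLOCKED_QUERY (what the RewriteRule would deny)."""
    rec = parse_line(line)
    return rec is not None and BLOCKED_QUERY.search(query_string(rec["request"])) is not None


def sample_log():
    """Constructed sample modelled on the question's lines; not real traffic.
    192.0.2.10 walks twelve webmail paths in twelve seconds (a scanner),
    192.0.2.20 gets two 404s a minute apart (a typo, not a scan),
    192.0.2.30 sends a query string containing 'sysobjects'."""
    fmt = '{ip} - - [{ts}] "{req}" {status} 417 "-" "example-agent"'
    t0 = datetime(2010, 1, 29, 11, 6, 44, tzinfo=timezone.utc)

    def ts(sec):
        return (t0 + timedelta(seconds=sec)).strftime(TS_FMT)

    lines = [fmt.format(ip="192.0.2.10", ts=ts(0), req="GET HTTP/1.1 HTTP/1.1", status=400)]
    paths = ["roundcube", "rc", "mss2", "mail", "mail2", "roundcubemail",
             "webmail", "rcube", "email", "wm", "mailer", "mail3"]
    for i, p in enumerate(paths):
        lines.append(fmt.format(ip="192.0.2.10", ts=ts(i),
                                req=f"GET /{p}//bin/msgimport HTTP/1.1", status=404))
    lines.append(fmt.format(ip="192.0.2.20", ts=ts(12), req="GET /blog/2010/01/29/ HTTP/1.1", status=404))
    lines.append(fmt.format(ip="192.0.2.20", ts=ts(72), req="GET /blog/2010/01/28/ HTTP/1.1", status=404))
    lines.append(fmt.format(ip="192.0.2.30", ts=ts(80), req="GET /search.asp?q=sysobjects HTTP/1.1", status=200))
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("ban candidates:", sorted(find_scanners(log)))
    print("blocklist hits:", [l for l in log if matches_blocklist(l)])
```

Running it flags only 192.0.2.10 as a ban candidate (the two scattered 404s from 192.0.2.20 never reach ten in a window) and reports the single 192.0.2.30 line as a blocklist hit. The per-client sliding window is what keeps the 404 rule from catching an ordinary visitor who mistypes a URL, which is the same caveat the last answer raises for mod_rewrite: tune the threshold and the pattern against your own logs before turning either into a ban or a deny.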