
List:       mod-security-users
Subject:    [mod-security-users] Re: Using Dshield Data to Block Well-Known Web Attackers
From:       "Ryan Barnett" <rcbarnett () gmail ! com>
Date:       2006-04-19 20:08:05
Message-ID: cba0286a0604191308p6b9d2ec5sc0b606af17c96935 () mail ! gmail ! com

Oops, I had to update the subject line - it is attackers and not attacks.

-Ryan

On 4/19/06, Ryan Barnett <rcbarnett@gmail.com> wrote:
>
>  For those of you who are interested in creating ACLs (with Apache or
> Mod_Security) to block access from well-known web attackers,  I thought I
> would present this small section of info from my book - Preventing Web
> Attacks with Apache (
> http://www.amazon.com/gp/product/0321321286/ref=sr_11_1/104-3385017-8973538?%5Fencoding=UTF8
> )
>
> This is a complementary method to those presented by the GotRoot blacklist
> data.  The data below shows how to use the Apache Deny directive; however,
> similar Mod_Security rules could be created to block access from these
> hosts.
>
> I hope this is useful.
>
> *Blocking Well-Known Offenders*
>
> Utilization of IP based block lists has been commonplace for years in
> combating email abusers. There are many community project sites that make
> block lists available to the public so that they can download them and then
> implement access control lists to deny access attempts from these IP
> addresses/network blocks to their SMTP servers. The use of the data in these
> lists is effective; however, they need to be constantly updated as the SPAMMERS
> leverage new IP addresses.
>
>
>
> The Dshield.org web site (www.dshield.org) tracks Internet traffic and calls
> itself a distributed intrusion detection system. Dshield gathers its
> information by allowing anyone to submit their firewall and intrusion
> detection logs. There are client programs for the various security
> applications that will convert the logs into the correct Dshield format and
> forward them on to the web site. One of the resources available from Dshield
> is their own block list of the top twenty network blocks that have exhibited
> suspicious scanning activity - http://feeds.dshield.org/block.txt. While this
> data does illustrate the fact that these network blocks are conducting
> suspicious network connections, it does not provide the type of fidelity
> required to accurately categorize their activities. Are they SPAMMERS or
> brute forcing password protected sites? We just don't know.
>
>
>
> It was this issue that prompted me to contact Johannes Ullrich of Dshield
> and the SANS Internet Storm Center. I asked him if it would be possible to
> generate a list of only HTTP/Port 80 attackers. At first, he was a bit
> skeptical of the true value of this information as web attackers are
> constantly changing their IP addresses as they compromise more systems or
> loop through proxies. I agreed that any sort of port 80 block list would
> have to be dynamic and the hosts identified would only be valid for a short
> period of time; however, I still believed there was value in this list. I
> expressed to Johannes that I was looking for a list of web attackers that
> I could import daily into my Apache server and then create deny rules for
> these hosts. The real value of using the Dshield information is that they
> have a much larger view of the Internet than most other individual
> organizations would have. A Dshield block list would be based on
> information gathered from across the globe. Think of it as a cyber-based
> community watch program.
>
>
>
> It wasn't until I gave this analogy to Johannes that he finally agreed
> with me on this concept. I said to imagine that you were in charge of
> security at a bank. You had the option of posting up the FBI's Top Ten Most
> Wanted Criminal posters or the FBI's Top Ten Most Wanted Bank Robbers. Which
> one would you choose? Most people would choose the latter as the bank robbers
> present the greater threat to the bank. With regards to web security, a
> block list of port 80 attackers would be more relevant than a block list of
> generic Internet hooligans. After this exchange, Johannes went ahead and
> created a PHP web page that would extract the information I desired.
> Here is the URL - www.dshield.org/topportsource.php?port=80&num=20. You
> can change the port number if you are interested in services other than HTTP,
> and you can also change the number of records returned. In the link above, I
> am querying for the top twenty port 80 attackers. Here is an example report
> returned by the link.
>
>
>
> # Port 80 top 20 records ordered by number of targets hit.
> #
> # compiled Fri, 20 May 2005 03:02:51 +0000
> #
> # columns:
> # Source IP <tab> Targets Hit <tab> Total Records
> #
> # enjoy.
> 218.083.155.079     71199     193929
> 206.123.216.023     65011     118102
> 148.245.122.012     64071     116805
> 064.080.123.138     7724     8262
> 064.080.123.122     4897     5102
> 061.222.211.118     3370     3370
> 219.140.162.215     2192     2192
> 221.230.192.152     1341     1729
> 084.244.002.104     1331     1331
> 062.002.157.178     759     5575
> 213.202.216.156     757     807
> 219.159.102.184     612     627
> 207.044.142.115     586     808
> 063.151.041.210     546     902
> 066.193.175.084     531     1554
> 065.078.035.101     508     1014
> 193.146.045.103     436     870
> 221.201.184.165     421     421
> 216.167.232.087     408     1222
> 217.160.188.180     314      530
>
>
>
> We are interested in the first column as that lists the specific client IP
> address of the web attacker. I created a quick shell script that will
> automatically download an updated list daily using wget and then convert
> that data into the appropriate Apache deny directive format. Here is an
> example of manually running the script called dshield_blocklist.sh.
>
>
>
> *# cat dshield_blocklist.sh *
>
> #!/bin/sh
> # Download into a fixed file name; without -O each run would save a new
> # "topportsource.php?port=80&num=20.N" copy and "cat topport*" would read all of them.
> LIST=/tmp/topport80.txt
> OUT=/usr/local/apache/conf/blocklist.txt
> /usr/bin/wget -q -O "$LIST" "http://www.dshield.org/topportsource.php?port=80&num=20" || exit 1
>
> # First column only, leading zeros stripped from every octet (084.244.002.104 -> 84.244.2.104).
> # Truncate once, then append; a ">" inside the loop would leave only the last address in the file.
> : > "$OUT"
> for f in `grep -v "#" "$LIST" | awk '{print $1}' | head -20 | sed -e 's/^0*\([0-9]\)/\1/' -e 's/\.0*\([0-9]\)/.\1/g'` ; do
>     echo "Deny from $f" >> "$OUT"
> done
> exit 0
>
> *# ./dshield_blocklist.sh*
> *# cat /usr/local/apache/conf/blocklist.txt*
> Deny from 218.83.155.79
> Deny from 206.123.216.23
> Deny from 148.245.122.12
> Deny from 64.80.123.138
> Deny from 64.80.123.122
> Deny from 61.222.211.118
> Deny from 219.140.162.215
> Deny from 221.230.192.152
> Deny from 84.244.02.104
> Deny from 62.2.157.178
> Deny from 213.202.216.156
> Deny from 219.159.102.184
> Deny from 207.44.142.115
> Deny from 63.151.41.210
> Deny from 66.193.175.84
> Deny from 65.78.35.101
> Deny from 193.146.45.103
> Deny from 221.201.184.165
> Deny from 216.167.232.87
> Deny from 217.160.188.180
>
>
>
> The script places the converted data into a file called blocklist.txt in
> the Apache conf directory. I then reference this file with an include
> statement in my DocumentRoot directory directive like this –
>
>
>
> <Directory "/usr/local/apache/htdocs">
>     Options -Indexes -Includes -FollowSymLinks -Multiviews
>     AllowOverride None
>     # Allow is evaluated first, then the Deny list, so the addresses in
>     # blocklist.txt are refused. With "Order deny,allow" the trailing
>     # "Allow from all" would be evaluated last and override every Deny,
>     # letting the listed hosts straight back in.
>     Order allow,deny
>     Allow from all
>     Include conf/blocklist.txt
>
>     <LimitExcept GET POST>
>         Order allow,deny
>         Deny from all
>     </LimitExcept>
> </Directory>
>
>
>
> This blocklist is reactivated every night at midnight when I conduct my
> normal log rotation and restart Apache. This technique proves extremely easy
> to implement and does provide protection from web clients who are up to no
> good.
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>



--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
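The conversion step of the script above, as an added example that is not part of the original post or the book: a POSIX shell version that normalizes each source address, checks that it is a well-formed dotted quad before it can become a directive (blocklist.txt is Include'd straight into httpd.conf, so anything else in the feed would otherwise land in the server configuration), and installs the new list only when every record validated. The sample report is constructed from the records shown above plus one deliberately malformed line; the script name dshield2deny.sh and the BLOCKLIST output path are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the original post: turn a Dshield
# topportsource report into Apache "Deny from" directives, accepting only
# well-formed dotted quads so nothing else from the feed can reach the
# Apache configuration that Include's the result.

# Strip leading zeros from every octet: 084.244.002.104 -> 84.244.2.104.
# Apache matches against the client's unpadded address, so the padded
# form used in the feed would never match a real client.
normalize_ip() {
    printf '%s\n' "$1" | sed -e 's/^0*\([0-9]\)/\1/' -e 's/\.0*\([0-9]\)/.\1/g'
}

# True only for exactly four numeric octets, each in 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Read report lines on stdin (header comments start with "#") and print
# one "Deny from" line per valid source address. Malformed records are
# logged on stderr and make the function return non-zero.
report_to_deny() {
    rejected=0
    while read -r src targets total; do
        case "$src" in ''|\#*) continue ;; esac
        ip=$(normalize_ip "$src")
        if valid_ip "$ip"; then
            echo "Deny from $ip"
        else
            rejected=$((rejected + 1))
            echo "skipping malformed source record: $src" >&2
        fi
    done
    [ "$rejected" -eq 0 ]
}

# Constructed sample in the feed's format (Source IP, Targets Hit, Total
# Records, tab separated); the last record is a deliberate bad line.
sample_report() {
    printf '%s\n' '# Port 80 top 20 records ordered by number of targets hit.' '#'
    printf '%s\t%s\t%s\n' 218.083.155.079 71199 193929
    printf '%s\t%s\t%s\n' 084.244.002.104 1331 1331
    printf '%s\t%s\t%s\n' 062.002.157.178 759 5575
    printf '%s\t%s\t%s\n' 300.001.002.003 12 12
}

# Usage:  wget -q -O - 'http://www.dshield.org/topportsource.php?port=80&num=20' \
#           | sh dshield2deny.sh --install
# The new list replaces the old one only if every record validated, so a
# truncated or corrupted download never empties or poisons the blocklist.
# "--demo" runs the conversion over the constructed sample instead.
if [ "${1-}" = "--install" ]; then
    out=${BLOCKLIST:-/usr/local/apache/conf/blocklist.txt}   # assumed path
    tmp=$(mktemp) || exit 1
    if report_to_deny > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        exit 1
    fi
elif [ "${1-}" = "--demo" ]; then
    sample_report | report_to_deny
fi
```

Run with --demo and the three good records come out as Deny lines while the 300.x record is reported on stderr and the exit status is non-zero; in --install mode that non-zero status is what keeps the previous blocklist.txt in place. The list still only applies to the <Directory> block that Include's it, so any Alias or ScriptAlias location outside htdocs needs the same Include.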



_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

