Helpful Apache Tip

Brian Russo brusso at phys.hawaii.edu
Sat Sep 29 02:51:12 PDT 2001


This will (perhaps only slightly) create more work for Apache, as
it's now matching on these. Besides, not everything in /scripts is
necessarily going to be NIMDA/Code Red/whatever;
same for /_vti_bin, which IIRC is used by FrontPage
(if your webhost is going to be 'FrontPage-compatible', or whatever).

Anyway, the difference likely won't be significant for most people
on here, but deserves mention.

NANOG had lots of discussion about strategies for dealing with this;
there's no ideal solution, though. Either you block them at the gate
or ignore them at your httpd; it just depends where you want the
work being done.

 - bri
 
On Thu, Sep 27, 2001 at 06:47:12PM -1000, Warren Togami wrote:
> Slashdot Poster http://slashdot.org/~rayvd/
> 
> If you run Apache and hate looking at the hundreds of annoying attacks by
> the Code Red and Nimda worms, try adding these to your httpd.conf:
> 
> # For Code Red
> SetEnvIf Request_URI "^/default.ida" attacks
> # For nimda
> SetEnvIf Request_URI "^/scripts" attacks
> # ... ditto all the way down
> SetEnvIf Request_URI "^/c/winnt" attacks
> SetEnvIf Request_URI "^/_mem_bin" attacks
> SetEnvIf Request_URI "^/_vti_bin" attacks
> SetEnvIf Request_URI "^/MSADC" attacks
> SetEnvIf Request_URI "^/msadc" attacks
> SetEnvIf Request_URI "^/d/winnt" attacks
> 
> CustomLog /var/log/access_log combined env=!attacks
> CustomLog /var/log/attack_log combined env=attacks
> 
> This will dump all the "attacks" into a file called attack_log and leave
> your normal logfile clutter free.

-- 
Unix Staff, High Energy Physics Group   <brusso at phys.hawaii.edu>
Debian/GNU Linux! http://www.debian.org <wolfie at debian.org>
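
An added example (not part of either message above, and not Apache code): a Python replay of the quoted SetEnvIf rules over constructed combined-format log lines. It reports which rules diverted requests that the server answered with a 2xx status, which is the legitimate /scripts and /_vti_bin traffic the reply warns about. Function names and sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# The Request_URI patterns from the quoted httpd.conf, in the same order.
RULES = [r"^/default.ida", r"^/scripts", r"^/c/winnt", r"^/_mem_bin",
         r"^/_vti_bin", r"^/MSADC", r"^/msadc", r"^/d/winnt"]
COMPILED = [(p, re.compile(p)) for p in RULES]

# Combined format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def matching_rule(uri):
    """Return the first pattern that would set 'attacks', or None."""
    path = uri.split("?", 1)[0]  # Request_URI excludes the query string
    for pattern, rx in COMPILED:
        if rx.search(path):
            return pattern
    return None

def split_log(lines):
    """Mimic the two CustomLog lines; count hits per (rule, status)."""
    access, attack, hits = [], [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        parts = m.group(1).split() if m else []
        rule = matching_rule(parts[1]) if len(parts) >= 2 else None
        if rule is None:
            access.append(line)
        else:
            attack.append(line)
            hits[(rule, m.group(2))] += 1
    return access, attack, hits

def served_but_diverted(hits):
    """Rules that diverted a 2xx response: real content, not a worm probe."""
    return sorted({rule for rule, status in hits if status.startswith("2")})

# Constructed sample lines (documentation addresses, invented sizes).
T = "[27/Sep/2001:18:40:01 -1000]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /default.ida?XXXX HTTP/1.0" 404 205 "-" "-"',
    f'192.0.2.11 - - {T} "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    f'198.51.100.7 - - {T} "GET /scripts/menu.js HTTP/1.1" 200 1834 "-" "Mozilla/4.0"',
    f'198.51.100.8 - - {T} "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 512 "-" "MSFrontPage/4.0"',
    f'198.51.100.9 - - {T} "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    access, attack, hits = split_log(SAMPLE)
    print(len(access), "kept;", len(attack), "diverted")
    print("rules hiding served content:", served_but_diverted(hits))
```

A rule that shows up in `served_but_diverted` is a candidate for a tighter pattern or for removal on a host that really serves content under that path.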


