
I'd like to block malformed requests like these:

79.26.188.208 - - [05/Apr/2011:13:47:38 +0200] "\xae\xe1\x0fi\xca\xeba\xdfm\x9d\xb5\xc0yr-n\x05Z\x9f\xa7\x05\xa1g" 200 4855 "-" "-"
82.51.130.83 - - [05/Apr/2011:18:25:38 +0200] "T\xd0\xc55\xc3A\xcd\xd0" 200 4855 "-" "-"

What is the preferred method?

Joril

2 Answers


mod_security is useful for blocking many of these requests.

It detects known exploit patterns and blocks them.

Mikel
  • @Mikel: I'm already using mod_security, but what should I filter for? Requests without GET/POST? – Joril Apr 07 '11 at 13:37
  • This is not necessarily a known exploit pattern. Some googling shows that these requests can come from legitimate sources. To see why Apache is printing these characters in the logfile, see http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#format-notes – Stefan Lasiewski Apr 07 '11 at 16:49
  • @Stefan Lasiewski: I see, but those requests are making my CMS (Silverstripe) throw tons of warnings, so I'd like to block them out :) – Joril Apr 13 '11 at 06:54
  • 1
    @Joril: Actually, we are using Silverstripe as well, and I haven't noticed that sort of request yet (We have a very effective IDS, and we get attacked constantly, so the IDS might be blocking the bad IPs after a few requests). Let me look and see if we are actually getting those requests. – Stefan Lasiewski Apr 13 '11 at 17:16
  • @Joril: It does seem that requests without a method (GET, POST, HEAD, etc.) are certainly malformed, and should probably be blocked. I wonder if those are coming from a bad client. I'm confused why Apache is logging those requests in access_log at all-- aren't those errors? – Stefan Lasiewski Apr 13 '11 at 17:17
  • @Stefan Lasiewski: well if I telnet into the server and issue some meaningless command such as `qwert` I get a 400 error.. Maybe the "exploiting" script does something stranger :/ – Joril Apr 13 '11 at 18:42
  • 1
    Anyway I added this rule: `SecRule REQUEST_METHOD "!^(?:GET|HEAD|OPTIONS|POST|CONNECT)$"` and it looks like it's working :) – Joril Apr 13 '11 at 18:47

Following Mikel's lead I added this mod_security rule

SecRule REQUEST_METHOD "!^(?:GET|HEAD|OPTIONS|POST|CONNECT)$"

and now only legitimate requests pass through.

Joril
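As an added example (not code from the question or either answer), the script below applies the same method allow-list as the SecRule above, but on the log side, so you can see which access_log lines the rule would have caught. It decodes the `\xhh` escapes that mod_log_config uses for non-printable bytes in the request line (the point raised in the comments), then checks whether the decoded request line has the shape `METHOD SP target [SP HTTP/x.y]` with a method from the allow-list. The first two sample lines are the ones from the question; the remaining lines, the 192.0.2.x addresses, and the function names (`unescape_logitem`, `classify_request`, `scan_log`) are my own constructions.

```python
import re
import string

# Sample Apache combined-format log. The first two lines are the malformed
# requests from the question; the rest are constructed for this example.
SAMPLE_LOG = r'''
79.26.188.208 - - [05/Apr/2011:13:47:38 +0200] "\xae\xe1\x0fi\xca\xeba\xdfm\x9d\xb5\xc0yr-n\x05Z\x9f\xa7\x05\xa1g" 200 4855 "-" "-"
82.51.130.83 - - [05/Apr/2011:18:25:38 +0200] "T\xd0\xc55\xc3A\xcd\xd0" 200 4855 "-" "-"
192.0.2.10 - - [05/Apr/2011:18:26:01 +0200] "GET /index.php HTTP/1.1" 200 4855 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Apr/2011:18:26:05 +0200] "POST /Security/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.12 - - [05/Apr/2011:18:26:09 +0200] "qwert" 400 226 "-" "-"
'''

# Combined log format. Quoted fields may contain \" and \\ produced by
# mod_log_config, so a quoted field is "(anything but quote/backslash | backslash + any char)*".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Same allow-list as the SecRule on this page.
ALLOWED_METHODS = {b'GET', b'HEAD', b'OPTIONS', b'POST', b'CONNECT'}

# Request-line shape: method, target, optional HTTP-version (absent for HTTP/0.9).
HTTP_REQUEST_LINE = re.compile(rb'^([A-Z]+) (\S+)(?: HTTP/\d\.\d)?$')

# Escapes mod_log_config emits besides \xhh.
_SIMPLE_ESCAPES = {'n': b'\n', 't': b'\t', 'r': b'\r', 'b': b'\b',
                   'v': b'\v', '\\': b'\\', '"': b'"'}


def unescape_logitem(field: str) -> bytes:
    """Reverse Apache's log escaping and return the original request bytes."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c == '\\' and i + 1 < len(field):
            nxt = field[i + 1]
            hexpair = field[i + 2:i + 4]
            if nxt == 'x' and len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
                out.append(int(hexpair, 16))
                i += 4
                continue
            if nxt in _SIMPLE_ESCAPES:
                out += _SIMPLE_ESCAPES[nxt]
                i += 2
                continue
        out += c.encode('latin-1')  # logged field is ASCII; high bytes arrive as \xhh
        i += 1
    return bytes(out)


def classify_request(raw: bytes) -> str:
    """'ok', 'disallowed-method', or 'malformed' (no parsable request line at all)."""
    m = HTTP_REQUEST_LINE.match(raw)
    if not m:
        return 'malformed'
    if m.group(1) not in ALLOWED_METHODS:
        return 'disallowed-method'
    return 'ok'


def scan_log(text: str):
    """Return (host, status, label, decoded request) for every line the rule would block.

    Classification is by request-line shape, not by status: the page's malformed
    lines were logged with 200, so filtering on status alone would miss them.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        raw = unescape_logitem(m.group('request'))
        label = classify_request(raw)
        if label != 'ok':
            hits.append((m.group('host'), int(m.group('status')), label, raw))
    return hits


if __name__ == '__main__':
    for host, status, label, raw in scan_log(SAMPLE_LOG):
        print(f'{host} {status} {label} {raw!r}')
```

Running it flags the two requests from the question and the constructed `qwert` line as `malformed`, and leaves the GET and POST lines alone. Note that the rule as posted carries no actions, so its disposition comes from `SecDefaultAction`, and ModSecurity 2.7 and later refuse to load a rule without an `id:` action; check your version before copying it verbatim.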