Dave Guest
|
Posted: Tue Jul 16, 2002 1:37 pm Post subject: Filtering out worm requests |
|
|
Hi,
I am running 1.0.3 on a Windows 98 box. Works wonderfully, thanks for all your efforts.
However my site (www.ltlfrari.com) gets several hundred hits by worm scanners every day, typically of the form GET......cmd.exe..... etc.
These get either a 404 or 400 response, however it would be nice if there were some way to filter these out on the way in so that they never even get to the server. For example (I am no expert) I think that Apache has a htforward file or some such thing that allows you to detect specific strings in the input request and forward the request elsewhere (be great to forward them to some spammer's site, kill two birds with one stone!)
Is there, or will there be in 1.1, any way to do that? I see that in 1.1 you can redirect based on the response code but I'd really like to prevent them from ever even getting logged. That would clear up my access log a lot as well.
I suspect that under 1.1 you could probably send a 400/404 response to a CGI script that detected the input parms and forwarded them somewhere else in the same way. Would such events still be logged?
Really I want to either send worms somewhere else, or if possible simply not even respond to them, let them wait and time out. That would slow them down if nothing else, while also avoiding cluttering up my access log with all their junk.
Thanks for your time
Dave E |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Wed Jul 17, 2002 1:01 am Post subject: Re: Filtering out worm requests |
|
|
We are aware of that problem and we will provide a radical solution to avoid logging worm requests in a future release.
Thank you for the suggestions. _________________ Support Team
Aprelium - http://www.aprelium.com |
|
genechan -
Joined: 28 May 2003 Posts: 25 Location: Burnaby, BC, Canada
|
Posted: Mon Jun 02, 2003 1:41 pm Post subject: Re: Filtering out worm requests |
|
|
aprelium wrote: | We are aware of that problem and we will provide a radical solution to avoid logging worm requests in a future release. |
I've just started running Abyss 1.1.5 (Windows XP, Kerio Personal Firewall), and I've noticed firewall log entries allowing some requests through to Abyss that don't show up in the Abyss access.log. Are those worm probes? _________________ Gene Chan genechan@vcn.bc.ca
Burnaby, BC, Canada gene_chan@telus.net
Little Mountain Brass Band http://lmbb.vabbs.org/
British Columbia Regiment Association Band http://www.geocities.com/BCRegtBand |
|
os17fan -
Joined: 21 Mar 2003 Posts: 531 Location: USA
|
Posted: Mon Jun 02, 2003 11:41 pm Post subject: |
|
|
This is a simple problem, delete the path to your access.log file in your Abyss web console and you won't even have to see your log file get full, aprelium is working on that issue now 8) _________________ This web server is the best! |
|
genechan -
Joined: 28 May 2003 Posts: 25 Location: Burnaby, BC, Canada
|
Posted: Tue Jun 03, 2003 12:43 am Post subject: |
|
|
os17fan wrote: | This is a simple problem, delete the path to your access.log file in your Abyss web console and you won't even have to see your log file get full |
Sorry... I think you've misunderstood my "problem statement". My access.log is not getting full (it's still only 748 kb). I see all the "normal" access requests being logged, and they "match" the entries in the firewall log. It's just a few occasional entries in the firewall log that show that the firewall has allowed through a request to Abyss, but the request doesn't show up in Abyss' access.log file. Perhaps Abyss is not logging these because they're recognized as worm probes? Or, worst case, Abyss is actually processing some kind of request that it shouldn't, and is not even logging it. _________________ Gene Chan genechan@vcn.bc.ca
Burnaby, BC, Canada gene_chan@telus.net
Little Mountain Brass Band http://lmbb.vabbs.org/
British Columbia Regiment Association Band http://www.geocities.com/BCRegtBand |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Tue Jun 03, 2003 1:34 am Post subject: |
|
|
Yes, some really malformed requests are rejected without even being served (the server closes the connections as soon as it reads the first line). Abyss Web Server only logs requests that are well written, at least well written to be parsed and processed (even if they can be rejected later with error 400 or 404). _________________ Support Team
Aprelium - http://www.aprelium.com |
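
Added example, not part of the original thread and not Aprelium's code: a sketch that ties the two points above together by classifying a raw request line as malformed (the kind the server drops unlogged), worm probe, or normal, and by splitting an existing access.log into kept and probe entries. It assumes Common Log Format for access.log, a simple regex as the definition of a "well written" request line, and a marker list containing only the `cmd.exe` string named in the thread; the function names and sample entries are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed meaning of "well written": METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
# Assumed log layout: Common Log Format; group 1 is the quoted request line.
CLF = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+')
# Only cmd.exe is named in the thread; extend this tuple for other probes.
PROBE_MARKERS = ("cmd.exe",)

def classify_request_line(line):
    """Return 'malformed', 'probe' or 'normal' for one raw request line."""
    m = REQUEST_LINE.match(line.strip())
    if m is None:
        return "malformed"  # never parsed, so it would never reach access.log
    # Undo %xx escapes twice so single and double encoding both match.
    target = unquote(unquote(m.group(2))).lower()
    if any(marker in target for marker in PROBE_MARKERS):
        return "probe"
    return "normal"

def split_access_log(entries):
    """Split log entries into (kept, probes); unrecognised lines are kept."""
    kept, probes = [], []
    for entry in entries:
        m = CLF.match(entry)
        if m and classify_request_line(m.group(1)) == "probe":
            probes.append(entry)
        else:
            kept.append(entry)
    return kept, probes

# Constructed sample entries using documentation-range addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jul/2002:13:30:01 -0400] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [16/Jul/2002:13:31:44 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [16/Jul/2002:13:31:45 -0400] "GET /scripts/CMD%2eEXE?/c+dir HTTP/1.0" 404 210',
    '203.0.113.5 - - [16/Jul/2002:13:40:12 -0400] "GET /photos/car1.jpg HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    kept, probes = split_access_log(SAMPLE_LOG)
    print(f"{len(kept)} entries kept, {len(probes)} probe entries set aside")
    print(classify_request_line("\x00\x00 not an HTTP request"))
```

Writing the probe entries to a separate file instead of discarding them keeps the evidence available while leaving the main access log readable.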
|