On 13 Jun 2008, at 09:47:43, Joshua Slive wrote:

> On Fri, Jun 13, 2008 at 12:41 PM, Merton Campbell Crockett
> <[EMAIL PROTECTED]> wrote:
>> Looking at the Apache access log, it's clear that Apache is processing
>> a lot of requests from systems probing for vulnerabilities. Rather than
>> have Apache process the request, I would like to immediately reject all
>> requests with a 503, Service Unavailable, status.
>
> Can I ask: Why? Apache has to process the request one way or the other
> in order to send back an error response. What's the difference if the
> error response is a 404 or a 503?

I don't really care whether the status returned is 404, 503, or some
other code as long as it does not require me to identify why the
request is being rejected.

Why? Most of the requests are rejected because the file doesn't
exist; however, Apache does perform some action on some requests
beyond determining whether or not the file exists. I do not want
Apache to perform these actions.

>> Can this be done with a series of RewriteCond statements specifying
>> each of the permitted strings followed by a RewriteRule that rejects
>> the request and terminates processing? Is there a better way of
>> accomplishing this?
>
> Yes, you could do this with mod_rewrite, but I don't see the point.

Does your company or organization have a Security Operations Center
(SOC) that does nothing but scan for potential vulnerabilities? If
so, do they insist that you make changes to your Apache configuration
even though the "vulnerability" doesn't exist?

Basically, I'm tired of the bullshit. I don't want to spend my life
filling out forms explaining to those that haven't a clue that their
"vulnerability" is a false positive. I want to configure Apache to
reject all requests that cannot possibly be supported by the
collaboration tool.

Merton Campbell Crockett
[EMAIL PROTECTED]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
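
The approach asked about in the thread above (a series of RewriteCond lines naming the permitted strings, followed by one RewriteRule that rejects everything else), shown as an added example that is not from either poster. The path prefixes are hypothetical placeholders for whatever URLs the collaboration tool actually serves.

```apache
# Added example: allowlist by URL path, reject everything else.
# The prefixes below are assumptions; replace them with the tool's real paths.
RewriteEngine On

# Each condition is true when the request does NOT match one permitted
# pattern. RewriteCond lines are ANDed by default, so the rule below
# fires only when the request matches none of them.
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{REQUEST_URI} !^/collab/
RewriteCond %{REQUEST_URI} !^/static/
RewriteCond %{REQUEST_URI} !^/favicon\.ico$

# "-" means no substitution. [F] returns 403 Forbidden and stops rewrite
# processing. Use [R=503,L] instead to return the 503 from the original
# question.
RewriteRule ^ - [F]
```

Placed in the server or virtual-host configuration rather than in .htaccess, these rules are evaluated during URL translation, before any content handler runs. The rejected requests still appear in the access log with the chosen status code.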