[ Madonna @ 06.03.2002. 16:38 ] @
Does anyone know what this program is for?
[ Gojko Vujovic @ 06.03.2002. 21:40 ] @
Simple IP Worm Webtrap
Fri, Aug 3, 2001; by David Bau.

There are a number of worms and vulnerability scanners that just look for weaknesses by scanning ranges of IP addresses. This includes Code Red.

Here is a simple webtrap for Apache that will keep these IP scanners out of your access logs and out of your cgi directories. The idea is to take advantage of HTTP/1.1 Host headers. If somebody comes to your site and doesn't know what the proper DNS name for your site is, they're probably up to no good.

If you want to allow "real browsers" in from this IP address, you can add a RewriteRule that will tell them to do a client-side redirect to a proper DNS name. Chances are most hostile programs won't be bothered to try to understand redirect.

In the example below, the primary DNS name of the webserver at 192.168.1.43 is cc558546-a.lwmrn1.pa.home.com, but the website is served at notesbydave.com.

Code:
# Apache 1.3 / 2.0 / 2.2 need this so that several <VirtualHost> blocks on
# the same address are dispatched by Host header (deprecated no-op in 2.4).
NameVirtualHost 192.168.1.43

# First block = default for requests whose Host header matches nothing below.
<VirtualHost 192.168.1.43>
    ServerAdmin [email protected]
    ServerName cc558546-a.lwmrn1.pa.home.com
    DocumentRoot /home/webserver/webtrap
    RewriteEngine on
    RewriteRule ^/(.*)$ http://notesbydave.com/$1 [R]
    ErrorLog logs/webtrap-error_log
    CustomLog logs/webtrap-access_log combined
</VirtualHost>
<VirtualHost 192.168.1.43>
    ServerAdmin [email protected]
    ServerName notesbydave.com
    ServerAlias *.notesbydave.com
    DocumentRoot /home/webserver/notesbydave
    ErrorLog logs/notesbydave.com-error_log
    CustomLog logs/notesbydave.com-access_log combined
</VirtualHost>

One nice thing about this simple trap is that it works when you have multiple named virtual hosts on your site (unlike my previous Code Red Litter cleaner).

Of course, this simple Host header trap is no protection against targeted scanners like Whisker that are aware of Host headers. And it doesn't protect you against vulnerabilities in Apache itself. But at least it gets Code Red out of your hair.

Source: http://dabbler.org/stories/storyReader$44
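To see why the ordering of the two blocks matters, here is an added example (not from David Bau's article or the forum post) that models Apache's name-based virtual host selection for the configuration above: an exact ServerName match, then ServerAlias wildcards, otherwise the first block for that address. The vhost names and the constructed requests are taken from the post; the redirect mirrors its RewriteRule.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class VHost:
    server_name: str
    aliases: Tuple[str, ...] = ()
    redirect_to: Optional[str] = None  # canonical name; set on the trap only

# Constructed model of the two <VirtualHost> blocks, in the order they appear.
# Apache hands any request whose Host header matches no ServerName/ServerAlias
# to the FIRST vhost for that address, which is why the trap must come first.
VHOSTS = [
    VHost("cc558546-a.lwmrn1.pa.home.com", redirect_to="notesbydave.com"),
    VHost("notesbydave.com", aliases=("*.notesbydave.com",)),
]

def normalize_host(host: Optional[str]) -> str:
    """Lower-case the Host header and drop an optional :port, as Apache does.
    A missing header (HTTP/1.0 scanners) normalises to the empty string."""
    if not host:
        return ""
    host = host.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def select_vhost(host_header: Optional[str]) -> VHost:
    """Exact ServerName first, then ServerAlias globs, else the default vhost."""
    name = normalize_host(host_header)
    for vh in VHOSTS:
        if name == vh.server_name.lower():
            return vh
        if any(fnmatch.fnmatchcase(name, a.lower()) for a in vh.aliases):
            return vh
    return VHOSTS[0]

def handle(host_header: Optional[str], path: str) -> Tuple[int, str]:
    """Return (status, target): 302 + Location built like the post's
    RewriteRule ^/(.*)$ http://notesbydave.com/$1 [R], or 200 + site served."""
    vh = select_vhost(host_header)
    if vh.redirect_to:
        return 302, f"http://{vh.redirect_to}/{path.lstrip('/')}"
    return 200, vh.server_name

if __name__ == "__main__":
    for host in (None, "192.168.1.43", "NOTESBYDAVE.COM:80", "www.notesbydave.com"):
        print(repr(host), "->", handle(host, "/cgi-bin/test"))
```

Requests by raw IP or with no Host header at all land in the trap and its separate webtrap-access_log, while anything naming the site or a subdomain is served normally.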