Thursday, August 01, 2013

Blocking Rogue Scanners in Apache

Backgound

Exploring the use of mod_rewrite in Apache to block vulnerability scanners, scripties, exploit scanners and other black hats. Was wondering if the following is enough, hope that someone whose got experience in this can give some comments. :)

The Codes



#
# Hardened Apache Mod_Rewrite Security Rule
#
RewriteEngine on

#
# Known Web vulnerabilty Scanners
#
RewriteCond %{HTTP_USER_AGENT} ^.*(syhunt|sqlmap|WhatWeb|Netsparker|w3af|Nstalker|acunetix|qualys|nikto|wikto|pikto|pykto).* [NC]
RewriteRule .* - [F]


#
# Random Underground Web Exploit Scanners
#
RewriteCond %{HTTP_USER_AGENT} ^.*(04\/XP|2search|3653Client|ActMon|adfsgecoiwnf|adlib|AdTools|Agentcc|AHTTPConnection|al|Aldi|Alerter|API\sGuide\stest\sprogram|Arrow\sSearch|asd|AskInstallChecker|Async\sHTTP\sAgent|Atomic\_Email\_Hunter|AutoHotkey|AutoIt|Avzhan\sDDoS\sBot|BGroom|Binget\sPHP\sLibrary|BlackSun\BOT\/0\.1|Brontok|Browser\sPal|Brutus\sAET|BysooTB|Casino|changhuatong|CholTBAgent|cibabam|ClickAdsByIE|CodeguruBrowser|core\-project|CPUSH\_HOMEPAGE|CPUSH\_UPDATER|ctwopop|darkness|DataCha0s|Delphi|DigExt|DMFR|Downloader1|DriveCleaner\sUpdater|Duckling|dwplayer|eAnthMngr|ed2k\sedonkey2000\sruntime\sdetection|EI|EmailSiphon|ErrCode|ErrorFix|ewBrandTest|EzReward|Feat2\sUpdater|Flag|Flame|Flipopia|FPRecover|FPUpdater|FSD|FSW|GabPath|gbot|Godzilla|Google\sbot|GPInstaller|GPRecover|GPUpdater|Hardcore\sSoftware|http\sprotocol|HTTP\sWininet|HTTPCSDCENTER|iamx|iebar|IEP|IEToolbar|iexp\-get|iMeshBar|INet\s\-\sWin32\.Virus\.Jusabli\.A|InfoBot|Install\sStub|Installer|IST|istsvc|javasw\s\-\sTrojan\.Banload|Known\sSkunkx\sDDOS\sBot|Lizard|Lotto|MacProtector|Macrovision\_DM\_2\.4\.15|malware|MBVDFRESCT|mdms|me0hoi|meterpreter|MGS\-Internal\-Web\-Manager|Mirar\_KeywordContentHijacker|Morfeus|Morfeus\sScanner|Moxilla|Mozilla\/\/4\.0|Mozzila|MSDN\sSurfBear|msndown|Museon|My\sAgent|MyApp|MyBrowser|MyLove|MYURL|MyWay|MyWebSearchSearchAssistance|Navhelper|Need2Find|NOKIAN95\/WEB|NSIS\_DOWNLOAD|NSIS\_Inetc|NSIS\_INETLOAD|NSISDL|OCInstaller|OCRecover|Oncues|Opera\/8\.89\s\-\sP2P\-Worm\.Win32\.Palevo\.ddm|Opera\/9\.80\sPesto\/2\.2\.15|OSSProxy|Our\_Agent|Pass|Pcast\sLive|PcPcUpdater|pcsafe|PinballCorp\-BSAI\/VER\_STR\_COMMA|PoisonIvy\sRAT|poller|Popup\sStopper|PrivacyInfoUpdate|ProxyDown|psi|PyCurl|qixi|QvodDown|RAbcLib|random|RAV1|RCleanT|REKOM|Remote\s\-\sWin32\/Babmote\.A|Revolution\sWin32|RookIE|SAcc|SAH\sAgent|ScrapeBox|Se2011|Search\sToolbar|SelectRebates|Setup\sFactory|sgrunt|Shareaza|shprrprt\-cs\-|SimpleClient|smrtshpr\-cs|snprtzdialno|spam\_bot|SpamBlockerUtility|Spedia|SpeedRunner|SpyDawn|Spy\-Locked|SpywareStrike|SQTR\_VERIFY|STORMDDOS\s\-\sBackdoor\.Win32\.Inject\.ctt|String\s\(AskPartnerCobranding\)|Strip\-Player|Stubby|StubInstaller|SysCleaner|TCYWinHTTPDownload|Tear\sApplication|TeomaBar|test\_hInternet|Tiny|TM\_SEARCH3|Travel\sUpdate|Trololo|URLBlaze|UtilMind\sHTTPGet|vaccinepc|VB\sWININET|VCTestClient|VERTEXNET|Viper|VMozilla|vyre32|W32\/Fujacks\.htm|WakeSpace|wget\s3\.0|WHCC\/|Win32|Win32\sAmti|Win32\/Ferabsa\.A|WinFix\sMaster|WMUpdate|WSEnrichment|YZF|Zango|Installer|ZC\-Bridge|zeroup|ZmEu|ZOMBIES\_HTTP\_GET).* [NC]
RewriteRule .* - [F]

#
# Denial-of-Service Tool
#
RewriteCond %{HTTP_USER_AGENT} ^.*(ApacheBench).* [NC]
RewriteCond %{HTTP_USER_AGENT} ^.*(WWW\-Mechanize|revolt|Crawl|Mail\.Ru|Walker|sbide|findlinks|spide|Ace\sExplorer|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).*  [NC]
RewriteRule .* - [F]

RewriteLogLevel 2
RewriteLog logs/rewrite.log

More Questions


What if the scanners change their user-agent strings? Should i change the way to block these scanners instead? e.g. access string?


I get 403 in the access log files but inside rewrite.log, it just say which rule is invoked but didn't record the user-agent string detected. Is there a way to increase verbosity without going too high in the RewriteLogLevel?

No comments: