Cgi attack solution.

newbie14 · 02-04-2014, 10:25 AM

Dear All,
I notice quite a number of these "GET /cgi-bin/php4 HTTP/1.1" 404 210 "-" "-" in my log file. Should I do something about it. Some suggest to comment this part. Will this be effective or any other better solution to this?

Code:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

Habitual · 02-04-2014, 10:39 AM

I used iptables on one host like so:

Code:

iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "GET /cgi-bin/" --to 1000 -j DROP

It's only 1 method. Others here may have better ones.

Quote:

Originally Posted by newbie14

...Should I do something about it...

Not necessary (it just bugs me no end that they 'try') but 404s are "Not found".
Enough of those could inhibit your server's ability to satisfy valid requests.

newbie14 · 02-05-2014, 07:10 PM

Dear Habitual,
Besides the iptables what can I do in my httpd.conf to totally stop this cgi-bin so that there is not chance of any possible intrusion?

descendant_command · 02-05-2014, 07:16 PM

If you're not using it, then yes, just comment it out.
I also like to add regular "exploit probes" to my fail2ban rules.

newbie14 · 02-05-2014, 07:28 PM

Dear Descdendant,
I saw few section with cgi among them is this. So should I just comment all this. Anything else I should set on httpd.conf. Any sample config which you suggest on fail2ban.

Quote:

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

LoadModule cgi_module modules/mod_cgi.so

Habitual · 02-06-2014, 08:40 AM

Commenting out those entries is fine, but it does NOT stop the "attack".
You can either setup a iptables rule or ignore the "not found" 404s.

Corpus-Khu · 02-08-2014, 08:21 PM

You can configure apache to redirect your error pages to a cdn or another server so as to not service the request more than once for a single request. It is also possible to drop the connection at layer 3 without providing a response. I would look into both options as if a client continues to request the same non-existing article you are wasting your time. You could do this from within script by making comparisons to previous requests from the same location, ip-address exc.. What I would do is perminently drop a user if they don't except at least 1 identifying cookie or redirect with a url encoded authentication code in an http scenerio,

I see many sites that give abusive users a time out. I am unsure if a person would do this with iptables or dynamically change a firewall, you could accomplish this for your website with htaccess or somehow add rules to a dmz on the fly with a dmz that allows that to ensure you are not overworking your server or the intermediate services that allow you to operate effectively.