Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: arne on March 21, 2005, 05:53:46 PM

Title: Prevention of automated attacks
Post by: arne on March 21, 2005, 05:53:46 PM
I have two SME servers in different locations and networks. Both of them regularly receive attacks that are actually a buffer overflow attack against a Windows server. The Apache access log looks something like this:

www.linbase.dyndns.dk 202.73.167.126 - - [16/Mar/2005:03:41:03 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\ ...

I just copied a small fraction of it because it is so long.

I guess that the Apache server of the SME can handle this, but still I would like to block it if it is possible.

I tried to write a new firewall script using a rule that will drop packets over a certain length.

http://www.iptables.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.7

It seems that this kernel module is not included in the SME server (??)

Does any of you have ideas on how to stop such buffer overflow attacks before they reach the Apache web server?
Title: Re: Prevention of automated attacks
Post by: CharlieBrady on March 21, 2005, 08:37:49 PM
Quote from: "arne"

I guess that the Apache server of the SME can handle this, but still I would like to block it if it is possible.


Why bother? Don't you have anything else to worry about?

Quote

I tried to write a new firewall script using a rule that will drop packets over a certain length.


If you succeed in doing that, you'll cause all sorts of problems. You'll hardly be able to download anything.

Quote

http://www.iptables.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.html#ss3.7

It seems that this kernel module is not included in the SME server (??)


Correct, they're not standard modules.

Quote

Does any of you have ideas on how to stop such buffer overflow attacks before they reach the Apache web server?


First you need to identify them. Once you've done that, you'll either know that they won't hurt your apache, or you'll know that your apache is vulnerable, in which case you should spend your time fixing apache, not fiddling with your firewall. :-)
Title: Prevention of automated attacks
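CharlieBrady's point is that the requests have to be identified before deciding whether anything needs blocking. The following is an added example, not code from this thread or from SME Server: a small Python scanner for the vhost-prefixed Apache log format shown in arne's first post. The three log lines embedded in it are constructed (the SEARCH line is a shortened version of the one quoted above, and its status and size fields are made up). It decodes the \xNN escapes Apache writes into the log, flags request lines whose method is outside an allowed set or whose URI carries raw non-printable bytes (a legitimate URI is percent-encoded, so these never belong there), and reports the decoded request-line length. That length is what an application-level control such as Apache's LimitRequestLine directive acts on; a single request line like the one in the thread is spread over several TCP packets, so it is not something a per-packet length limit in the firewall can measure. The allowed-method set and the 2048-byte threshold are assumptions for the example.

```python
import re

# Constructed sample lines in the vhost-prefixed combined log format from the
# thread. Apache writes non-printable request bytes as \xNN escapes, so the
# sled shows up as literal "\x90\x04H" text. The SEARCH line is shortened and
# its status/size fields are made up; the 192.0.2.x clients are documentation
# addresses.
SAMPLE_LOG = r'''
www.linbase.dyndns.dk 192.0.2.10 - - [16/Mar/2005:03:40:12 +0100] "GET /index.html HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
www.linbase.dyndns.dk 202.73.167.126 - - [16/Mar/2005:03:41:03 +0100] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H HTTP/1.1" 414 0 "-" "-"
www.linbase.dyndns.dk 192.0.2.11 - - [16/Mar/2005:03:42:55 +0100] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512 "-" "curl/7.10"
'''.strip("\n")

# vhost client ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Escapes Apache uses in the access log: \xNN plus the usual C-style ones.
ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[nrtvbf"\\])')
SIMPLE_ESC = {"n": 10, "r": 13, "t": 9, "v": 11, "b": 8, "f": 12, '"': 34, "\\": 92}


def unescape_log(field: str) -> bytes:
    """Turn an escaped log field back into the bytes Apache actually received."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        out.append(int(esc[1:], 16) if esc.startswith("x") else SIMPLE_ESC[esc])
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


# Methods this (non-WebDAV) server is expected to see; anything else is noted.
# Assumption for the example, adjust to the site.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS"})


def classify(request: str, allowed=ALLOWED_METHODS, max_line=2048) -> list:
    """Return the reasons a logged request line looks like an exploit probe."""
    parts = request.split(" ")
    method = parts[0]
    uri = unescape_log(parts[1]) if len(parts) > 1 else b""
    line_len = len(unescape_log(request))
    reasons = []
    if method not in allowed:
        reasons.append("method %s not in allowed set" % method)
    # A URI must be percent-encoded; raw control or high bytes never belong there.
    bad = sum(1 for b in uri if b < 0x20 or b >= 0x7F)
    if bad:
        reasons.append("%d non-printable bytes in URI" % bad)
    if line_len > max_line:
        reasons.append("request line %d bytes > %d" % (line_len, max_line))
    return reasons


def scan(log_text: str, **kw) -> list:
    """Return (client, method, decoded request-line length, reasons) per flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = m.group("request")
        reasons = classify(req, **kw)
        if reasons:
            hits.append((m.group("client"), req.split(" ")[0], len(unescape_log(req)), reasons))
    return hits


if __name__ == "__main__":
    for client, method, length, reasons in scan(SAMPLE_LOG):
        print(client, method, length, "; ".join(reasons))
```

Run against a real access_log by reading the file into `scan()`; the client addresses and reasons it returns are what tells you whether the requests are probes for something this Apache does not even implement, which is the identification step before any blocking decision.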
Post by: arne on March 21, 2005, 10:02:38 PM
Hello !

"Why bother? Don't you have anything else to worry about?"

Well, one of the main reasons for working with Linux is to learn about it. Being able to prevent buffer overflows in general would be, I think, a good idea.

"If you succeed in doing that, you'll cause all sorts of problems. You'll hardly be able to download anything."

On Linux 2.4.x/2.6.x you can have quite good control of which data streams and which traffic directions you are filtering. It's also quite easy to have different configuration scripts for different situations. The idea was/is to filter on the length of the data packets in the traffic direction from the WAN to the local processes on the server (INPUT chain).

I don't know what the right maximum length of a data packet would be. Of course this would have to be tried out. If too short, the only thing that will happen is that the data stream to the web server will stop. (If combining port 80 and maximum length criteria.)

By the way, I tried with "modprobe ipt_length" (believing this was the right kernel module.) Looks like it loads OK, and also "modprobe -l" shows it is there.

When trying to use it, this message appears:

iptables v1.2.5: Couldn't load match `length':/lib/iptables/libipt_length.so: cannot open shared object file: No such file or directory

Just curious about what this means... The module is there, but then it's not there (just trying to understand; it might be the incorrect module).

By the way, I'm using "server only", so it's only a question of limiting the length of the packets in to the web server to be able to prevent all kinds of buffer overflows, as a general principle, and to do some experiments on that.

Best regards, Arne.
Title: Prevention of automated attacks
Post by: arne on March 22, 2005, 12:12:38 AM
Other discussion forums on the web also say the same:

If you limit the packet size or length, you will also block normal traffic.

My "easy thinking" is that a web server should normally deliver more data out to a client than it receives back from the client, during "ordinary surfing".

Of course this should be checked properly with a packet sniffer or something, but I would expect to find that the traffic from client to server is built up of relatively smaller packets and the traffic from server to client of somewhat bigger packets.

So if the packet size for the traffic direction from client to server is reduced to, let's say, 25 or 50% of its maximum size as limited by the protocol, will this then make normal traffic to the server stop?

I don't know, but I would not expect it. I would like to try even though the SME server might not support it. This would eventually mean just another Linux box in front of it.