200 ; OK 201 ; Created 202 ; Accepted 204 ; No Content 301 ; Moved Permanently 302 ; Moved Temporarily 304 ; Not Modified 400 ; Bad Request 401 ; Unauthorized 403 ; Forbidden 404 ; Not Found 500 ; Internal Server Error 501 ; Not Implemented 502 ; Bad Gateway 503 ; Service Unavailable
101 ; Switching Protocols 200 ; OK 201 ; Created 202 ; Accepted 203 ; Non-Authoritative Information 204 ; No Content 205 ; Reset Content 206 ; Partial Content 300 ; Multiple Choices 301 ; Moved Permanently 302 ; Moved Temporarily 303 ; See Other 304 ; Not Modified 305 ; Use Proxy 400 ; Bad Request 401 ; Unauthorized 401;1 ; Unauthorized - Logon failed 401;2 ; Unauthorized - Logon failed due to server configuration 401;3 ; Unauthorized - Unauthorized due to ACL on resource 401;4 ; Unauthorized - Authorization failed by filter 401;5 ; Unauthorized - Authorization failed by ASAPI/CGI app 402 ; Payment Required 403 ; Forbidden 403;1 ; Forbidden - Execute access forbidden 403;2 ; Forbidden - Read access forbidden 403;3 ; Forbidden - Write access forbidden 403;4 ; Forbidden - SSL required 403;5 ; Forbidden - SSL128 required 403;6 ; Forbidden - IP address rejected 403;7 ; Forbidden - Client certificate required 403;8 ; Forbidden - Site access denied 403;9 ; Forbidden - Too many users 403;10 ; Forbidden - Invalid Configration 403;11 ; Forbidden - Password Change 403;12 ; Forbidden - Mapper Denied Access 403;13 ; Forbidden - Client certificate revoked 403;14 ; Forbidden - Directory Listing Denied 403;15 ; Forbidden - Client Access Licenses Exceeded 403;16 ; Forbidden - Client certificate untrusted or ill-formed 403;17 ; Forbidden - Client certificate has expired or is not yet valid 404 ; Not Found 405 ; Method Not Allowed 406 ; Not Acceptable 407 ; Proxy Authentication Required 408 ; Request Time-out 409 ; Conflict 410 ; Gone 411 ; Length Required 412 ; Precondition Failed 413 ; Request Entity Too Large 414 ; Request-URI Too Large 415 ; Unsupported Media Type 500 ; Internal Server Error 500;12 ; Internal Server Error - Application restarting 500;13 ; Internal Server Error - Server too busy 500;15 ; Internal Server Error - Direct requests for GLOBAL.ASA forbidden 500;100 ; Internal Server Error - ASP error 501 ; Not Implemented 502 ; Bad Gateway 503 ; Service Unavailable 504 ; Gateway Time-out 505 ; HTTP Version not supported
SetEnvIf Request_URI "default\.ida" wormlog SetEnvIf Request_URI "cmd\.exe" wormlog SetEnvIf Request_URI "root\.exe" wormlog SetEnvIf Request_URI "Admin\.dll" wormlog CustomLog logs/worm_log combined env=wormlog CustomLog logs/access_log combined env=!wormlog ErrorLog logs/error_log
GET / HTTP/1.0 HTTP/1.1 404 Object Not Found Date: Tue, 02 Oct 2001 09:58:05 GMT Content-Type: text/html Content-Length: 102 Server: Microsoft-IIS/5.0
<HTTP/1.0で、Host:ヘッダを指定してGETリクエスト>
GET / HTTP/1.0 Host: localhost HTTP/1.1 200 OK Content-Location: http://localhost/index.html Date: Tue, 02 Oct 2001 10:07:13 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 18 Apr 2001 08:03:24 GMT ETag: "e5593adec7c01:3eef" Content-Length: 855 Server: Microsoft-IIS/5.0
<HTTP/1.1で、Host:ヘッダを指定しないでGETリクエスト>
GET / HTTP/1.1 HTTP/1.1 404 Object Not Found Date: Tue, 02 Oct 2001 10:02:42 GMT Content-Type: text/html Content-Length: 102 Server: Microsoft-IIS/5.0<HTTP/1.1で、Host:ヘッダを指定してGETリクエスト>
GET / HTTP/1.1 Host: localhost HTTP/1.1 200 OK Content-Location: http://localhost/index.html Date: Tue, 02 Oct 2001 10:03:51 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Wed, 18 Apr 2001 08:03:24 GMT ETag: "e5593adec7c01:3eef" Content-Length: 855 Server: Microsoft-IIS/5.0
| プロトコル | Hostヘッダ | 結果 |
| HTTP/1.0 | なし | × |
| HTTP/1.0 | あり | ○ |
| HTTP/1.1 | なし | × |
| HTTP/1.0 | あり | ○> |
<IE6.0から、HTTP/1.1でProxyサーバを経由しない>
GET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */* Accept-Language: ja Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: localhost.somewhere.jp Connection: Keep-Alive
<IE6.0から、HTTP/1.0でProxyサーバを経由しない>
GET / HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */* Accept-Language: ja User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: localhost.somewhere.jp Connection: Keep-Alive
<IE6.0から、Proxyサーバを経由>
GET / HTTP/1.0 Accept: */* Accept-Language: ja Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: localhost.somewhere.jp Cache-Control: max-stale=0 Connection: close
<前略> RemoveServerHeader=0 ; if 1, remove "Server" header from response EnableLogging=1 ; if 1, log UrlScan activity PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log) AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter. ; If RemoveServerHeader is 0, then AlternateServerName can be ; used to specify a replacement for IIS's built in 'Server' header AlternateServerName=Apache/1.3.19 (TurboLinux) on Linux <後略>
<使用前> HEAD / HTTP/1.0 HTTP/1.1 200 OK Content-Location: http://xxx.xxx.xxx.xxx/index.html Date: Thu, 27 Sep 2001 06:01:19 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Fri, 17 Aug 2001 08:06:06 GMT ETag: "02b1777f326c11:9cf" Content-Length: 2217 Server: Microsoft-IIS/5.0 <使用後> HEAD / HTTP/1.0 HTTP/1.1 200 OK Content-Location: http://xxx.xxx.xxx.xxx/index.html Date: Thu, 27 Sep 2001 05:58:14 GMT Content-Type: text/html Accept-Ranges: bytes Last-Modified: Fri, 17 Aug 2001 08:06:06 GMT ETag: "02b1777f326c11:9cf" Content-Length: 2217 Server: Apache/1.3.19 (TurboLinux) on Linuxurlscanが有効になると、%systemroot%SYSTEM32\Inetsrv\Urlscanに、urlscan.logが記録される。有効なメソッド、拒否される拡張子、拒否する記号が表示される。
[木, 9 27 2001 - 15:02:56] ---------- UrlScan.dll Initializing ---------- [木, 9 27 2001 - 15:02:56] URLs will be normalized before analysis. [木, 9 27 2001 - 15:02:56] URL normalization will be verified. [木, 9 27 2001 - 15:02:56] URLs may contain OEM, international and UTF-8 characters. [木, 9 27 2001 - 15:02:56] URLs must not contain any dot except for the file extension. [木, 9 27 2001 - 15:02:56] The 'Server' header will contain 'Apache/1.3.19 (TurboLinux) on Linux' on responses. [木, 9 27 2001 - 15:02:56] Only the following verbs will be allowed (case sensitive): [木, 9 27 2001 - 15:02:56] 'GET' [木, 9 27 2001 - 15:02:56] 'HEAD' [木, 9 27 2001 - 15:02:56] 'POST' [木, 9 27 2001 - 15:02:56] Requests for following extensions will be rejected: [木, 9 27 2001 - 15:02:56] '.exe' [木, 9 27 2001 - 15:02:56] '.bat' [木, 9 27 2001 - 15:02:56] '.cmd' [木, 9 27 2001 - 15:02:56] '.com' [木, 9 27 2001 - 15:02:56] '.htw' [木, 9 27 2001 - 15:02:56] '.ida' [木, 9 27 2001 - 15:02:56] '.idq' [木, 9 27 2001 - 15:02:56] '.htr' [木, 9 27 2001 - 15:02:56] '.idc' [木, 9 27 2001 - 15:02:56] '.shtm' [木, 9 27 2001 - 15:02:56] '.shtml' [木, 9 27 2001 - 15:02:56] '.stm' [木, 9 27 2001 - 15:02:56] '.printer' [木, 9 27 2001 - 15:02:56] '.ini' [木, 9 27 2001 - 15:02:56] '.log' [木, 9 27 2001 - 15:02:56] '.pol' [木, 9 27 2001 - 15:02:56] '.dat' [木, 9 27 2001 - 15:02:56] Requests containing the following headers will be rejected: [木, 9 27 2001 - 15:02:56] 'translate:' [木, 9 27 2001 - 15:02:56] 'if:' [木, 9 27 2001 - 15:02:56] 'lock-token:' [木, 9 27 2001 - 15:02:56] Requests containing the following character sequences will be rejected: [木, 9 27 2001 - 15:02:56] '..' [木, 9 27 2001 - 15:02:56] './' [木, 9 27 2001 - 15:02:56] '\' [木, 9 27 2001 - 15:02:56] ':' [木, 9 27 2001 - 15:02:56] '%' [木, 9 27 2001 - 15:02:56] '&'試しに、cmd.exeとか、default.idaをURLに含めてアクセスすると、以下のようなログが記録される。
[木, 9 27 2001 - 15:07:50] Client at 127.0.0.1: URL contains extension '.exe', which is disallowed. Request will be rejected. Raw URL='/cmd.exe' [木, 9 27 2001 - 15:08:17] Client at 127.0.0.1: URL contains extension '.ida', which is disallowed. Request will be rejected. Raw URL='/default.ida'なお、urlscan.iniの変更を反映するには、World Wide Web Publishing Service自体を再起動する必要がある。(インターネットインフォメーションサービスでWebサイトを再起動しただけではダメ)
Apacheには、似たようなURLフィルタはないようだが、httpd.confを編集することによりログを分けることが可能。
SetEnvIf Request_URI "default\.ida" wormlog SetEnvIf Request_URI "cmd\.exe" wormlog SetEnvIf Request_URI "root\.exe" wormlog SetEnvIf Request_URI "Admin\.dll" wormlog CustomLog logs/worm_log combined env=wormlog CustomLog logs/access_log combined env=!wormlog ErrorLog logs/error_log
- modsecurity-1.8.7をダウンロード
- tarボールの展開
- mod_securityのコンパイルとインストール
- /etc/httpd/conf/httpd.confの確認 ちなみに、インストール前のconfファイルが/etc/httpd/conf/httpd.conf.bakとして保存されている。
- mod_securityの設定
- httpdを再起動する。 モジュールを入れ換えているので、reloadではなく再起動しておく。
- おまけ:SecServerSignatureを試す。
[root@shrike src]# wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
--16:48:23-- http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
=> `mod_security-1.8.7.tar.gz'
proxy.example.co.jp をDNSに問いあわせています... 完了しました。
proxy.example.co.jp[10.xx.xxx.xxx]:8080 に接続しています... 接続しました。
Proxy による接続要求を送信しました、応答を待っています... 200 OK
長さ: 313,004 [application/x-tar]
100%[====================================>] 313,004 47.48K/s ETA 00:00
13:53:56 (47.48 KB/s) - `modsecurity-1.8.7.tar.gz' を保存しました [313004/313004]
[root@shrike src]# tar zxof modsecurity-1.8.7.tar.gz [root@shrike src]# cd modsecurity-1.8.7 [root@shrike modsecurity-1.8.7]# ls CHANGES README httpd.conf.example-minimal modsecurity-manual.pdf INSTALL apache1 httpd.conf.regression-v1 tests LICENSE apache2 httpd.conf.regression-v2 util
[root@shrike modsecurity-1.8.7]# cd apache2
[root@shrike apache2]# apxs -cia mod_security.c
/usr/lib/httpd/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/kerberos/include -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -pthread -DNO_DBM_REWRITEMAP -I/usr/include/httpd -c -o mod_security.lo mod_security.c && touch mod_security.slo
/usr/lib/httpd/build/libtool --silent --mode=link gcc -o mod_security.la -rpath /usr/lib/httpd/modules -module -avoid-version mod_security.lo
/usr/lib/httpd/build/instdso.sh SH_LIBTOOL='/usr/lib/httpd/build/libtool' mod_security.la /usr/lib/httpd/modules
/usr/lib/httpd/build/libtool --mode=install cp mod_security.la /usr/lib/httpd/modules/
cp .libs/mod_security.so /usr/lib/httpd/modules/mod_security.so
cp .libs/mod_security.lai /usr/lib/httpd/modules/mod_security.la
cp .libs/mod_security.a /usr/lib/httpd/modules/mod_security.a
ranlib /usr/lib/httpd/modules/mod_security.a
chmod 644 /usr/lib/httpd/modules/mod_security.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/httpd/modules
----------------------------------------------------------------------
Libraries have been installed in:
/usr/lib/httpd/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/httpd/modules/mod_security.so
[activating module `security' in /etc/httpd/conf/httpd.conf]
<IfModule worker.c> LoadModule cgid_module modules/mod_cgid.so </IfModule> LoadModule watch_module /usr/lib/httpd/modules/mod_watch.so LoadModule security_module /usr/lib/httpd/modules/mod_security.so
<IfModule mod_security.c>
# Turn the filtering engine On or Off
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterCheckCookieFormat On
# Only allow bytes from this range
#SecFilterForceByteRange 32 254
SecFilterForceByteRange 0 255
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
#SecAuditEngine On
SecAuditEngine Off
# The name of the audit log file
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
#SecFilterDebugLevel 9
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,pause:10000,status:500"
# SecFilterDefaultAction "deny,log,status:500"
# Prevent OS specific keywords
SecFilter /etc/passwd
SecFilter "/cgi-bin/perl"
SecFilter "/cgi-bin/bash"
SecFilter "/cgi-bin/csh"
SecFilter "/cgi-bin/sh"
SecFilter "/cgi-bin/test"
SecFilterSelective QUERY_STRING "/etc/passwd"
# Anti Windows WORM
SecFilter "(\.com|\.cmd|\.exe|\.bat|\.htw|\.ida|\.idc|\.idq|\.htr|\.printer)"
SecFilter "c\:"
SecFilter "d\:"
SecFilter "/_vti_bin/"
SecFilter "/_vti_cnf/"
SecFilter "/_vti_pvt/"
SecFilter "/_mem_bin/"
SecFilter "/ISSSAMPLES/"
SecFilter "/MSOffice/"
SecFilter "/scripts/"
SecFilter "/msdac/"
SecFilter "/help/"
SecFilter "/webpub/"
SecFilter "/c/winnt/"
SecFilter "/d/winnt/"
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script.*>"
SecFilter "<[[:space:]]*style.*>"
SecFilter "<[[:space:]]*link.*>"
SecFilter "<[[:space:]]*body[[:space:]]*>"
# Prevent OS Command injection attacks
SecFilter "(;|&|\|)[[:space:]]*/bin/.+"
SecFilter "(;|&|\|)[[:space:]]*/home/.+"
SecFilter "(;|&|\|)[[:space:]]*/opt/.+"
SecFilter "(;|&|\|)[[:space:]]*/usr/+"
SecFilter "(;|&|\|)[[:space:]]*/etc/+"
SecFilter "(;|&|\|)[[:space:]]*/sbin/+"
SecFilter "(;|&|\|)[[:space:]]*/var/+"
SecFilter "(;|&|\||-exec )[[:space:]]*/bin/.+"
SecFilter "(;|&|\||-exec )[[:space:]]*/home/.+"
SecFilter "(;|&|\||-exec )[[:space:]]*/opt/.+"
SecFilter "(;|&|\||-exec )[[:space:]]*/usr/+"
SecFilter "(;|&|\||-exec )[[:space:]]*/etc/+"
SecFilter "(;|&|\||-exec )[[:space:]]*/sbin/+"
SecFilter "(;|&|\||-exec )[[:space:]]*/var/+"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "javascript:"
SecFilter "vbscript:"
SecFilter "about:"
SecFilter "expression\("
SecFilter "&\{.\*\};"
SecFilter "<.+>"
# Prevent Event Handler atacks
SecFilter "onError"
SecFilter "onUnload"
SecFilter "onBlur"
SecFilter "onFocus"
SecFilter "onClick"
SecFilter "onMouseOver"
SecFilter "onMouseOut"
SecFilter "onSubmit"
SecFilter "onReset"
SecFilter "onChange"
SecFilter "onSelect"
SecFilter "onAbort"
# Prevent Cookie and Basic Authentication Data access
SecFilter "document\.cookie"
SecFilter "Microsoft\.XMLHTTP"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete.+from"
SecFilter "insert.+into"
SecFilter "select.+from"
SecFilter "grant.+to"
SecFilter "create.+table"
SecFilter "drop.+table"
SecFilter "alert.+table"
# Prevent echo redirection
SecFilter "echo.+>"
# Prevent MS SQL specific SQL injection attacks
SecFilter "xp_availablemedia"
SecFilter "xp_cmdshell"
SecFilter "xp_dirtree"
SecFilter "xp_enumdsn"
SecFilter "xp_fileexist"
SecFilter "xp_getnetname"
SecFilter "xp_readerrorlog"
SecFilter "xp_regread"
SecFilter "xp_regdeletekey"
SecFilter "xp_regdeletevalue"
SecFilter "xp_regwrite"
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
SecFilterSelective "HTTP_USER_AGENT" "^Microsoft URL Control"
# Forbid file upload
#SecFilterSelective "HTTP_CONTENT_TYPE" "!^(application/x-www-formurlencoded|multipart/form-data)$"
# Only allow our own test utility to send requests (or Mozilla)
#SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla|links)"
# SecFilterOutputMimeTypes "(null) text/html text/plain"
SecFilterSelective OUTPUT "Fatal error:"
# Allow Verbs
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_CONTENT_TYPE "!(^application/x-www-formurlencoded|^multipart/form-data)$"
# Deny Headers
SecFilterSelective HTTP_HEADER "Translate:"
SecFilterSelective HTTP_HEADER "If:"
SecFilterSelective HTTP_HEADER "Lock-Token:"
SecFilterSelective HTTP_HEADER "DAV:"
SecFilterSelective HTTP_HEADER "Depth:"
SecFilterSelective HTTP_HEADER "Destination:"
SecFilterSelective HTTP_HEADER "Label:"
SecFilterSelective HTTP_HEADER "Overwrite:"
SecFilterSelective HTTP_HEADER "TimeOut:"
SecFilterSelective HTTP_HEADER "TimeType:"
SecFilterSelective HTTP_HEADER "DAVTimeOutVal:"
SecFilterSelective HTTP_HEADER "Other:"
# Protect against phpBB2 Exploits
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# Exploit phpBB Highlighting Code Execution Attempt
SecFilterSelective THE_REQUEST "&highlight='\.system\("
# Exploit phpBB Highlighting SQL Injection
SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("
# Exploit phpBB Highlighting Code Execution - Santy.A Worm
SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("
# Exploit phpBB Highlight Exploit Attempt
SecFilter "&highlight=\x2527\x252Esystem\("
# Pretend Server Signature
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>
上記設定ファイルは、mod_securityに付属するhttpd.conf.example-fullをベースに、Anti Windows WORMの部分とSQLインジェクションの部分、WebDAVの部分を追加してある私のオリジナルである。が、Apache〜Server構築〜というページで、その部分がパクられてる・・・。まぁ、こちらもurlscan.iniからパクっているから人のことは言えないが。
reloadの場合、以前のモジュールが想定していない定義ファイルを読み込むことになりトラブルの元になる。
[root@shrike conf]# service httpd restart httpdを停止中: [ OK ] httpdを起動中: [ OK ]
ServerTokens Full ServerSignature Off SecServerSignature "Microsoft-IIS/6.0"とすると、
[root@shrike httpd]# telnet webcam.example.co.jp 80 Trying 10.xx.xxx.xxx... Connected to shrike. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.1 200 Found Date: Tue, 20 Jan 2004 08:50:06 GMT Server: Microsoft-IIS/6.0 Location: http://webcam.example.co.jp/ Connection: close Content-Type: text/html; charset=iso-8859-1 Connection closed by foreign host.ついに、URLScanを越えた!(w
Active Server Pages:Requests Queued, Requests Executing, Script Engines Cached. Processor: % Processor Time Memory:Available Bytes処理が集中した場合に、Requests Executing、Requests Queuedがより速く収束するように、チューニングすればよいわけだ。
adsutils.vbs のパスは、次のとおり。
IIS 4.0 : C:\WINNT\system32\inetsrv\adminsamples\ IIS 5.0 : C:\inetpub\AdminScripts\簡単な使い方:
一覧の取得: C:\> cscript adsutil.vbs enum w3svc 個別の値の確認 C:\> cscript adsutil.vbs get w3svc/AspScriptEngineCacheMax AspScriptEngineCacheMax : (INTEGER) 30 個別の値のセット C:\> cscript adsutil.vbs set w3svc/AspScriptEngineCacheMax "100" AspScriptEngineCacheMax : (INTEGER) 100
変更するには、レジストリを修正。
[\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\ASP\Parameters] "ProcessorThreadMax"=dword:00000001
C:\> cd \winnt\system32\inetsrv\adminsamples C:\> cscript adsutil.vbs set w3svc/AspScriptEngineCacheMax 100
参考リンク
- パフォーマンスおよび信頼性のモニタ
- Internet Information Services 5.0 における Webサーバーチューニングの要領と技術
- 大容量サイトにおける Internet Information Server 4.0 のチューニ ング パラメータ
- [IIS]IIS 4.0 のパフォーマンス向上について
- Microsoft の Web サイト上でのサーバー パフォーマンスの最適化
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */* Referer: http://referer.some.where.jp/ Accept-Language: ja Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461) Host: some.where.jp Proxy-Connection: Keep-Aliveである。これが、それぞれ
| Webブラウザが送信する変数 | Webサーバ側の環境変数 |
|---|---|
| Accept: | HTTP_ACCEPT: |
| Referer: | HTTP_REFERER: |
| Accept-Language: | HTTP_ACCEPT_LANGUAGE: |
| Accept-Encoding: | HTTP_ACCEPT_ENCODING: |
| User-Agent: | HTTP_USER_AGENT: |
| Host: | HTTP_HOST: |
| Proxy-Connection: | HTTP_CONNECTION: |
| 環境変数 | 値の意味 |
|---|---|
| HTTP_ACCEPT: | Webブラウザが受け付けることができるMIMEタイプの一覧 |
| HTTP_REFERER: | 参照元のURL |
| HTTP_ACCEPT_LANGUAGE: | Webブラウザのデフォルト言語タイプ |
| HTTP_ACCEPT_ENCODING: | Webブラウザが受け付けることができるエンコードタイプの一覧 |
| HTTP_USER_AGENT: | クライアントのOSやWebブラウザのバージョン |
| HTTP_HOST: | Webブラウザが指定したHost:ヘッダ |
| HTTP_CONNECTION: | 接続状態を示す。通常は、Keep-Aliveが入る |
| 環境変数 | 値の意味 |
|---|---|
| HTTP_VIA: | HTTPプロトコルのバージョン、ProxyサーバのFQDN名:ポート番号、Proxyサーバのバージョン |
| HTTP_FORWARDED: | Proxyサーバの情報 |
| HTTP_X_FORWARDED_FOR: | 経由してきたProxyサーバのIPアドレス一覧。一番左側がクライアントのIPアドレス。 |
| HTTP_CACHE_CONTROL: | Proxyサーバ側でのキャッシュを保持する最大秒数 |
| HTTP_CACHE_INFO: | Proxyサーバ側でのキャッシュ |
文字 10進数 16進数
! ! %21
" " %22
# # %23
$ $ %24
% % %25
& & %26
' ' %27
( ( %28
) ) %29
* * %2A
+ + %2B
, , %2C
- - %2D
. . %2E
/ / %2F
0 0 %30
1 1 %31
2 2 %32
3 3 %33
4 4 %34
5 5 %35
6 6 %36
7 7 %37
8 8 %38
9 9 %39
: : %3A
; ; %3B
< < %3C
= = %3D
> > %3E
? ? %3F
@ @ %40
A A %41
B B %42
C C %43
D D %44
E E %45
F F %46
G G %47
H H %48
I I %49
J J %4A
K K %4B
L L %4C
M M %4D
N N %4E
O O %4F
P P %50
Q Q %51
R R %52
S S %53
T T %54
U U %55
V V %56
W W %57
X X %58
Y Y %59
Z Z %5A
[ [ %5B
\ \ %5C
] ] %5D
^ ^ %5E
_ _ %5F
` ` %60
a a %61
b b %62
c c %63
d d %64
e e %65
f f %66
g g %67
h h %68
i i %69
j j %6A
k k %6B
l l %6C
m m %6D
n n %6E
o o %6F
p p %70
q q %71
r r %72
s s %73
t t %74
u u %75
v v %76
w w %77
x x %78
y y %79
z z %7A
{ { %7B
| | %7C
} } %7D
~ ~ %7E
リンク:Basic Latin- TWWWscan(URL:http://http://search.iland.co.kr/twwwscan/)
コマンドラインベースだが、特に難しいこともない。
うおぉ、なにげにUNYUN氏のクレジットが・・・。D:\Cracks\TWWWscan>twwwscan
Don't tell your web server free from attack twwwscan 1.2 2001/02/19 made by pilot http://search.iland.co.krusage : twwwscan <server> <port> <display> <type> <pmode> <a_idsmode> <display> : -v(~0.6) scan type(display status) or -n(no display) <type> : -t1(use GET),-t2(scan virtual host),-t3(virtual and GET) or -n <pmode> : passive mode scan -pw(windows) -pu(unix) -pa(ALL) or -n(no apply) <a_idsmode> : -ids(Anti-IDS mode URL Encoding) example 1 : twwwscan drill.hackerslab.org 80 example 2 : twwwscan 127.0.0.1 80 -v example 3 : twwwscan target.com 80 -n -n -pw example 4 : twwwscan virtual.yourhost.com 8080 -v -t3 -pu example 5 : twwwscan idstest.yourhost.com 80 -v -t1 -pa -ids contact : search@iland.co.kr (http://search.iland.co.kr) Tested On : Windows 95OSR2,98,98SE,NT4,2k,Me thanks r0ar,korea security guys,kuol(he designed the twwwscan logo) Dug Song(monkey.org),UNYUN(Shadow Penguin Security),Roelof(a author of pudding)
試しにローカルで動かしている、W2KSP2+IIS5.0をスキャン。
特に問題なければ、
となる。メッセージを見るとわかるが、カレントディレクトリに、HTMLファイルのレポートを吐いてくれる。D:\Cracks\TWWWscan>twwwscan 127.0.0.1 80 -v
Don't tell your web server free from attack twwwscan 1.2 2001/02/19 made by pilot http://search.iland.co.krConnecting HTTP Port - Result: 127.0.0.1 Connected
- web server type detect - Server: Microsoft-IIS/5.0
- Probing NT/2000 WWW Vulnerabilities - wait please !!! twwwscan make a 127.0.0.1.html
レポートはこんな感じ↓。
no advertisinge
Don't tell your web server free against black hats- twwwscan v1.2 report made by pilot http://search.iland.co.kr host: 127.0.0.1
port: 80
Server: Microsoft-IIS/5.0
if the webserver is apache,remove unnecessary information
protect your NT/2000 webserver
NT Bugtraq - Read FAQ
IIS 4.0 Buffer Overrun Hot Fix
IIS 4.0 Hotfixes
IIS 5.0 Hotfixes
Microsoft TechNet Security(Windows NT/2000 Patch MainSite)
Microsoft Security Tools and IIS 4/5 Security CheckList Read
Windows IT Security(formerly NTSecurity.net)
こんどは、ほとんど保守されていない、NT4 SP5+IIS 3.0をスキャン。
レポートのほうは、D:\Cracks\TWWWscan>twwwscan 10.xx.xxx.xxx 80 -v
Don't tell your web server free from attack twwwscan 1.2 2001/02/19 made by pilot http://search.iland.co.krConnecting HTTP Port - Result: 10.xx.xxx.xxx Connected
- web server type detect - Server: Microsoft-IIS/3.0
- Probing NT/2000 WWW Vulnerabilities - Checking: Remote File create,IIS DoS(newdsn.exe) !!! FOUND !!! Checking: IIS (showcode.asp) Hole !!! FOUND !!! Checking: RDS Securty Hole(msadcs.dll) !!! FOUND !!! Checking: Caucho Resin file read(readme.txt) NOT
と、ISSのInternet Scannerとは言わないまでも、脆弱点と解決策も示してくれる。no advertisinge
Don't tell your web server free against black hats- twwwscan v1.2 report made by pilot http://search.iland.co.kr host: 10.xx.xxx.xxx
port: 80
Server: Microsoft-IIS/3.0
if the webserver is apache,remove unnecessary informationRemote File create,IIS DoS(newdsn.exe)
/scripts/tools/newdsn.exe
CVE-1999-0191
solution:delete this fileIIS (showcode.asp) Hole
/msadc/Samples/SELECTOR/showcode.asp
solution:delete this file or ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/RDS Securty Hole(msadcs.dll)
/msadc/msadcs.dll
important patch
CVE-1999-1011
solution:MS99-025.asp
protect your NT/2000 webserver
NT Bugtraq - Read FAQ
IIS 4.0 Buffer Overrun Hot Fix
IIS 4.0 Hotfixes
IIS 5.0 Hotfixes
Microsoft TechNet Security(Windows NT/2000 Patch MainSite)
Microsoft Security Tools and IIS 4/5 Security CheckList Read
Windows IT Security(formerly NTSecurity.net)
- N-Stealth(URL:N-Stealth HTTP Security Scanner)
こっちは、かなり本格的。フリーバージョンもあるが、攻撃データベースを更新する場合は有料となる。
フリーの状態でも、24186点のチェックを行う。膨大な量のログがWWWサーバ側に残る。攻撃していることと同じなので、場合によってはWWWサーバ側が落ちてしまうかもしれない。
- Comon Exploit Test-Module
- Unicode Test-Module
- CGI Decode Test-Module
- WinCGI Test-Module
- File Parsing Test-Module
- Domino Test-Module
- Common CGI Test-Module
- Common CGI Test-Module 2
- Cold Fusion Test-Module
- Cisco Test-Module
- IIS Test-Module
- FrontPage Test-Module
- Common File/Directory Exploit Test-Module
- Common HTTP Test-Module
- PHP Test-Module
- ASP Test-Module
- Password File Exploit-Module
- Password File Exploit-Module R1
- Password File Exploit-Module R2
- Password File Exploit-Module WR
- Password File Exploit-Module NC
- Stealth User-Module
ServerTokens Prod ServerSignature Off
- インターネット サービス マネージャを起動する。
- 最大接続数の数値を調整する。
- このままだと最大接続数を超えた場合、下記のエラーが返されてしまう。→カッコが悪い!!
- 標準のエラーから、カスタマイズしたメッセージに入れ替える。
403;9のエントリを選択し、プロパティの編集ボタンをクリックする。
参照ボタンをクリックし、用意したHTMLファイルやASPファイルを指定する。
- mod_limitipconnのコンパイルとインストール
[root@server mod_limitipconn-0.04]# ls ChangeLog Makefile README apachesrc.diff mod_limitipconn.c [root@server mod_limitipconn-0.04]# make all apxs -c mod_limitipconn.c gcc -DLINUX=22 -DEAPI -DEAPI_MM -O2 -march=i386 -mcpu=i686 -fPIC -DEAPI_MM_CORE_PATH=/var/run/ht tpd.mm -fpic -DSHARED_MODULE -I/usr/include/apache -c mod_limitipconn.c gcc -shared -o mod_limitipconn.so mod_limitipconn.o [root@server mod_limitipconn-0.04]# make install [activating module `limitipconn' in /etc/httpd/conf/httpd.conf] cp mod_limitipconn.so /usr/lib/apache/mod_limitipconn.so chmod 755 /usr/lib/apache/mod_limitipconn.so cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak cp /etc/httpd/conf/httpd.conf.new /etc/httpd/conf/httpd.conf rm /etc/httpd/conf/httpd.conf.new
- /etc/httpd/conf/httpd.confの書き換え
OnlyIPLimit、NoIPLimitの引数にはmimeタイプを記述する必要があるので、/etc/mime-typesなどを参考にすると良い。
LoadModule status_module modules/mod_status.so LoadModule limitipconn_module /usr/lib/apache/mod_limitipconn.so AddModule mod_status.c AddModule mod_limitipconn.c # # ExtendedStatus controls whether Apache will generate "full" status # information (ExtendedStatus On) or just basic information (ExtendedStatus # Off) when the "server-status" handler is called. The default is Off. # ExtendedStatus On # Only needed if the module is compiled as a DSO <IfModule mod_limitipconn.c> <Location /> MaxConnPerIP 1 OnlyIPLimit text/* </Location> <Location /Diary> MaxConnPerIP 1 OnlyIPLimit image/bmp </Location> <Location /tips> MaxConnPerIP 1 OnlyIPLimit image/png </Location> </IfModule> - 書き換え前に動作確認。
/tips/tips-www.htmにアクセスしてみる。10.xx.xxx.xxx - - [13/May/2003:18:34:29 +0900] "GET /tips/new.gif HTTP/1.1" 200 333 "http://server.some.where.jp/tips/tips.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:35:32 +0900] "GET /tips/tips-www.htm HTTP/1.1" 200 36736 "http://server.some.where.jp/tips/tips.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; WindowsNT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:35:32 +0900] "GET /tips/Custom-Error.png HTTP/1.1" 200 9423 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:35:32 +0900] "GET /tips/Error-Map.png HTTP/1.1" 200 4646 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:35:32 +0900] "GET /tips/403-9-Error.png HTTP/1.1" 200 14273 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:35:32 +0900] "GET /tips/IIS-Connection-Limit.png HTTP/1.1" 200 9088 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]"
- httpd.confの再読込
[root@server conf]# service httpd reload httpdを再読み込み中: [ OK ]
- 設定を反映して、動作確認。
/tips/tips-www.htmにアクセスしてみる。10.xx.xxx.xxx - - [13/May/2003:18:36:11 +0900] "GET /tips/tips-www.htm HTTP/1.1" 200 36736 "http://server.some.where.jp/tips/tips.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; WindowsNT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:36:11 +0900] "GET /tips/tips.gif HTTP/1.1" 304 - "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:36:12 +0900] "GET /tips/IIS-Connection-Limit.png HTTP/1.1" 503 328 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:36:12 +0900] "GET /tips/403-9-Error.png HTTP/1.1" 503 328 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:36:12 +0900] "GET /tips/Custom-Error.png HTTP/1.1" 503 328 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]" 10.xx.xxx.xxx - - [13/May/2003:18:36:12 +0900] "GET /tips/Error-Map.png HTTP/1.1" 503 328 "http://server.some.where.jp/tips/tips-www.htm" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]"
エラーコード 503(Service Unavailable)を返していることがわかる。
試しに大きなbmpファイルを用意して同時にアクセスしてみると、
とブラウザに503エラーが返る。Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
/var/log/httpd/access_logには、
10.xx.xxx.xxx - - [13/May/2003:20:09:53 +0900] "GET /Diary/opera.bmp? HTTP/1.1" 503 328 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.03 [ja]"
/var/log/httpd/error_logには、
[Tue May 13 20:09:53 2003] [error] access to /Diary/test.bmp failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit.
カスタムエラーを定義して、503のときのエラーメッセージを表示するとよいだろう。
ErrorDocument 503 /error/503.shtml
- まとめ
接続時間が長くなる重たいコンテンツ(images/*、audio/*、video/*)に対する同一IPアドレスからのアクセス制限には有効。
cgiやhtmlなどのtextコンテンツに大量のアクセスがある場合はコネクションを張っている時間が短いが、 text/* への制限をしてやるとよい。この意味で、DoS攻撃にも有効であると言える。(503エラーのレスポンスを返すだけなので転送量が少ない→負荷が少ない)
ただし、IPアドレスあたり少数のコネクションが、多数のIPアドレスからあった場合(DDoS攻撃など)は、mod_limitipconnのポリシーをすり抜けてしまうことになる。
上記httpd.confの設定で、負荷ツールで負荷かけた状態にしてテキストコンテンツを参照しようとしたら、503エラーが発生した。
10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862" 10.xx.xxx.xxx - - [13/May/2003:21:02:20 +0900] "GET /Diary/Diary.html HTTP/1.1" 503 328 "-" "Microsoft URL Control - 6.00.8862"
[Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit. [Tue May 13 21:02:20 2003] [error] access to /Diary/Diary.html failed for 10.xx.xxx.xxx, reason: Client exceeded connection limit.
Locationが、/の場合、すべてのコンテンツにマッチしてしまうので、/cgi-binだけ制限したい場合は、Location /cgi-binにする必要がある。
注意点としては、接続元のIPアドレスからの接続数でカウントするようになっているため、Proxyサーバ経由の場合、デフォルトではProxyサーバ単位の制限になる。 コンパイル時に -DRECORD_FORWARDするとX-FORWARDED-FORを見てクライアントのローカルIPを見るようになる。
クライアント側がローカルアドレスの可能性があり、重複する可能性がある(wため、 *.cgi、*.pl、*.phpなどサーバ処理を制限するのは望ましくないと思われる。この場合は、デフォルトのままProxyサーバ単位での制限がよいだろう。