Riding a dead .htaccess horse: (Dynamic IP Blacklist?)
01-08-2009, 03:18 PM
Name: John
Location: Sacramento
In an effort to limit the damage done by exploit scanning, how effective would something like this be? Comments? Suggestions?

The Idea:

Dynamically blacklist the IP of any bot/spammer/etc. upon the first bad call/request, thereby reducing the effect of subsequent requests. Obviously this is not a solution, more of an attempt to plug an artery with a band-aid.

The Attempt:

Use .htaccess to redirect intentionally bad requests to a PHP script that appends the .htaccess with Deny from IP lines.

The Implementation:

Given the awesome feedback from some of my other posts, I used .htaccess files located in specific subfolders to do the redirecting (hopefully reducing the overall effect on legit traffic). I then used the PHP file to append to the root .htaccess file, thereby blocking all traffic from the originating/spoofed IP.

The .htaccess file:

Code:
# --------------------------------------------------------- Enable RewriteEngine
RewriteEngine on

# --------------------------------------------------------- Query String Exploit Blocking
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ oops.php [L]

# --------------------------------------------------------- Common PHP Exploit Blocking
RewriteCond %{REQUEST_URI} ^.*abc\.php [OR]
RewriteCond %{REQUEST_URI} ^.*adxmlrpc\.php [OR]
RewriteCond %{REQUEST_URI} ^.*anp\.php [OR]
RewriteCond %{REQUEST_URI} ^.*awstats\.pl [OR]
RewriteCond %{REQUEST_URI} ^.*azenv\.php [OR]
RewriteCond %{REQUEST_URI} ^.*footer\.tpl [OR]
RewriteCond %{REQUEST_URI} ^.*graph_image\.php [OR]
RewriteCond %{REQUEST_URI} ^.*home\.php [OR]
RewriteCond %{REQUEST_URI} ^.*html2text\.php [OR]
RewriteCond %{REQUEST_URI} ^.*localconf\.php [OR]
RewriteCond %{REQUEST_URI} ^.*login_page\.php [OR]
RewriteCond %{REQUEST_URI} ^.*main\.php [OR]
RewriteCond %{REQUEST_URI} ^.*messagesL\.php3 [OR]
RewriteCond %{REQUEST_URI} ^.*msgimport.* [OR]
RewriteCond %{REQUEST_URI} ^.*nonexistentfile\.php [OR]
RewriteCond %{REQUEST_URI} ^.*nonexisten****.* [OR]
RewriteCond %{REQUEST_URI} ^.*prx1\.php [OR]
RewriteCond %{REQUEST_URI} ^.*README.* [OR]
RewriteCond %{REQUEST_URI} ^.*soapCaller\.bs [OR]
RewriteCond %{REQUEST_URI} ^.*textenv\.pl [OR]
RewriteCond %{REQUEST_URI} ^.*twiki.* [OR]
RewriteCond %{REQUEST_URI} ^.*typo3conf.* [OR]
RewriteCond %{REQUEST_URI} ^.*xmlrpc\.php
#... and the list goes on
RewriteRule ^(.*)$ oops.php [L]

# --------------------------------------------------------- IP Blocking
Order Allow,Deny
Allow from all
Deny from 192.168.0.1

The PHP:

Code:
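<?php

  // Client address as seen by the web server; only a valid IP may reach .htaccess.
  $ip = $_SERVER['REMOTE_ADDR'];
  if (filter_var($ip, FILTER_VALIDATE_IP) === false) { exit; }

  // Hold an exclusive lock across the check and the append so concurrent
  // requests cannot interleave writes or add the same address twice.
  $inmate = 0;
  $filename = "./.htaccess";
  $fp = fopen($filename, 'a+');
  if ($fp === false || !flock($fp, LOCK_EX)) { exit; }
  rewind($fp);
  while (($line = fgets($fp)) !== false) {
    // Exact match on an existing "Deny from <ip>" line. The original passed the
    // first word of each line to ereg() as the pattern; ereg() is gone in PHP 7.
    $u = preg_split('/\s+/', trim($line));
    if (count($u) == 3 && $u[0] == 'Deny' && $u[1] == 'from' && $u[2] === $ip) {$inmate++;}
  }
  if ($inmate == 0)
    {
     // One directive per line; the leading newline covers a file with no trailing newline.
     $denyip = "\nDeny from ".$ip."\n";
     fwrite($fp, $denyip);
    }
  flock($fp, LOCK_UN);
  fclose($fp);

?>

Thanks again.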
Envision_frodo is offline
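
A dry run of the first-hit ban idea in the post above, as an added example that is not part of the original post: it replays the post's query-string rules and a subset of its REQUEST_URI rules against access-log lines and reports which IPs the first matching request would blacklist. The log lines, the Combined Log Format assumption and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Rules copied from the post's .htaccess (URI list is a subset of the original).
QUERY_RULES = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    (r"base64_encode.*\(.*\)", 0),
    (r"(\<|%3C).*script.*(\>|%3E)", re.I),  # [NC] in the original
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]
URI_RULES = [(r"^.*" + name, 0) for name in
             (r"awstats\.pl", r"home\.php", r"main\.php", r"README.*", r"xmlrpc\.php")]
# Assumed Combined Log Format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

# Constructed sample log using documentation IP ranges; not data from the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2009:15:02:11 -0800] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 210',
    '203.0.113.9 - - [08/Jan/2009:15:02:30 -0800] "GET /x.php?_REQUEST[a]=1 HTTP/1.1" 404 210',
    '198.51.100.23 - - [08/Jan/2009:15:03:40 -0800] "GET /shop/home.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [08/Jan/2009:15:03:41 -0800] "GET /shop/cart.php HTTP/1.1" 200 2048',
    '192.0.2.55 - - [08/Jan/2009:15:04:02 -0800] "GET /docs/README.txt HTTP/1.1" 200 900',
    '192.0.2.80 - - [08/Jan/2009:15:05:00 -0800] "GET /about.html HTTP/1.1" 200 700',
]

def first_hit_bans(log_lines):
    """Map each IP to the (target, rule, status) of its first banning request."""
    bans = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(1) in bans:
            continue  # unparsable line, or IP already blacklisted by an earlier hit
        ip, target, status = m.groups()
        path, _, query = target.partition("?")
        # mod_rewrite tests the raw query string and the URL-decoded path.
        for subject, rules in ((query, QUERY_RULES), (unquote(path), URI_RULES)):
            hit = next((r for r, f in rules if re.search(r, subject, f)), None)
            if hit:
                bans[ip] = (target, hit, status)
                break
    return bans

def likely_false_positives(bans):
    """Banned IPs whose triggering request was answered with 200 (a page the site serves)."""
    return sorted(ip for ip, (_, _, status) in bans.items() if status == "200")

if __name__ == "__main__":
    print(likely_false_positives(first_hit_bans(SAMPLE_LOG)))
```

A ban whose triggering request returned 200 means the rule matched a page the site actually serves, so that rule is worth reviewing against real traffic before the blacklist is switched on.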