Httpd – How to block all HEAD requests to urls that contain a substring on Apache

apache-2.4Apache2blockhttpdhttpd.conf

A server I administer is being pounded with a poorly coded AWS-built bot that switches IPs constantly and appears to be stuck in a recursive encoding loop. The only consistent fingerprint I can see is that each request is only a HEAD request and each request appears to re-encode the previous one. So http://someurl.com/?foo=%25bar becomes ..%2525.. becomes ..%252525.. … %2525252525252525...x1000.

Here's an example of the types of requests I see:

HEAD http://example.com/?foo=%25bar
HEAD http://example.com/?foo=%2525bar
HEAD http://example.com/?foo=%252525bar
HEAD http://example.com/?foo=%25252525bar
HEAD http://example.com/?foo=%2525252525bar
HEAD http://example.com/?foo=%2525252525...25bar (x1000)

So far I've been using Cloudflare firewalls to block each IP, but they keep switching IPs.

How can I simply block all HEAD requests containing a substring (say %25252525)?

I'm running Apache/2.4.6 (CentOS).

Best Answer

How about using mod_rewrite in your .htaccess?

<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} HEAD
    RewriteCond %{QUERY_STRING} 25252525
    RewriteRule .* - [F,L]
</IfModule>

That will block all HEAD requests with a query string containing "25252525". Obviously you can tune this more as you see fit!

Related Solutions

Modsecurity: Whitelist requests, Block all else

The approach you want can be done with ModSecurity. However if your application is 100% secure then you've no real need of a WAF like ModSecurity (why bother whitelisting the POST requests you want to allow in ModSecurity when you can just do this in the application?).

Generic ModSecurity rulesets like the OWASP rule set are designed to pick up generic threats rather than block or allow specific access to your URLs. They will not be designed for your application and specific setup. Specific rules can be added on top of them. Saying that there is still a lot of value in generic rulesets in that they have a lot of cumulative knowledge in them. You say your requests are "properly escaped" but that's not as easy a task as that simple statement makes out. There are various ways of getting around escaping (URL encoding, back slashing, double back slashing...etc), and each is different depending on all the pieces in your environment. The SQL injection checks in the OWASP rulesets for the example, have been built up over years and refined by the community around it. Also just because you have good escape checks on SOME area of the app doesn't mean that developers have remembered to do that for EVERY parameter/field. Or that the web or app server doesn't have some vulnerability before it even reaches your app.

Generally ModSecurity is an extra layer of protection for the fact that web servers kind of have to be open by their very nature. You cannot whitelist only good requests while blacklisting bad ones easily because of the open and differing nature of the web and how two similar requests (whether good or bad) can look completely different depending on who is sending them. You pretty much have to allow HTTP/HTTPS connections, you have to allow arguments like parameters and cookies, you have to allow GET requests though could restrict POST requests to specific URLs as you say.

ModSecurity allows you to have generic checks, allows you to have specific checks (though my personal preference would be to put those in the web app as much as possible unless a lot easier to implement in ModSecurity), and also has the added advantage in allowing you to quickly implement new tests and checks as the situation changes (e.g. zero day vulnerabilities, specific attacks and errors your spot with logging) giving you time to do the proper patch/fix later.

Think if it refining the attack surface. The main firewall restricts to port 80/443, your webserver and ModSecurity further strip out "bad requests", the application then does it's checks and finally you get to do what the app was intended for.

Yes it ideally we'd only whitelist allowed requests but the reality is that that is easier said than done...

Httpd – Apache rewrite all URLs to lowercase if contains at least one uppercase

There are multiple ways you can do this:

In httpd.conf (not in a .htaccess file):

RewriteEngine on
RewriteBase /
RewriteMap lowercase int:tolower
RewriteCond $1 [A-Z]
RewriteRule ^/?(.*)$ /${lowercase:$1} [R=301,L]

Or in .htaccess (YMMV with performance) - note that the S=28 means to skip the following 28 rules (as per the Apache documentation):

RewriteEngine On
RewriteBase /

# If there are caps, set HASCAPS to true and skip next rule
RewriteRule [A-Z] - [E=HASCAPS:TRUE,S=1]

# Skip this entire section if no uppercase letters in requested URL
RewriteRule ![A-Z] - [S=28]

# Replace single occurance of CAP with cap, then process next Rule.
RewriteRule ^([^A]*)A(.*)$ $1a$2
RewriteRule ^([^B]*)B(.*)$ $1b$2
RewriteRule ^([^C]*)C(.*)$ $1c$2
RewriteRule ^([^D]*)D(.*)$ $1d$2
RewriteRule ^([^E]*)E(.*)$ $1e$2
RewriteRule ^([^F]*)F(.*)$ $1f$2
RewriteRule ^([^G]*)G(.*)$ $1g$2
RewriteRule ^([^H]*)H(.*)$ $1h$2
RewriteRule ^([^I]*)I(.*)$ $1i$2
RewriteRule ^([^J]*)J(.*)$ $1j$2
RewriteRule ^([^K]*)K(.*)$ $1k$2
RewriteRule ^([^L]*)L(.*)$ $1l$2
RewriteRule ^([^M]*)M(.*)$ $1m$2
RewriteRule ^([^N]*)N(.*)$ $1n$2
RewriteRule ^([^O]*)O(.*)$ $1o$2
RewriteRule ^([^P]*)P(.*)$ $1p$2
RewriteRule ^([^Q]*)Q(.*)$ $1q$2
RewriteRule ^([^R]*)R(.*)$ $1r$2
RewriteRule ^([^S]*)S(.*)$ $1s$2
RewriteRule ^([^T]*)T(.*)$ $1t$2
RewriteRule ^([^U]*)U(.*)$ $1u$2
RewriteRule ^([^V]*)V(.*)$ $1v$2
RewriteRule ^([^W]*)W(.*)$ $1w$2
RewriteRule ^([^X]*)X(.*)$ $1x$2
RewriteRule ^([^Y]*)Y(.*)$ $1y$2
RewriteRule ^([^Z]*)Z(.*)$ $1z$2

# If there are any uppercase letters, restart at very first RewriteRule in file.
RewriteRule [A-Z] - [N]

RewriteCond %{ENV:HASCAPS} TRUE
RewriteRule ^/?(.*) /$1 [R=301,L]

Or using mod_spelling (your configuration suggests you're using Windows so YMMV here also):

<IfModule mod_speling.c>
  CheckCaseOnly On
  CheckSpelling On
</IfModule>

Source: http://www.askapache.com/htaccess/rewrite-uppercase-lowercase.html

Best Answer

Related Solutions

Modsecurity: Whitelist requests, Block all else

Httpd – Apache rewrite all URLs to lowercase if contains at least one uppercase

Related Topic