Name
HTTPBAN.SYS -- Blocks Malicious HTTP Requests (Optional).
Description
XRPi's HTTP server doesn't suffer from the usual Windows
vulnerabilities, so malicious HTTP requests designed to
exploit them are just a bandwidth-wasting nuisance
rather than a real threat. You can frustrate the hackers
by deploying this optional file.
The HTTPBAN.SYS file contains "signatures" or "templates"
of typical malicious request URLs. For example a request
for "default.ida" is part of a Code Red Worm attack, whilst
requests for "cmd.exe" are an attempt to locate vulnerable
Windows servers.
Each template is specified on a separate line, can be up
to 127 characters long, and must start in the leftmost
column. The templates are compared in a sliding match with
each requested URL.
If any part of the first 256 bytes of the URL matches a
template, the sender's IP address is entered into a ban
list and all further IP datagrams from that host are
ignored until XRPi is restarted.
Up to 200 hosts can be banned simultaneously.
Options
The file may contain comments, which must begin with
'#' or ';' in the left-most column.
If a template is preceded by the word ANYCASE, a case
independent match is performed, otherwise the match is
case-sensitive. There must be one or more spaces between
the word ANYCASE and the template.
Examples
default.ida
ANYCASE cmd.exe
/contac.php
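The parsing and matching rules above, as an added example that is not XRPi's own code: a Python model of how an HTTPBAN.SYS file is read (comments, ANYCASE, one template per line) and how each request URL is checked with a sliding match over its first 256 bytes, using the three templates shown. How an over-long template and a full ban list are handled is assumed here, since the text does not say.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_TEMPLATE_LEN = 127   # longest template allowed per the description
URL_WINDOW = 256         # only the first 256 bytes of a URL are compared
MAX_BANNED = 200         # ban-list capacity

@dataclass(frozen=True)
class Template:
    pattern: str
    anycase: bool

def parse_httpban(text: str) -> list:
    """Parse HTTPBAN.SYS contents: one template per line, starting in column 1."""
    templates = []
    for line in text.splitlines():
        if not line or line[0] in "#;":      # blank line, or comment in leftmost column
            continue
        anycase = line.startswith("ANYCASE ")
        # One or more spaces separate the word ANYCASE from the template.
        pattern = line[len("ANYCASE"):].lstrip(" ") if anycase else line
        if not pattern:
            continue
        if len(pattern) > MAX_TEMPLATE_LEN:  # assumption: over-long templates are rejected
            raise ValueError("template longer than %d chars" % MAX_TEMPLATE_LEN)
        templates.append(Template(pattern, anycase))
    return templates

def matches(tpl: Template, url: str) -> bool:
    """Sliding match: the template may appear anywhere within the URL window."""
    window = url[:URL_WINDOW]
    if tpl.anycase:
        return tpl.pattern.lower() in window.lower()
    return tpl.pattern in window               # default is case-sensitive

@dataclass
class BanList:
    templates: list
    banned: set = field(default_factory=set)   # held in memory until restart

    def is_banned(self, ip: str) -> bool:
        return ip in self.banned

    def check(self, ip: str, url: str) -> Optional[Template]:
        """Return the first matching template (banning the sender) or None."""
        for tpl in self.templates:
            if matches(tpl, url):
                if len(self.banned) < MAX_BANNED:   # assumption: new bans dropped when full
                    self.banned.add(ip)
                return tpl
        return None

# Constructed sample file: the page's three example templates plus a comment line.
SAMPLE = "# worm and scanner signatures\ndefault.ida\nANYCASE cmd.exe\n/contac.php\n"
```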
Files
If required, HTTPBAN.SYS must be located in the same
directory as XRPi.EXE.
Notes
Auto-banning malicious hosts might arouse more interest in your system! The attackers could change IP address and try again.
But experience so far has been that the robots simply move on to find an easier target. They are scanning to find popular software with known vulnerabilities.
If you DON'T block them, your IP tends to get shared amongst the robots, multiplying the number of attacks.
See also
HTTP.ACL(8) -- Egress Control for HTTP Proxy / Tunnel
HTTP.SYS(8) -- HTTP Rewrite / Proxy rules