Evading Webapp Vulnerability Scans

Most attackers aren't after your digital property or information stored on your server.  They're mostly after your server for its resources to send spam, host phishing sites or launch attacks against other servers.  So unless you're running a high profile site or have managed to anger a malcontent, your server likely isn't going to be the subject of a targeted attack.  Your server will, however, be scanned by automated scripts looking for known exploits in popular webapps (wordpress, joomla, drupal, etc).

These scans typically run across IP ranges and not valid hostnames.  When an incoming request contains no Host header, Apache will service the request using the default virtual host for that IP.  This would be either the first name-based virtual host defined for that IP in /etc/httpd/conf/httpd.conf or the first virtual host loaded for that IP in virtual hosts defined in /etc/apache2/sites-enabled/ (loaded in alphabetical order I believe).

A simple addition to your Apache configuration can help limit this security exposure by routing these requests to a bogus virtual host.  If /etc/httpd/conf/httpd.conf exists, go ahead and open that and add this to the top of the virtual hosts section:

<VirtualHost *:80>
notvalid.yourdomain.com
DocumentRoot /var/www/blank
</VirtualHost>

If /etc/httpd/conf/httpd.conf does not exist, create a new file with the above contents at /etc/apache2/sites-available/000-afakeentry.conf then run:

ln -s /etc/apache2/sites-available/000-afakeentry.conf /etc/apache2/sites-enabled/

In addition to the changes above, you need to be sure that you have name based virtual hosts enabled.  You need the following directive uncommented in /etc/httpd/conf/httpd.conf or /etc/apache2/ports.conf:

NameVirtualHost *:80
or
NameVirtualHost yourip:80

Restart Apache after you've made those changes:

/etc/init.d/httpd restart
or
/etc/init.d/apache2 restart

You should notice that requests to your IP now no longer display your site.  http://1.2.3.4/  That's no reason to not keep on top of applying security updates to your webapps, but it can help keep you out of harms way for most automated attacks.  :)

This entry was posted in Security and tagged , , , , . Bookmark the permalink.

Comments are closed.