Thursday, August 25, 2011

Preventing (Mitigating) Apache Vulnerability

In my last post, I discussed how to attack a vulnerable Apache server using the latest exploit. Well, some hard-working developers have put together a list of mitigation techniques to prevent (reduce) this attack. I do not claim credit for the information below; it is only a walk-through on applying the fixes to your server. I can, however, confirm that, in testing, it did appear to greatly reduce (actually prevent) the attack itself. Please be aware of what these options do before you make the changes. They are quick fixes and may have a negative effect on other aspects of your web server environment.

You can review the entire conversation thread here: http://web.archiveorange.com/archive/v/zvbaIDN8J7uv2lETRSfD. As I said, this is NOT my work; I am only providing an explanation for enacting the changes, as well as a demo that it works.

First, log into your Apache server (if it hasn't been killed yet) and open up your "httpd.conf" file in vi or another text editor. Append the following lines:

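# Drop the Range header when it lists more than 5 ranges
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# Cap the size of any single request header field at 200 bytes
LimitRequestFieldSize 200
# Drop the Range header on every request (disables range requests entirely)
RequestHeader unset Range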

*Note: please determine how these changes will affect your server and applications individually before applying them.

Save your httpd.conf file and restart the Apache service:

sudo service httpd restart 

Here is a screenshot of my test system after applying the changes. As you can see, the attack immediately fails:
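
To see ahead of time how the directives appended to httpd.conf treat a given Range header, the following added example (not from the original post or the linked thread) models them in Python. The helper name `evaluate`, its return strings and the sample headers are constructed for illustration, and the size check assumes LimitRequestFieldSize applies to the whole header line.

```python
import re

# Pattern copied from the SetEnvIf line: five or more commas in the
# Range value, i.e. a request for more than five ranges.
BAD_RANGE = re.compile(r"(,.*?){5,}")
FIELD_LIMIT = 200  # value given to LimitRequestFieldSize

def evaluate(range_value, unconditional_unset=True):
    """Model how the appended directives treat one Range header value.

    unconditional_unset=True models the config exactly as appended
    (including the bare "RequestHeader unset Range"); False models
    only the first three lines. Hypothetical helper, not Apache code.
    """
    header_line = "Range: " + range_value
    # Assumption: the limit applies to the whole header line, and an
    # oversized field makes Apache refuse the request outright.
    if len(header_line) > FIELD_LIMIT:
        return "rejected: field too long"
    if BAD_RANGE.search(range_value):
        return "stripped: bad-range"
    if unconditional_unset:
        return "stripped: unconditional"
    return "kept"

# Constructed sample headers (not captured traffic).
SAMPLES = {
    "single": "bytes=0-499",
    "three": "bytes=0-99,200-299,400-499",
    "six": "bytes=0-9,10-19,20-29,30-39,40-49,50-59",
    "thirty": "bytes=" + ",".join(f"{i}-{i + 9}" for i in range(0, 600, 20)),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:7} first three lines only: {evaluate(value, False)}")
        print(f"{name:7} all four lines:         {evaluate(value, True)}")
```

With all four lines in place, every Range header is removed, so clients that rely on resumable downloads or media seeking receive the full response instead of the requested part.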
