mod_rewrite Rules To Stop Worms & Web Attacks

A reader submits rules to have Apache stop most attacks against web servers.

Thanks to Jonas Eckerman (http://www.truls.org/) for answering my request in a recent column for input rules for the Apache mod_rewrite module to make it work roughly like Microsoft's UrlScan. Eckerman isn't familiar with UrlScan, but says these rules "stop a majority of worms and attacks against web servers."

These rules cause Apache to return an HTTP 403 ("forbidden") response for URLs that match (for example "http://www.truls.org/testing/cmd.exe?whatever"). It's not perfect or complete, but it does stop a lot.

RewriteEngine On
RewriteOptions inherit
# RewriteLog is Apache 2.2 syntax; Apache 2.4 uses "LogLevel rewrite:trace3" instead.
RewriteLog logs/rewrite_log
# Each condition is tested against the decoded path plus "?" plus the query string,
# so a pattern anchored on "$" or "\?" catches the name whether or not a query follows.
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/winnt/system/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system32/(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/windows/system/(.*) [NC,OR]
# "($|\?)" replaces the original "[$|\?(.*)]", which was a character class rather than
# an alternation; the intent is "followed by end of string or a query string".
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/cmd\.exe($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/scripts/root\.exe($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadc/root\.exe($|\?) [NC,OR]
# A literal backslash followed by ".." (directory traversal with Windows separators).
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\\\.\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/admin\.dll($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/msadcs\.dll($|\?) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/ext\.dll($|\?) [NC,OR]
# Any dot-file or dot-directory in the path (e.g. .htaccess).
RewriteCond %{REQUEST_URI} (.*)/\.(.*) [NC,OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)/php\.exe($|\?) [NC,OR]
# Shell and HTML metacharacters anywhere in path or query.
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\<(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\>(.*) [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} (.*)\|(.*) [OR]
# Over-long path or query string.
RewriteCond %{REQUEST_URI} (.{255,}) [OR]
RewriteCond %{QUERY_STRING} (.{127,}) [OR]
# Control characters, DEL and 0xFF ("[\x7f|\xff]" in the original also matched a literal "|",
# which the rule above already covers).
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x00-\x1f]+ [OR]
RewriteCond %{REQUEST_URI}?%{QUERY_STRING} [\x7f\xff]+
# With the [F] flag the substitution is ignored and a 403 is returned, so "-" is used
# here instead of the original "http://monty.frukt.org/error/filtered.html" target.
RewriteRule .* - [F]
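To weigh these rules against real traffic before deploying them, the following added Python simulator (not part of the article or of Eckerman's rules) replays the condition chain over sample requests; it assumes the path and query string are passed in already URL-decoded, as Apache hands them to mod_rewrite, and transcribes the patterns from the block above.

```python
import re

# RewriteCond patterns transcribed from the rules above. Subject "both" is
# %{REQUEST_URI}?%{QUERY_STRING}; "uri" and "qs" are the two parts alone.
# The boolean mirrors the [NC] (case-insensitive) flag on each condition.
RULES = [
    ("both", r"/winnt/system32/", True),
    ("both", r"/winnt/system/", True),
    ("both", r"/windows/system32/", True),
    ("both", r"/windows/system/", True),
    ("both", r"/cmd\.exe($|\?)", True),
    ("both", r"/scripts/root\.exe($|\?)", True),
    ("both", r"/msadc/root\.exe($|\?)", True),
    ("both", r"\\\.\.", True),            # backslash followed by ".."
    ("both", r"/admin\.dll($|\?)", True),
    ("both", r"/msadcs\.dll($|\?)", True),
    ("both", r"/ext\.dll($|\?)", True),
    ("uri", r"/\.", True),                # any dot-file or dot-directory
    ("both", r"/php\.exe($|\?)", True),
    ("both", r"<", False),
    ("both", r">", False),
    ("both", r"\|", False),
    ("uri", r".{255,}", False),           # over-long path
    ("qs", r".{127,}", False),            # over-long query string
    ("both", r"[\x00-\x1f]", False),      # control characters
    ("both", r"[\x7f\xff]", False),       # DEL and 0xFF
]


def matching_rules(request_uri, query_string=""):
    """Return the patterns that fire for an already-decoded path and query."""
    subjects = {"both": f"{request_uri}?{query_string}",
                "uri": request_uri, "qs": query_string}
    hits = []
    for subject, pattern, nocase in RULES:
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, subjects[subject], flags):
            hits.append(pattern)
    return hits


def is_blocked(request_uri, query_string=""):
    """True when the rule set would answer 403 (the conditions are OR-ed)."""
    return bool(matching_rules(request_uri, query_string))
```

Feeding access-log paths through `matching_rules` shows which condition fired; the `<`, `>` and `|` rules in particular will reject legitimate queries such as `q=a<b`, so check your own application's URLs for such false positives.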