SNARE: the simple security trip wire for Apache web server

ABOUT

One day, after installing Apache on a server that was "unlisted", I noticed a series of entries in the access_log with suspicious-looking URLs like /~root and /piranha/secure/passwd.php3.

I immediately recognized that these URLs were probably common targets for the various HTTP vulnerability scanners that roam the net. Script kiddie or not, I would just as soon take preventive action against these jokers, and that is where the idea of a snare came from. By making some relatively simple changes to your server configuration (httpd.conf) you can catch these people in the act and cut them off or report them (many address-block administrators publish abuse-reporting addresses you can use).

FILES

Download the tarball version 1.2.1 released on March 5, 2003.
snare.cgi
This is the CGI script that Apache runs in place of the URL the scanner is probing for. It e-mails you the environment variables of the request so that you can see what is going on. I suggest you put it in <SERVERROOT>/cgi-bin/snare.cgi and adjust the ScriptAlias paths in snare.conf to match that location (see the next paragraph).
snare.conf
Place this file in your <SERVERROOT>/conf directory and add this line to your httpd.conf:
	Include conf/snare.conf

You will want to adjust the paths in snare.conf to match where you placed snare.cgi.

Now you can try it out. Use the web browser of your choice to request http://localhost/piranha/secure/passwd.php3
You should receive an email shortly. If you don't, check the mail log on your web server to see what happened to the message. Also check that /usr/sbin/sendmail exists, since that path is hard-coded into snare.cgi, and that snare.cgi is executable by the user Apache runs as.
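Here is what a snare.conf wiring the two probe URLs mentioned above to the CGI looks like. This is an added example, not the file shipped in the tarball; it assumes the /usr/local/apache ServerRoot that the defaults use and snare.cgi placed in the cgi-bin directory under it.

```apache
# conf/snare.conf: every probe URL a scanner asks for is answered by the trip-wire CGI.
# Assumes ServerRoot /usr/local/apache and snare.cgi in its cgi-bin directory.
ScriptAlias /piranha/secure/passwd.php3 /usr/local/apache/cgi-bin/snare.cgi
ScriptAlias /~root                      /usr/local/apache/cgi-bin/snare.cgi

# Only needed if httpd.conf does not already permit access to cgi-bin.
<Directory "/usr/local/apache/cgi-bin">
    # Apache 2.4:
    Require all granted
    # Apache 1.3 / 2.2 instead:
    #   Order allow,deny
    #   Allow from all
</Directory>
```

ScriptAlias matches on the URL prefix, so /~root/anything trips the snare as well. Add one ScriptAlias line per probe URL you see in your access_log, restart Apache, and test with a HEAD request as in the example below (curl -sI http://localhost/piranha/secure/passwd.php3).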

EXAMPLE

Here is an example of the email generated by snare.cgi. It is addressed to the ServerAdmin defined in the Apache configuration file; change the $TO variable in snare.cgi if you want the message to go to someone else.

From: snare@localhost
To: undisclosed-recipients
Date: Sat, 10 Nov 2001 20:55:04 -0800 (PST)
Delivered-To: webmaster@foster.cc

Cracker infilitration attempt detected! Environment details follow.
  
DOCUMENT_ROOT="/usr/local/apache/htdocs"
GATEWAY_INTERFACE="CGI/1.1"
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
QUERY_STRING=""
REMOTE_ADDR="217.80.180.163"
REMOTE_PORT="64475"
REQUEST_METHOD="HEAD"
REQUEST_URI="/piranha/secure/passwd.php3"
SCRIPT_FILENAME="/www/construct/snare.cgi"
SCRIPT_NAME="/piranha/secure/passwd.php3"
SERVER_ADDR="111.222.111.222"
SERVER_ADMIN="webmaster@foster.cc"
SERVER_NAME="changed to protect the innocent"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.0"
SERVER_SIGNATURE=""
SERVER_SOFTWARE="Apache/1.3.20 (Unix)"

From this you can decide whether to block REMOTE_ADDR (217.80.180.163 in this case) at your firewall or router, report it to the abuse contact for that address block, or take whatever other action you consider appropriate.
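The following is a trip-wire CGI written in Python that produces a report like the one above. It is an added example, not the Perl snare.cgi from the tarball: it keeps the behaviour the page describes (mail to ServerAdmin, the hard-coded /usr/sbin/sendmail path, ARIN/RIPE/APNIC lookup links, closing STDOUT before mailing, exiting if the sendmail pipe fails) and adds one thing the page does not discuss, which a practitioner should care about: everything in the CGI environment except the addresses Apache itself derives is attacker-controlled, so it is kept out of the mail headers and stripped of control characters before it reaches sendmail. The registry URLs, the 404 answer to the scanner, and the sample environment are assumptions of mine.

```python
#!/usr/bin/env python3
"""Trip-wire CGI in the spirit of snare.cgi (added example, not the original script).

Apache runs it for probe URLs mapped with ScriptAlias; it mails the request's
CGI environment to the ServerAdmin address and gives the scanner a bare 404.
"""
import os
import subprocess
import sys

SENDMAIL = "/usr/sbin/sendmail"      # hard-coded path, as in the original snare.cgi
SENDER = "snare@localhost"
FALLBACK_TO = "root"                  # used when SERVER_ADMIN is unset or unusable

# Registry lookup URLs for the source address (assumed; the page only names the registries).
WHOIS_LOOKUPS = (
    ("ARIN", "https://search.arin.net/rdap/?query={ip}"),
    ("RIPE", "https://apps.db.ripe.net/db-web-ui/query?searchtext={ip}"),
    ("APNIC", "https://wq.apnic.net/apnic-bin/whois.pl?searchtext={ip}"),
)

# Constructed sample environment, modelled on the page's example email, so the
# report builder can be exercised without a web server.
SAMPLE_ENVIRON = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REMOTE_ADDR": "217.80.180.163",
    "REMOTE_PORT": "64475",
    "REQUEST_METHOD": "HEAD",
    "REQUEST_URI": "/piranha/secure/passwd.php3",
    "SCRIPT_NAME": "/piranha/secure/passwd.php3",
    "SERVER_ADMIN": "webmaster@foster.cc",
    "SERVER_PROTOCOL": "HTTP/1.0",
    "HTTP_USER_AGENT": "scanner/1.0\r\nBcc: someone@example.net",  # header-injection attempt
}


def sanitize(value):
    """Replace control characters: request data is attacker-controlled and must not
    be able to add mail headers or end the message body early."""
    return "".join(ch if ch.isprintable() else "?" for ch in value)


def recipient(environ):
    """Take the address from Apache's ServerAdmin (exported as SERVER_ADMIN), as
    snare 1.1+ does; fall back to a local user if it is missing or looks like an option."""
    admin = environ.get("SERVER_ADMIN", "")
    if "@" in admin and not admin.startswith("-") and admin == sanitize(admin):
        return admin
    return FALLBACK_TO


def build_report(environ):
    """Render the CGI environment as NAME="value" lines plus registry lookup links."""
    ip = environ.get("REMOTE_ADDR", "unknown")
    lines = ["Cracker infiltration attempt detected! Environment details follow.", ""]
    for name in sorted(environ):
        if name.isupper():           # CGI meta-variables and HTTP_* headers only
            lines.append('%s="%s"' % (name, sanitize(environ[name])))
    lines += ["", "Look up the source address:"]
    for registry, url in WHOIS_LOOKUPS:
        lines.append("  %s: %s" % (registry, url.format(ip=sanitize(ip))))
    return "\n".join(lines) + "\n"


def build_message(environ):
    """Return (recipient, complete mail message). Only fixed or server-derived values
    go into the headers; everything attacker-controlled is confined to the body."""
    to = recipient(environ)
    headers = [
        "From: %s" % SENDER,
        "To: %s" % to,
        "Subject: snare tripped by %s" % sanitize(environ.get("REMOTE_ADDR", "unknown")),
    ]
    return to, "\n".join(headers) + "\n\n" + build_report(environ)


def deliver(to, message):
    """Pipe the message to sendmail; -i keeps a lone '.' line from ending the input.
    Exit non-zero if sendmail is missing or fails, as snare 1.2.1 does."""
    try:
        subprocess.run([SENDMAIL, "-i", to], input=message.encode("utf-8"),
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        sys.exit("snare: cannot deliver via %s: %s" % (SENDMAIL, exc))


def main():
    if "GATEWAY_INTERFACE" not in os.environ:
        # Not under a web server: show what would be mailed for the sample request.
        sys.stdout.write(build_message(SAMPLE_ENVIRON)[1])
        return
    # Give the scanner nothing useful, then close fd 1 so the sendmail child cannot
    # inherit the client connection and no later output can reach the requester.
    sys.stdout.write("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n")
    sys.stdout.flush()
    os.close(sys.stdout.fileno())
    to, message = build_message(dict(os.environ))
    deliver(to, message)


if __name__ == "__main__":
    main()
```

Run it from a shell to see the report for the constructed sample request; installed under a ScriptAlias it mails the live environment instead. The recipient is passed to sendmail as an argument rather than parsed from the headers with -t, so a forged To: or Bcc: line in a request header can never redirect the report.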

CHANGES

Version 1.2.1 dies (exits with an error) if the pipe to the sendmail command cannot be opened or written.

Version 1.2 fixes some wonky paths that were set up in snare.conf by changing them to reasonable defaults (/usr/local/apache).

Version 1.1 automatically determines the email recipient from the Apache server's ServerAdmin setting. It also prints out URL links to ARIN, RIPE and APNIC to ease further investigation, and it closes STDOUT before sending the mail so that nothing from the mail step can leak back to the requester.

$Id: index.html,v 1.2 2003/03/07 20:10:57 mdf Exp $