HTTP Vulnerability Scan Protection

• HTTP Protection Overview
• How to enable HTTP protection

Protection Overview

RdpGuard protects your HTTP server from vulnerability scan attempts. It monitors web server logs to find requests that may indicate vulnerability scan attempts and temporarily blocks source IP addresses if the number of requests reaches a set limit.

To enable and configure HTTP protection

1. Start RdpGuard Dashboard and click the link next to HTTP

HTTP Protection Link in RdpGuard Dashboard

The HTTP Protection Settings dialog will open:

HTTP Detection Engine Settings

IIS log directores

You may specify one or multiple IIS log directories for monitoring. IIS logs are usually located in C:\inetpub\logs\LogFiles

Select IIS log directories for monitoring

Detection Rules

Detection rules are set of key-value pairs with wildcards support. Each rule must start from the new line.

For example:

key[equality-operator]value,key[equality-operator]value
key[equality-operator]value,key[equality-operator]value
			

Supported equality operators are: = (equals) and != (not equals)

For example:

key1=value1, key2!=value2
key3=value3, key2=value4
key4=*value5
			

If log line details match any of the rules, the log line considered as scan attempt and source IP address is reported to RdpGuard Core, i.e. the Logical OR applies to the rules

Rule may contain any number of conditions separated by comma, the line matches the rule if all conditions are match, i.e. the Logical AND applies to rule conditions.

So, the example above will be interpreted as - treat log line as scan attempt if (key1 equals value1 and key2 not equals value2) OR (key3 equals value3 and key2 equals value4) OR (key4 ends with value5)

Supported keys are:

• Method
• Uri
• Query
• UserName
• UserAgent
• Referer
• Status

Threshold

You may also apply the Threshold condition to the rule. This optional condition can be useful if you do not want to treat each rule match as scan attempt.

For example rule based on the HTTP Status code - this rule can be used to detect most of the scan attempts, because all they usually result to log entries with HTTP 404 status code.

But it might be not wise to threat each 404 hit as scan attempt (regular visitors may just misprint the page address or follow the obsolete link, if they do this 3 times they will be blocked, this is probably not what you want.

But repeating 404 requests may indicate vulnerability scan, so we may configure the engine to threat each ten 404 requests as one scan attempt and this is what the Threshold variable for.

For this reason we may omit the Threshold condition for Uri based rules, for example if someone is trying to open the /wp-login.php page (and we know that our website is not Wordpress based, so there is no such a page) this is most likely the scan attempt, so HTTP engine should report it immediately to RdpGuard Core.

Sample Rules

You may use the following example as a reference:

Status=404,Threshold=15

Uri=*/.aws*
Uri=*/.env*
Uri=*/.git*
Uri=*/.hg/*
Uri=*/.svn*
Uri=*/.vscode*

Uri=/*.bz2
Uri=/*.tar.gz
Uri=/*.tgz
Uri=/*.7z
Uri=/*.zip, Uri!=/download/*
Uri=/*.rar

Uri=*/wp-content/*
Uri=*/wp-admin/*
Uri=*/wp-includes/*
Uri=*/wp-json/*
Uri=*/wp-config*
Uri=*/wp-login.php*

Uri=*/admin*
Uri=*/cgi-bin*
Uri=*/phpmyadmin*
Uri=*/webadmin*
Uri=*/wordpress*
Uri=*/plus/*
Uri=*/passwd*
Uri=*/uploads/*
Uri=*/phpunit/*

Uri=*webshell*

Uri=*login.php*
Uri=/info.php
Uri=/user.php
Uri=/type.php
Uri=*guestbook.php*
Uri=*xmlrpc.php*
Uri=*ofc_upload_image.php*

Uri=*ajax.js*
Uri=*login.action*

RdpGuard protects:

• Remote Desktop
• MS-SQL Server
• FTP Protocol
• HTTP Protocol
• IMAP Protocol
• POP3 Protocol
• SMTP Protocol
• IIS Web Login
• MySQL Server
• ASP.NET Forms
• RD Web Access
• VoIP (SIP Protocol)
• SSH Protocol
• MS VPN (RRAS)

RdpGuard

 

People like RdpGuard!