attacked by exploits
My web server (Jetty) is attacked with exploits aimed at IIS. I know that I should not be concerned about those attacks because I use Jetty, but the problem is that some attacks last for 15-30 min with a request interval of 1 sec.
How do you protect your servers from this?
thanks
The snippet from my log files.
203.219.164.10 - - [16/Jul/2004:10:28:57 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b %u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1137 "-" "-"
221.140.251.131 - - [16/Jul/2004:14:28:18 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:40 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:41 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:42 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:44 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:45 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:46 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:47 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
retep
07-21-2004, 07:47 AM
You can use iptables to block access to your server from certain IPs.
But your VPS is not vulnerable to these hacking attempts (since you're not running IIS, and not running Windows either). And moreover you can't predict who will try those URLs on your server next time.
So it's of concern that there are people out there trying to do this. But those URL requests you displayed aren't going to cause any harm.
Thanks for the reply, but I also wonder what the common practice is to solve this problem. Is it to block bad IPs with iptables, or maybe there is a better way?
What if a user wants to access my site from an infected system? He couldn't do this, as his IP is blocked. I suppose sites which have intensive traffic, like some advertisement ones, work around this problem some other way so as not to waste their visitors.
spader
09-08-2004, 12:32 PM
I guess the best way around it, if you don't want to impede anyone coming to your site, would be to use an IDS that looks at the URL being presented and accepts or discards it according to signature matches.
But to be honest, all I've been doing lately is dropping traffic with iptables. I'd rather not have them come to my site. If they have tried one exploit or if they are infected, what's to stop a different vulnerability being attempted? One which may affect my server.
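A small detector of the kind spader describes, added here as an example (it is not code from any poster in the thread): it parses combined-format access-log lines like those in the first post, flags the URL signatures this thread mentions (default.ida, cmd.exe/root.exe), and reports IPs that send a burst of rejected requests inside a short window, which is the one-request-per-second pattern the original poster saw. The sample lines, the 60 second window and the burst threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample, modelled on the log snippet in the first post (not the real log).
SAMPLE_LOG = """\
203.219.164.10 - - [16/Jul/2004:10:28:57 +0000] "GET /default.ida?XXXX%u9090%u6858 HTTP/1.0" 404 1137 "-" "-"
221.140.251.131 - - [16/Jul/2004:14:28:18 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:40 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
221.140.251.131 - - [16/Jul/2004:14:28:41 +0000] "OPTIONS / HTTP/1.1" 405 1118 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.5 - - [16/Jul/2004:14:29:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [16/Jul/2004:14:29:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
"""
# Combined log format: ip ident user [timestamp] "method uri proto" status ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
# URL signatures named in the thread: Code Red style default.ida, Nimda style cmd.exe/root.exe.
SIGNATURES = [("default.ida", re.compile(r"default\.ida", re.I)),
              ("cmd_root_exe", re.compile(r"(cmd|root)\.exe", re.I))]

def parse_line(line):
    """Return (ip, timestamp, uri, status) for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("uri"), int(m.group("status"))

def match_signature(uri):
    """Name of the first signature matching the request URI, or None."""
    return next((name for name, rx in SIGNATURES if rx.search(uri)), None)

def analyse(log_text, window=timedelta(seconds=60), burst=3):
    """Return (signature hits as (ip, name), IPs with >= burst rejected requests inside window)."""
    hits, per_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, uri, status = rec
        sig = match_signature(uri)
        if sig:
            hits.append((ip, sig))
        if status >= 400:  # only rejected requests count towards the scanner burst
            per_ip[ip].append(ts)
    bursty = set()
    for ip, times in per_ip.items():
        times.sort()  # sliding window over this IP's rejected-request times
        if any(times[i + burst - 1] - times[i] <= window
               for i in range(len(times) - burst + 1)):
            bursty.add(ip)
    return hits, bursty
```

The burst set is what you would feed into a temporary, expiring iptables rule rather than a permanent ban, which addresses the concern about locking out a legitimate visitor behind an infected host.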
atlas3650
04-04-2005, 06:03 PM
You can use a mod_rewrite solution to drop these requests at apache before invoking any dynamic systems like java servers. The mod_rewrite docs have examples of this... here's an example where I just don't log these requests (but still process them):
SetEnvIf Request_URI ^.*(cmd|root)\.exe.*$ donotlog
SetEnvIf Request_URI ^.*default\.ida.*$ donotlog
SetEnvIf Request_URI ^-$ donotlog
Then use the environment variable "donotlog" in your CustomLog directive ala:
env=!donotlog
(at the end of the directive).