0

My server is getting hit hard by bots, etc., looking for various files in /cgi-bin/, like search.cgi, YaBB.pl, gitweb.perl, perl, gitweb.pl, htsearch, and on and on.

I want to deny all access (send a 403 Forbidden header) for all possible file names and extensions in /cgi-bin/ . (This is a shared server, so I only have access to .htaccess, not vhosts or httpd).

In an .htaccess in cgi-bin I've tried 

deny from all

as well as

<FilesMatch "\.cgi?$">
        Order Allow,Deny
        Allow from All
</FilesMatch>

for just .cgi extensions, with no luck for either.

How can I deny access for everything in /cgi-bin/?

Do I need to list all file names and extensions in a <FilesMatch directive?

markratledge
  • 519
  • 5
  • 13
  • 26
  • Why? If the file doesn't exist they will get a 404 and it will be totally harmless. I don't see any benefit from using a different error code. – kasperd Jun 17 '15 at 17:42
  • I'm trying to keep my 404 log a bit cleaner so I can spot valid 404's better. – markratledge Jun 17 '15 at 18:01
  • Then it sounds like a much better idea to simply modify the script you use to find the 404s in the log such that it will ignore URL prefixes you know not to be interesting. – kasperd Jun 17 '15 at 19:53
  • Good idea, but I'm stuck with AWSTATs, which is a web interface. – markratledge Jun 18 '15 at 03:28

2 Answers2

0

Do you know the ip or user-agent which is cause of high traffic?

<Directory /cgi-bin>
  order deny,allow
  deny from all
</Directory>

Alt, 

RewriteRule   "cgi(.*)"   "go_away"
AD7six
  • 2,920
  • 2
  • 21
  • 23
chetangb
  • 145
  • 6
  • Thanks, but they are all different IPs and agents, so that's a non-go. And the ` – markratledge Jun 17 '15 at 17:00
  • Not sure if you have multiple vhosts, try adding `AllowOverride All` `Option -ExeCGI` above `order deny,allow` – chetangb Jun 17 '15 at 17:25
  • Still no luck; this is a shared server, so I only have access to .htaccess, not vhosts or httpd, and it seems to be limited access at that, too. – markratledge Jun 17 '15 at 18:02
0

There is lot of way to achieve this :

  1. Using Directory (Apache 2.2 version):

    <Directory /var/www/cgi-bin/>
order deny,allow
deny from all
</Directory>

  2. Using rewrite condition:

    RewriteCond %{REQUEST_URI} ^/cgi-bin
RewriteRule .* - [END,R=406]

you can change 406 by any code you want as 403 for forbiden, you can find here the list of status code : https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

And you can even extend the rewrite condition to cover more bot:

RewriteCond %{HTTP_USER_AGENT} ^-? [OR]
RewriteCond %{REQUEST_URI} ^/cgi [OR,NC]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ [OR]
RewriteCond %{REQUEST_URI} !^/
RewriteRule .* - [END,R=406]

thoose rules prevent from empty useragent, request starting by /cgi, limit method to GET/HEAD/POST, request not starting by /

  1. Using the more logical way:

Just move or remove cgi-bin from your web folder if you don't use them.

Froggiz
  • 3,043
  • 1
  • 19
  • 30