A few weeks ago I was talking to an old friend of mine who finally decided to take advantage of his fast broadband and have a little personal site “hosted” at home, over the broadband link. (Since I’m going to give away some details about his hardware and software setup, I decided not to include a link to his site here, as potential attackers might use this information to batter his server.) Because it’s not going to be a high-volume site and it’s not going to make him any money, he didn’t want to pay for Windows licences and such, so he decided to go for a Linux setup. He’s a big fan of Java, so he went for an Apache Tomcat server running on his Linux box with a PostgreSQL database in the back end. Excellent!
A few weeks after he set up his site, he started noticing some “strange” requests made to his server, mostly people trying common exploits for Apache, Tomcat, or various other components that can be plugged into such a setup. In order to stop them, he thought the best way was to mislead them. So he changed the server signature so that it announces itself as an IIS server; he even rewrote his servlets so the paths to them appear as if they are all ASP pages! (Whereas before a typical request to his site would be www.site.com/myservlet?a=b, now it’s all www.site.com/page1.asp?a=b.) He even went to the length of customizing the error pages so they look like IIS’ standard error pages!
Luckily for him, that worked… for a while! Shortly after he made these changes he noticed the “funky” requests started to drop, to the point where they stopped altogether. And about two weeks afterwards, other requests came back, two or three times as many, this time from people trying various exploits for Microsoft IIS! It went pretty much from bad to worse: people were now trying not just to break IIS, they assumed that because IIS is in use there is some MS SQL Server in the back end, so they tried some SQL injection. They also assumed some .NET is running on that machine, so various ASP.NET hacks were tried too. And the list goes on. Every day he gets about 5 attacks, it seems. The only peace of mind he gets is that obviously none of those components can be reached, as the setup his server “advertises” is a fake one. However, these attacks cripple his server when they start.
So for those of you considering the same route to stop attackers, beware that you will not actually be able to stop them. Instead, you will shed some attackers and invite others to have a go! There is no way to stop attackers short of shutting down the server so no one can access it 😀 Instead, plan for attacks, secure your setup as much as you can (keep Apache, Tomcat and PostgreSQL patched, and remove the plug-in components you don’t use, since those are exactly what the probes go looking for) and watch your access logs. If you notice, for instance, constant attacks from the same IP address, it may be worth blocking that address at the firewall so no traffic (not just HTTP!) can come into your network from it; bear in mind this only buys relief from that one source, and the next scanner will come from a different address. There are plenty of other ways to prevent and monitor these attacks; changing your server signature and making people believe you are running a different hardware and software setup, however, is not one of them.
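To make the “watch your access logs, then block the persistent offenders at the firewall” advice concrete, here is an added example. It is my own code, not the friend’s setup or anything from the original post. It assumes the Apache/Tomcat “combined” access log format, a constructed sample log (not real traffic), and an illustrative set of probe signatures for both the Apache/Tomcat probes he saw first and the IIS/ASP.NET/MS SQL probes the fake banner invited afterwards; the iptables rules it produces are only returned as strings for review, never executed.

```python
"""Added example: pick out source IPs that keep sending exploit-style requests
to an Apache/Tomcat server, and draft a firewall rule for each."""
import re
from collections import Counter

# Apache/Tomcat "combined" access log format (Tomcat's AccessLogValve with
# pattern="combined" writes the same shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Illustrative probe signatures (an assumption for this example, not a vetted
# IDS ruleset): the Apache/Tomcat family, and the IIS/ASP.NET/MS SQL family
# that a forged IIS banner attracts. The last IIS pattern is a crude check for
# a quote followed by OR/UNION in an .asp/.aspx query string (SQL injection).
PROBES = {
    "tomcat/apache": [
        r"/manager/html", r"/jmx-console", r"/cgi-bin/", r"/examples/servlets",
    ],
    "iis/asp.net": [
        r"/scripts/\.\.", r"cmd\.exe", r"/msadc/", r"/_vti_bin/",
        r"WebResource\.axd", r"\.as[ap]x?\?.*(%27|')(%20|\+)(or|union)",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in PROBES.items()}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the probe family a request path matches, or None for ordinary traffic."""
    for category, patterns in COMPILED.items():
        if any(p.search(path) for p in patterns):
            return category
    return None


def probe_counts(lines):
    """Count probe-looking requests per source IP, broken down by probe family."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["path"])
        if category is None:
            continue
        per_ip.setdefault(rec["ip"], Counter())[category] += 1
    return per_ip


def repeat_offenders(lines, threshold=3):
    """IPs whose probe count reaches the threshold: the 'constant attacks from the same IP' case."""
    return {ip: c for ip, c in probe_counts(lines).items() if sum(c.values()) >= threshold}


def firewall_rules(ips):
    """Draft rules that drop ALL traffic from each IP, not just HTTP (Linux iptables
    syntax). Returned as strings for a human to review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


# Constructed sample log, not real traffic: one host hammering IIS/ASP.NET paths
# (including a SQL injection attempt against the fake .asp page), one trying the
# Tomcat manager twice, and one legitimate visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:08:01:12 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
203.0.113.7 - - [10/Mar/2006:08:01:13 +0000] "GET /msadc/msadcs.dll HTTP/1.0" 404 280 "-" "-"
203.0.113.7 - - [10/Mar/2006:08:01:15 +0000] "GET /page1.asp?a=1%27%20OR%201=1-- HTTP/1.1" 200 1322 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2006:08:01:16 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 284 "-" "-"
203.0.113.7 - - [10/Mar/2006:08:01:18 +0000] "GET /WebResource.axd?d=AAAA HTTP/1.1" 404 288 "-" "-"
198.51.100.9 - - [10/Mar/2006:09:30:01 +0000] "GET /manager/html HTTP/1.1" 404 281 "-" "-"
198.51.100.9 - - [10/Mar/2006:09:30:02 +0000] "GET /examples/servlets/ HTTP/1.1" 404 286 "-" "-"
192.0.2.5 - - [10/Mar/2006:10:15:44 +0000] "GET /page1.asp?a=b HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2006:10:15:45 +0000] "GET /style.css HTTP/1.1" 200 812 "http://www.site.com/page1.asp?a=b" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    offenders = repeat_offenders(SAMPLE_LOG)
    for ip, counts in offenders.items():
        print(ip, dict(counts))
    for rule in firewall_rules(offenders):
        print(rule)
```

With the sample above, only 203.0.113.7 crosses the threshold (five IIS-family probes); the host that tried the Tomcat manager twice is reported in the per-IP counts but not blocked, which is the judgement call the threshold leaves to you. The per-family breakdown is also what lets you see, as the friend did, that the mix of probes changes when the banner changes.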
DIXIT