I have a client who runs an IIS webserver on Windows 2000 and their webserver has been compromised (before I was called). They were compromised because they were not patched.

I can't guarantee they will stay up to date with their patches and I can't speak for Microsoft getting their patches out 0 day.

I am thinking of using an apache webserver on a linux box in proxy mode that will listen to requests and retrieve pages from the IIS server behind the firewall.

Does this sound like a good solution? The Apache server will re-write requests without the exploited requests correct?

Thanks
WT

hmmm 24 hours and no one has comments?

Want your money back?

I've never actually tried that so this is speculation, but I would guess it depends on the type of attack and also how you plan on rewriting the requests. For example a simple overflow like GET htttp://somefiles.AAAAAAAAAAAAAAAAAAAAAAAAAAA would probably make it through as Apache couldn't tell the difference between it and legitimate requests, unicode stuff would probably go through too. To be effective though, Apache would need to truly re-write the requests rather than just forward them. Probably would work best using a module like mod_security that is designed to filter out weird URLs like malformed and escaped requests upstream of the Apache core. Personally, I think a true proxy like squid or ZORP would probably work the best (that's part of what they're designed to do.

Hey thank you for the reply, I will cancel my refund request!

Good info, appreciated. I run squid as a cache to fetch requests for the internal networks so I am somewhat familiar with it. Since squid has lots of 3rd party plugins I would think this would be a great solution. I will research it as a rewrite proxy and post with my findings.

Would apache's mod_rewrite do the trick also?