Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
Received-SPF: softfail (nike.apache.org: transitioning domain of
 margol@beamartyr.net does not designate 199.203.54.245 as permitted sender)
Message-ID: <49494B26.604@beamartyr.net>
Date: Wed, 17 Dec 2008 20:55:34 +0200
From: Issac Goldstand <margol@beamartyr.net>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: users@httpd.apache.org
Subject: Re: Dummy vhost for intruders - comments please
References: <49483609.3030401@bigpond.com>
 <e9da18930812171035p77a85dadk981916b67cee03e9@mail.gmail.com>
In-Reply-To: <e9da18930812171035p77a85dadk981916b67cee03e9@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Chris Knight wrote:
> On Tue, Dec 16, 2008 at 3:13 PM, Peter Horn <peter.horn@bigpond.com> wrote:
>   
>> I don't think this is quite off-topic, just a bit left of centre. :-\
>> I run a small site with two subdomains of no-ip.org (like dyndns) using
>> NameVirtualHost. Looking at the access log, a few percent of my traffic was
>> from bots like Morfeus F***ing Scanner [my censorship], intrusion attempts
>> (e.g. GET /login_page.php) and just plain old "wrong numbers". Nothing from
>> what I'd think of as "good" bots (Google, etc.) Initially, I added a first
>> (i.e. default) vhost to serve a page saying "If you don't know the URL, I'm
>> not telling you." Then I refined this with the obvious "Deny from all".
>>     
>
> I suppose this is something you can do now.  When I first started
> using name based virtual hosting my first vhost was a simple page that
> informed the reader that they had hit this page because their browser
> did not support HTTP/1.1 requests and had links to the latest
> browsers.  I only got bitten by this once, when a friend using a
> Hughes satellite connection that utilized a HTTP/1.0 proxy to improve
> perceived speed couldn't get to her sites and got really really really
> mad at me.
>
>   
>> While this is definitely effective, do you consider it
>> honourable/ethical/sneaky/clever/dumb/whatever? Are there any likely
>> side-effects?
>>     
>
> My opinion is that it is your server and you can do what you want with
> it.  I have always been bothered with the 'robot exclusion protocol'
> because the concept is that any commercial business can scan and copy
> your content by default, unless you find them and exclude them.
> archive.org is a personal pet peeve of mine, though I am sure I am in
> the minority there.
>
> With the goal of catching the bad bots, here is another idea.  Create
> a subdirectory off your site that has a single index.php (or whatever
> your preferred server-side scripting language is) and have that file
> append the site's .htaccess file with a deny from [REMOTE_ADDR of the
> request].  Then put that directory in your robots.txt file.  Only the
> really evil bots deliberately crawl the excludes in a robots.txt, and
> once they do you'll be blocking their requests.
>
> -Chris
>
>   
Once I had a module that did this with MySQL...  It automatically added 
a honeypot line to robots.txt for you (or served one up if it detected a 
404 response for /robots.txt) and if the honeypot was triggered, added 
the remote IP to a MySQL table.  It also had an access_handler installed 
that scanned the remote IP against those in the DB and denied access if 
the IP was in the "blacklist"

I can't find it these days, though..  If people really want it, maybe 
I'll rewrite it from scratch as a 2.2 module...

Issac

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org