httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: [users@httpd] Blocking all http requests, unless...
Date Sun, 10 Jun 2012 17:47:45 GMT

On 10 Jun 2012, at 17:21, Michael Sersen wrote:

> Hello fellow Apache friends!
> 
> This is my first time posting but I do lurk in the background, listening in on all of
your valuable wisdom! :-)

Please fix your mailer to send text!

> I am having troubles with thousands of spam requests (possible hack attempts) to my server.

Evidence?  Are they requesting nonexistent dynamic-looking contents, or something?
You can always try logging referers(sic) to see if someone has incorrect links to you.

>  My question is; How can I block all requests, with the only exception being that a referrer
may request any resource, just-as-long as they first request my login page?

Straight answer: you can't:
- if you try, you'll lock out anyone using privacy settings and not sending a referer.
- if anyone's really trying to 'hack' you, they can trivially work around it.

>  Basically I would like to block all inbound requests, but allow unfettered requests
from any IP which 1st accesses my login page.

Trying to map IPs to users is a fundamental mistake.  The only IP you can know
with any certainty is the nearest proxy to you (which may or may not identify itself
as a proxy).  Of course not all users come through a proxy, but that's not up to
the server.

>  Furthermore, is this a good approach towards keeping spam bots away?  My logic comes
from looking at my access logs, and noticing that the "perps" are unwittingly, not attempting
to access my login page.

There's a recipe for thwarting "image theft" (your images appearing in other peoples
pages).  It'll 'work' subject to the above provisos.  I think it's in the FAQ.

If you actually have a login page, then you can just use session management,
such as that provided by mod_session.

-- 
Nick Kew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message