httpd-users mailing list archives

From Michael Sersen <mser...@gmail.com>
Subject Re: [users@httpd] Blocking all http requests, unless...
Date Sun, 10 Jun 2012 21:24:55 GMT
On Sun, Jun 10, 2012 at 1:47 PM, Nick Kew <nick@webthing.com> wrote:

>
> On 10 Jun 2012, at 17:21, Michael Sersen wrote:
>
> > Hello fellow Apache friends!
> >
> > This is my first time posting but I do lurk in the background, listening
> in on all of your valuable wisdom! :-)
>
> Please fix your mailer to send text!
>


> #Thanks Nick, I've looked into the matter of my mailer... I think it's the
> user, not the machine!
>
>
 > I am having troubles with thousands of spam requests (possible hack
> attempts) to my server.
>
> Evidence?  Are they requesting nonexistent dynamic-looking contents, or
> something?
> You can always try logging referers(sic) to see if someone has incorrect
> links to you.
>
>      # Evidence toward hacking? I have none, concrete. fwiw, they left
their "blackhat trademark" in the first request. Every subsequent request
thereafter did not have the signature, but they originated from the same
IP.
      #They are mostly requesting a mix of existing and nonexistent system
files. It looks like they have a general list of  nix directories/files,
and they are just scripting through every possibility on their
list, probably hoping for a breach. I grepped through all of their attempts
looking for anything that did not return a 400 code. Fortunately for me,
nothing passed. Being that I am still a noob, I consider myself lucky...
Even though it wouldn't be the end of the world if somebody did break in,
there is nothing sensitive on the server, and I could rebuild it with the
click of a button (on Linode). For now it's just my playground/portfolio
that sits behind a password.


> >  My question is; How can I block all requests, with the only exception
> being that a referrer may request any resource, just-as-long as they first
> request my login page?
>
> Straight answer: you can't:
> - if you try, you'll lock out anyone using privacy settings and not
> sending a referer.
> - if anyone's really trying to 'hack' you, they can trivially work around
> it.
>
>    # Thanks for the straight and skinny. I don't particularly want to
waste time attempting something that isn't even feasible to begin with. The
fact that it doesn't make sense is probably why I couldn't find anything
related on Google search.


> >  Basically I would like to block all inbound requests, but allow
> unfettered requests from any IP which 1st accesses my login page.
>
> Trying to map IPs to users is a fundamental mistake.  The only IP you can
> know
> with any certainty is the nearest proxy to you (which may or may not
> identify itself
> as a proxy).  Of course not all users come through a proxy, but that's not
> up to
> the server.
>

    # I wasn't thinking to map IPs to users, rather to accept any (random)
IP request, if and only if they first accessed my login page (or some other
single page for that matter). My half baked theory was that if it is only
me and a select few people accessing the server, I could guarantee that the
first request would be for the login page only. Of course, any bots
attempting to access other resources, without first accessing the login
page would be denied. As a side note, I think it's time I enabled Fail2Ban!
 I'd imagine it will at least help.

>
> >  Furthermore, is this a good approach towards keeping spam bots away?
>  My logic comes from looking at my access logs, and noticing that the
> "perps" are unwittingly, not attempting to access my login page.
>
> There's a recipe for thwarting "image theft" (your images appearing in
> other peoples
> pages).  It'll 'work' subject to the above provisos.  I think it's in the
> FAQ.
>
>   # I've seen these recipes around the websphere, and these methods are on
my to-do list :-)

> If you actually have a login page, then you can just use session
> management,
> such as that provided by mod_session.
>
>   Thanks again!

Mike Sersen


>  --
> Nick Kew
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 

*Michael Anthony Sersen Jr. Design Services*
962 Main Street | Pennsburg, PA 18073
Phone: 215.804.9321
Social: https://plus.google.com/107889818752517370475<https://plus.google.com/107889818752517370475/posts>
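
Added example, not part of the original message or written by either poster: the log review described in the message (checking whether a probing client ever requested the login page, and whether any of its requests was answered with something other than an error status), run over constructed access-log lines. The `/login` path, the sample IPs (documentation ranges), the `min_requests` threshold and the function name are assumptions.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/login"  # assumption: where the login page lives

# Constructed sample lines; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2012:10:00:01 +0000] "GET /etc/passwd HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [10/Jun/2012:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "-"
203.0.113.7 - - [10/Jun/2012:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "-"
203.0.113.7 - - [10/Jun/2012:10:00:04 +0000] "\\x16\\x03\\x01" 400 226 "-" "-"
198.51.100.20 - mike [10/Jun/2012:10:05:00 +0000] "GET /login HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
198.51.100.20 - mike [10/Jun/2012:10:05:09 +0000] "GET /portfolio/ HTTP/1.1" 200 8000 "http://example.org/login" "Mozilla/5.0"
"""


def triage(log_text, login_path=LOGIN_PATH, min_requests=3):
    """Per client IP: did it ever request the login page, and which of its
    requests were answered with a non-error status (worth a closer look)."""
    clients = defaultdict(lambda: {"total": 0, "saw_login": False, "served": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        parts = m["req"].split()
        # A request line without method and path (e.g. raw TLS bytes) has no path.
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else None
        c = clients[m["ip"]]
        c["total"] += 1
        if path == login_path:
            c["saw_login"] = True
        if int(m["status"]) < 400:
            c["served"].append((path, int(m["status"])))
    # Suspects: clients that sent several requests yet never asked for the login page.
    return {ip: c for ip, c in clients.items()
            if c["total"] >= min_requests and not c["saw_login"]}


if __name__ == "__main__":
    for ip, c in triage(SAMPLE_LOG).items():
        print(ip, "requests:", c["total"], "served (non-error):", c["served"])
```

Anything listed under `served` for a suspect client is a request that did not get an error response and deserves a manual look; the grouping by IP is for log review only and carries the proxy caveat raised in the quoted reply.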
