httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ramon Casha" <ramon.ca...@megabyte.net>
Subject Re: [users@httpd] Access control advice needed
Date Wed, 09 Apr 2014 08:26:36 GMT
To be honest I don't want to end up having to maintain the IP blocks that correspond to the
computers that are sending the requests, which is why I tried using the partial domain name.
The apache documentation seems to suggest this would work:

A (partial) domain-name 


	Example: 

	Allow from apache.org
	Allow from .net example.edu 


The server is running Linux so I've got iptables but, again, I want to avoid having to maintain
the list of blocked IP addresses.

The thing is, the methods I described would take care of the problems if I could get them
to work - blocking all HTTP/1.0 requests to a specific location, and/or blocking everyone
from that server.

I am currently working around it by adding a bit of PHP code to the drupal settings.php file
but I'd like it to be tackled earlier than that - in apache's access control or iptables for
instance.


On Erb, 2014-04-09 at 10:44 +0300, Oren wrote:


	Hi Ramon.
	Why use apache for the block and not a firewall? its not apache related but i think its a
better way of doing that.
	You can add those addresses to blocking rules and reduce the load on the apache before they
even reach it.
	I am not sure which os you use but there are simple ways of doing that even if you dont have
dedicated hardware.
	
	Oren
	
	

	On 04/09/2014 10:32 AM, Jan Vávra wrote:
	
	

		Hello,
		 try to use an IP address or subnet instead of .broad.pt.fj.dynamic.163data.com.cn
		
		Jan.
		
		

			I have a website running drupal which is currently under a continuous
			botnet attack, which is causing major performance issues. I'm trying to
			use apache's access control mechanism to block these requests.
			
			Two characteristics of the attack requests are that they all use
			HTTP/1.0, and a large percentage of them are within one domain.
			
			When I look at my access log, most requests are coming in from:
			134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
			129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
			...etc.
			
			i tried blocking access using Apache's Deny From as follows:
			
			<Directory /opt/drupal-7/>
			   Options +FollowSymLinks
			   AllowOverride All
			   Order Allow,Deny
			   Allow from all
			   Deny from .broad.pt.fj.dynamic.163data.com.cn
			</Directory>
			
			However this did not work - all requests are still being allowed in.
			Note that the /opt/drupal-7 directory is a symlink to the actual
			directory which has the full version number.
			
			Also, since all the botnet requests are marked as HTTP/1.0, I tried to
			restrict access to the user-registration pages using the protocol, as
			follows:
			
			SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
			<Location /utenti>
			    Order Allow,Deny
			    Deny from env=BadReq
			</Location>
			
			However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
			prefix to the user registration page, password-reset page etc. I tried
			changing around the Order, adding an "Allow from all" but in each case I
			either end up blocking everyone or letting all requests through.
			
			I'd appreciate any advice on how to implement the above or resolve this
			issue in some other way.
			
			--
			Ramon Casha
			
			Note: I have no control over the disclaimer message that will invariably
			appear below.
			
			
			
			
			DISCLAIMER 
			
			The information transmitted in this message and any attachments is strictly confidential
and intended only for the individual or entity to whom it is addressed.
			Any form of unauthorised review, transmission, disclosure, publication, reproduction, modification
or other use of, or the taking of any action in reliance upon any of the information contained
in this e-mail by individuals or entities other than the intended recipient is strictly prohibited.
			If you are not the named addressee or the person responsible for delivering the message
to the named addressee and have received this communication in error, you must not disclose
the contents of this e-mail to any other person; or make any copies thereof. If you are not
the named recipient please delete/destroy any and all copies that may exist, whether in electronic
or hard copy for and notify us immediately on the phone number indicated above and provide
us with details about the said e-mail received in error.
			Since the Internet is not a secure medium Megabyte cannot guarantee the privacy or confidentiality
of any e-mail communications transmitted. All messages sent to and from Megabyte Ltd may be
monitored and/or recorded to ensure compliance with internal policies and procedures. We disclaim
all responsibility and liability whatsoever in relation to any errors or omissions that may
reveal themselves in this message and in relation to any damage that may result from any such
errors or omissions. We disclaim all responsibility and liability for any damage that may
arise from the unauthorised acts of third parties and/or the corruption of any data contained
in this message.
			Thank you. 
			
			




-- 

________________________________



Ramon Casha | Technical Specialist | Software Services 
megabyte ltd | e ramon.casha@megabyte.net
t + 356 21421600 | f + 356 21421590 | w www.megabyte.net <http://www.megabyte.net/>
 

________________________________



Please consider your environmental responsibility before printing this e-mail 


DISCLAIMER
---------------------- 

The information transmitted in this message and any attachments is strictly confidential and
intended only for the individual or entity to whom it is addressed.
Any form of unauthorised review, transmission, disclosure, publication, reproduction, modification
or other use of, or the taking of any action in reliance upon any of the information contained
in this e-mail by individuals or entities other than the intended recipient is strictly prohibited.
If you are not the named addressee or the person responsible for delivering the message to
the named addressee and have received this communication in error, you must not disclose the
contents of this e-mail to any other person; or make any copies thereof. If you are not the
named recipient please delete/destroy any and all copies that may exist, whether in electronic
or hard copy for and notify us immediately on the phone number indicated above and provide
us with details about the said e-mail received in error.
Since the Internet is not a secure medium Megabyte cannot guarantee the privacy or confidentiality
of any e-mail communications transmitted. All messages sent to and from Megabyte Ltd may be
monitored and/or recorded to ensure compliance with internal policies and procedures. We disclaim
all responsibility and liability whatsoever in relation to any errors or omissions that may
reveal themselves in this message and in relation to any damage that may result from any such
errors or omissions. We disclaim all responsibility and liability for any damage that may
arise from the unauthorised acts of third parties and/or the corruption of any data contained
in this message.
Thank you.

Mime
View raw message