httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vávra Jan <va...@602.cz>
Subject Re: [users@httpd] Access control advice needed
Date Wed, 09 Apr 2014 18:28:17 GMT
There could be a problem with reverse dns records. Eg. a hostname
www.example.com is translated to ip address x.x.x.x But if the Apache
Server asks what is the name of x.x.x.x adress, it could get nothing or  a
response www.somethingelse.com. So this could be your problem.

Jan.


2014-04-09 10:26 GMT+02:00 Ramon Casha <ramon.casha@megabyte.net>:

>  To be honest I don't want to end up having to maintain the IP blocks
> that correspond to the computers that are sending the requests, which is
> why I tried using the partial domain name. The apache documentation seems
> to suggest this would work:
>
> A (partial) domain-name  *Example:* Allow from apache.org
> Allow from .net example.edu
> The server is running Linux so I've got iptables but, again, I want to
> avoid having to maintain the list of blocked IP addresses.
>
> The thing is, the methods I described would take care of the problems if I
> could get them to work - blocking all HTTP/1.0 requests to a specific
> location, and/or blocking everyone from that server.
>
> I am currently working around it by adding a bit of PHP code to the drupal
> settings.php file but I'd like it to be tackled earlier than that - in
> apache's access control or iptables for instance.
>
>
> On Erb, 2014-04-09 at 10:44 +0300, Oren wrote:
>
> Hi Ramon.
> Why use apache for the block and not a firewall? its not apache related
> but i think its a better way of doing that.
> You can add those addresses to blocking rules and reduce the load on the
> apache before they even reach it.
> I am not sure which os you use but there are simple ways of doing that
> even if you dont have dedicated hardware.
>
> Oren
>
>  On 04/09/2014 10:32 AM, Jan Vávra wrote:
>
>   Hello,
>  try to use an IP address or subnet instead of .
> broad.pt.fj.dynamic.163data.com.cn
>
> Jan.
>
>    I have a website running drupal which is currently under a continuous
> botnet attack, which is causing major performance issues. I'm trying to
> use apache's access control mechanism to block these requests.
>
> Two characteristics of the attack requests are that they all use
> HTTP/1.0, and a large percentage of them are within one domain.
>
> When I look at my access log, most requests are coming in from:
> 134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
> 129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
> ...etc.
>
> i tried blocking access using Apache's Deny From as follows:
>
> <Directory /opt/drupal-7/>
>    Options +FollowSymLinks
>    AllowOverride All
>    Order Allow,Deny
>    Allow from all
>    Deny from .broad.pt.fj.dynamic.163data.com.cn
> </Directory>
>
> However this did not work - all requests are still being allowed in.
> Note that the /opt/drupal-7 directory is a symlink to the actual
> directory which has the full version number.
>
> Also, since all the botnet requests are marked as HTTP/1.0, I tried to
> restrict access to the user-registration pages using the protocol, as
> follows:
>
> SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
> <Location /utenti>
>     Order Allow,Deny
>     Deny from env=BadReq
> </Location>
>
> However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
> prefix to the user registration page, password-reset page etc. I tried
> changing around the Order, adding an "Allow from all" but in each case I
> either end up blocking everyone or letting all requests through.
>
> I'd appreciate any advice on how to implement the above or resolve this
> issue in some other way.
>
> --
> Ramon Casha
>
> Note: I have no control over the disclaimer message that will invariably
> appear below.
>
>
>
>
> *DISCLAIMER*
>
> *The information transmitted in this message and any attachments is
> strictly confidential and intended only for the individual or entity to
> whom it is addressed.*
> *Any form of unauthorised review, transmission, disclosure, publication,
> reproduction, modification or other use of, or the taking of any action in
> reliance upon any of the information contained in this e-mail by
> individuals or entities other than the intended recipient is strictly
> prohibited.*
> *If you are not the named addressee or the person responsible for
> delivering the message to the named addressee and have received this
> communication in error, you must not disclose the contents of this e-mail
> to any other person; or make any copies thereof. If you are not the named
> recipient please delete/destroy any and all copies that may exist, whether
> in electronic or hard copy for and notify us immediately on the phone
> number indicated above and provide us with details about the said e-mail
> received in error.*
> *Since the Internet is not a secure medium Megabyte cannot guarantee the
> privacy or confidentiality of any e-mail communications transmitted. All
> messages sent to and from Megabyte Ltd may be monitored and/or recorded to
> ensure compliance with internal policies and procedures. We disclaim all
> responsibility and liability whatsoever in relation to any errors or
> omissions that may reveal themselves in this message and in relation to any
> damage that may result from any such errors or omissions. We disclaim all
> responsibility and liability for any damage that may arise from the
> unauthorised acts of third parties and/or the corruption of any data
> contained in this message.*
> *Thank you.*
>
>
>
>
>   --
> ------------------------------
>
>
> *Ramon Casha* | Technical Specialist | Software Services
> *megabyte ltd* | *e* ramon.casha@megabyte.net
> *t* + 356 21421600 | *f* + 356 21421590 | *w* www.megabyte.net
> ------------------------------
>
>
> Please consider your environmental responsibility before printing this
> e-mail
>
>  *DISCLAIMER*
>
>
>
>
>
> *The information transmitted in this message and any attachments is
> strictly confidential and intended only for the individual or entity to
> whom it is addressed.Any form of unauthorised review, transmission,
> disclosure, publication, reproduction, modification or other use of, or the
> taking of any action in reliance upon any of the information contained in
> this e-mail by individuals or entities other than the intended recipient is
> strictly prohibited.If you are not the named addressee or the person
> responsible for delivering the message to the named addressee and have
> received this communication in error, you must not disclose the contents of
> this e-mail to any other person; or make any copies thereof. If you are not
> the named recipient please delete/destroy any and all copies that may
> exist, whether in electronic or hard copy for and notify us immediately on
> the phone number indicated above and provide us with details about the said
> e-mail received in error.Since the Internet is not a secure medium Megabyte
> cannot guarantee the privacy or confidentiality of any e-mail
> communications transmitted. All messages sent to and from Megabyte Ltd may
> be monitored and/or recorded to ensure compliance with internal policies
> and procedures. We disclaim all responsibility and liability whatsoever in
> relation to any errors or omissions that may reveal themselves in this
> message and in relation to any damage that may result from any such errors
> or omissions. We disclaim all responsibility and liability for any damage
> that may arise from the unauthorised acts of third parties and/or the
> corruption of any data contained in this message.Thank you.*
>
>  <#145459912488242d_>
>
>

Mime
View raw message