httpd-users mailing list archives

From Frederik Nosi <frederik.n...@postecom.it>
Subject Re: [users@httpd] Denying access for a complicated bugger address
Date Tue, 30 Sep 2014 19:18:47 GMT
On 09/30/2014 08:55 PM, Hans-Georg Scherneck wrote:
> Frederik Nosi wrote:
>> Hi Hans-Georg,
>>
>> On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
>>> Rainer M. Canavan wrote:
>>>> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hgs@chalmers.se> wrote:
>>>>
>>>>> My site is bombarded by POST requests from a site identifying 
>>>>> itself like
>>>>> 123.123.123.123.word.word.word.word
>>>>> A "deny from" instruction with a string trying to match this in 
>>>>> .htaccess does not appear to work (though other abusers with 
>>>>> simple IP's I can get barred this way).
>>>> You don't say where that site identifies itself in such a manner. 
>>>> You should
>>>> not enable reverse lookups (i.e. HostnameLookups should be Off, 
>>>> possibly some
>>>> other settings), then the first column in your access.log should 
>>>> always be
>>>> the actual originating IP address of that request.  If they are 
>>>> real spammers,
>>>> they have a botnet with lots of IPs in nearly as many locations and 
>>>> subnets.
>>>>
>>>>
>>>> rainer
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>> Blocking from apache:
>>>>
>>>> <Location />
>>>>     Order Allow,Deny
>>>>     # httpd 2.2 mod_access: with Order Allow,Deny and no Allow line, nobody gets in
>>>>     Allow from all
>>>>     Deny from <INSERT IP TO BLOCK HERE>
>>>> </Location>
>>>>
>>>> You can block it at the network stack level too; this way Apache 
>>>> does not even see the request, e.g. on Linux using iptables.
>>>>
>>>>
>>>> bye,
>>>> Frederik 
>>>
>>> I'm trying with <Location /> now.
>>>
>>> HostnameLookups Off
>>>
>>> has always been set.
>>> My reply to Richard a minute ago included some incriminating 
>>> access.log lines. Ever seen an address like this before?
>>> /Hans-Georg
>>>
>>
>>
>> I've never received those mails,
>>
>> But as Rainer said, I'm not sure that simple IP blacklisting is 
>> effective in the real world though; it's easy to change IP.
>>
>> Maybe you can add a captcha, require authentication for accessing the 
>> form or some automatic blacklisting solution or rate limiting ex:
>>
>> http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
>>
>>
>> Another, more "disguised" option: using mod_rewrite, match the 
>> IP and then reply "200 OK" with a fake page or such.
>>
>> As always you have to choose the solution that suits you most.
>>
>>
>> Bye,
>> Frederik
>>
>>>
>>>
>>
>>
>>
>>
> Thanks everyone, I appreciate.
> It rather seems the issue is for the Apache developers to solve, e.g. 
> to extend the scope of the Deny string match. Should be simple.
> Such a solution, not engaging any modules, would be convenient. And 
> the abusers would just believe their POST gets through.

Not sure about the POST content match right now, but filtering by IP 
with some mod_rewrite trickery you can do right now, e.g.:

<Location />
     RewriteEngine on

     # RewriteConds are ANDed by default; [C] is a RewriteRule flag and
     # mod_rewrite rejects it on a RewriteCond ("unknown flag")
     RewriteCond %{REQUEST_METHOD} ^POST$
     RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123$
     # hand the abuser an empty page instead of the form handler, last rule
     RewriteRule /THEFORM /empty_page.html [L]

</Location>

should work. Hope I got it right, but in any case I hope you got the idea.

> Does anyone have the appropriate email address to send the suggestion 
> to Apache?
>
> I'll also try with the captcha method, hoping they cannot sail around it.

This is way better.

> Yet I have my doubts; they already double-cross the form checking 
> procedure (javascript) that would reject the sending of the html-form 
> data when the form gets filled with e.g. text instead of specific 
> numbers.
> (They seem to block the sourcing of my javascript, or they might use a 
> console (-bot) that turns "return false" commands into true. What they 
> don't know is, that normally no human reads the form mails; it's a 
> program that serves computation requests. 
> http://holt.oso.chalmers.se/loading )

Checking client-side is trivial to bypass; see wget / curl / phantomjs 
if you want to be fancy, etc.

> Thanks again and bye
> /Hans-Georg
>
>


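The advice in the thread, as an added runnable example that is not code posted by anyone on the list: deny by the address in the first column of access.log (HostnameLookups Off), not by the reverse-lookup name; block only POST so the form page itself stays reachable; let a script pick the offenders automatically instead of reading the log by hand; and, if wanted, drop the same sources with iptables before httpd sees them. The script assumes combined log format, a form at /THEFORM, "more than 5 POSTs inside 60 seconds" as the flood threshold, httpd 2.4 Require syntax, and that a name like 123.123.123.123.word.word.word.word starts with the address it was derived from; all of those are my assumptions, and the sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Added example for the httpd-users thread; not code from anyone on the list.
Finds sources flooding a form with POSTs in an Apache access.log and prints
httpd 2.4 and iptables rules that block them.

Assumptions (mine, not the thread's): combined log format, the form is at
/THEFORM, more than `limit` POSTs inside `window` seconds is a flood, and
SAMPLE_LOG at the bottom is constructed data."""

import re
from collections import defaultdict
from datetime import datetime

# combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
DOTTED_QUAD_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\.|$)')


def client_ip(host_field):
    """Address to block, taken from the %h field.

    With HostnameLookups Off (as recommended in the thread) %h is the client
    IP and is returned as-is.  If a reverse-lookup name such as
    123.123.123.123.word.word.word.word was logged instead, the leading
    dotted quad is taken (assumption: that is the address behind the name).
    A name with no leading address yields None: there is nothing in it that
    "Deny from" or "Require not ip" can match."""
    m = DOTTED_QUAD_RE.match(host_field)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        return None
    return '.'.join(m.groups())


def parse_line(line):
    """One access.log line -> dict, or None if it cannot be used."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = client_ip(m.group('host'))
    if ip is None:
        return None
    when = datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': ip, 'time': when, 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}


def find_post_floods(lines, path='/THEFORM', limit=5, window=60):
    """Return {ip: total POSTs to path} for each source that sent more than
    `limit` POSTs to `path` within some `window`-second span."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'] == path:
            stamps[rec['ip']].append(rec['time'])
    floods = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted times
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > limit:
                floods[ip] = len(times)
                break
    return floods


def apache_block(ips, location='/THEFORM'):
    """httpd 2.4 access control: reject POST from the listed addresses while
    GET of the form page stays open to everyone."""
    out = [f'<Location "{location}">', '    <Limit POST>',
           '        <RequireAll>', '            Require all granted']
    out += [f'            Require not ip {ip}' for ip in sorted(ips)]
    out += ['        </RequireAll>', '    </Limit>', '</Location>']
    return '\n'.join(out)


def iptables_block(ips):
    """Linux rules that drop the same sources before httpd sees the request."""
    return [f'iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP'
            for ip in sorted(ips)]


# Constructed sample log: one source hammering the form, one normal visitor.
SAMPLE_LOG = [
    f'123.123.123.123 - - [30/Sep/2014:20:00:{s:02d} +0200] '
    '"POST /THEFORM HTTP/1.1" 200 512 "-" "-"' for s in range(0, 30, 5)
] + [
    # the same source logged by name, the way the original poster saw it
    '123.123.123.123.word.word.word.word - - [30/Sep/2014:20:00:30 +0200] '
    '"POST /THEFORM HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [30/Sep/2014:20:01:00 +0200] '
    '"GET /THEFORM HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Sep/2014:20:02:10 +0200] '
    '"POST /THEFORM HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'this is not an access.log line',
]

if __name__ == '__main__':
    bad = find_post_floods(SAMPLE_LOG)
    print(apache_block(bad))
    print('\n'.join(iptables_block(bad)))
```

Run it against a real log with `find_post_floods(open('access.log'))` and paste the printed `<Location>` block into httpd.conf (on 2.2 the equivalent is `Order Allow,Deny` / `Allow from all` / `Deny from <ip>` inside `<Limit POST>`). As Rainer and Frederik point out, a botnet simply shows up from another address, so the generated list is a stopgap next to a CAPTCHA or server-side validation of the form fields, not a substitute for them.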