Posted to users@httpd.apache.org by Anders Widman <an...@tnonline.net> on 2002/08/22 16:07:55 UTC

Re[2]: Blocking requests..

So, if I use "deny from all", what happens then? Will Apache silently
drop the request, or respond to the client?

- Anders

> Use deny from?

> -----Original Message-----
> From: Anders Widman [mailto:andewid@tnonline.net] 
> Sent: 22 August 2002 14:46
> To: users@httpd.apache.org
> Subject: Blocking requests..



>    Hello...

>    Is there any way I can block (drop) all requests from an IP if a
>    request matches a specific URL?

>    There are some sorts of viruses running around here and they eat up
>    my bandwidth and resources by requesting URLs like these:
   
>    /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>    /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1
>    ...

>    I want Apache to drop and not respond to these requests, and
>    perhaps all requests from that IP. Is that possible?

>    Thanks,
>    Anders


> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org




Re: Re[4]: Blocking requests..

Posted by Jacob Coby <jc...@listingbook.com>.
> > Another option, albeit a more complicated one, is to use ipchains/iptables
> > and add a rule to just drop TCP packets from a specific IP address to your
> > webserver.
>
> Sounds like a better idea :). Now I only need to figure out such a
> script.... Any ideas there?

Just so happens that I have a script to grab the ip addresses from an
error_log :)

Usage: cat error_log | getclientip | sort | uniq

You'll have to make your own rules on what should be blacklisted.

-- begin getclientip --
#!/usr/bin/perl
# getclientip
# gets a client's ip address from an Apache error_log
use strict;
use warnings;

while (my $line = <STDIN>)
{
  # Print the address only when the line carries a "client a.b.c.d" field;
  # lines without one are skipped rather than echoed back whole.
  if ($line =~ /client\s(\d+\.\d+\.\d+\.\d+)/) {
    print "$1\n";
  }
}
-- end --

Because a single IP address can trigger several different blockable
offenses, something has to be done to prevent the same IP address from
getting blacklisted multiple times.

I would append the blocked ip addresses to a file, and then sort | uniq
itself back out to make sure it only contains unique addresses.  Then you
can flush your blacklisted ipchains rule(s) and recreate it(them) using the
blacklisted file.

You may also want to ignore dialup addresses, until they appear 3 or more
times.  Wouldn't want to blacklist someone because the previous user had a
worm :)

-Jacob
http://www.listingbook.com
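
Added example, not part of the original thread or of Jacob's script: one way to carry out the whole procedure described above (match the probe URLs, deduplicate addresses, hold dialup ranges to a repeat-hit threshold, then flush and rebuild a dedicated chain). The chain name HTTP_BLACKLIST, port 80, the dialup_nets parameter and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

CHAIN = "HTTP_BLACKLIST"  # hypothetical chain name, jumped to once from INPUT
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})\]\s*(.*)")
# Signature for the probes quoted in the thread: traversal followed by cmd.exe
PROBE_RE = re.compile(r"\.\.[/\\].*cmd\.exe", re.IGNORECASE)

# Constructed error_log lines (documentation address ranges, not real hosts)
SAMPLE_LOG = [
    "[Thu Aug 22 14:40:01 2002] [error] [client 192.0.2.10] File does not exist: /var/www/scripts/..%2f../winnt/system32/cmd.exe",
    "[Thu Aug 22 14:40:02 2002] [error] [client 192.0.2.10] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe",
    "[Thu Aug 22 14:41:10 2002] [error] [client 198.51.100.7] File does not exist: /var/www/scripts/..%255c../winnt/system32/cmd.exe",
    "[Thu Aug 22 14:42:00 2002] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico",
    "[Thu Aug 22 14:43:00 2002] [notice] caught SIGTERM, shutting down",
]

def fully_unquote(text, max_rounds=5):
    """Percent-decode until stable so single and double encoding look the same."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def offenders(log_lines, dialup_nets=(), dialup_threshold=3):
    """Return sorted unique addresses to block; dialup ranges need repeat hits."""
    nets = [ipaddress.ip_network(n) for n in dialup_nets]
    hits = Counter()
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if not m or not PROBE_RE.search(fully_unquote(m.group(2))):
            continue
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:  # e.g. 999.1.1.1: never pass unvalidated text to a firewall
            continue
    def needed(ip):
        return dialup_threshold if any(ip in n for n in nets) else 1
    return sorted(ip for ip, n in hits.items() if n >= needed(ip))

def iptables_script(ips, port=80):
    """Flush the dedicated chain and recreate it from the deduplicated list."""
    rules = [f"iptables -F {CHAIN}"]
    rules += [f"iptables -A {CHAIN} -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]
    return "\n".join(rules)

if __name__ == "__main__":
    print(iptables_script(offenders(SAMPLE_LOG, dialup_nets=["198.51.100.0/24"])))
```

The generated commands assume the chain already exists and is referenced from INPUT; keeping the rules in their own chain means the flush never touches unrelated firewall rules.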




Re[4]: Blocking requests..

Posted by Anders Widman <an...@tnonline.net>.
> Deny From will give a 403 Forbidden.

Not really what I want....


> Another option, albeit a more complicated one, is to use ipchains/iptables
> and add a rule to just drop TCP packets from a specific IP address to your
> webserver.

Sounds like a better idea :). Now I only need to figure out such a
script.... Any ideas there?

> You can have a script that sits there and watches the logfile, matching
> those requests.  Once it finds some, it tells ipchains/tables to deny or
> drop all TCP requests from the blacklisted IP addr.  If you want to get
> really fancy, you can make it modify the ipchains/tables conf so that when
> you restart the server, it will remember who is blacklisted.

> That will stop all TCP traffic from those IP addresses from ever reaching
> your webservers.  If you tell it to drop the packets, it also prevents them
> from even knowing your website exists, since to them, there is no route to
> the host.

> Could be frustrating if they are real users trying to get into your website.

> -Jacob
> http://www.listingbook.com
> ----- Original Message -----
> From: "Anders Widman" <an...@tnonline.net>
> To: "Julian Grunnell" <us...@httpd.apache.org>
> Sent: Thursday, August 22, 2002 10:07 AM
> Subject: Re[2]: Blocking requests..


>> So, if I use "deny from all", what happens then? Will Apache silently
>> drop the request, or respond to the client?
>>
>> - Anders
>>
>> > Use deny from?
>>
>> > -----Original Message-----
>> > From: Anders Widman [mailto:andewid@tnonline.net]
>> > Sent: 22 August 2002 14:46
>> > To: users@httpd.apache.org
>> > Subject: Blocking requests..
>>
>>
>>
>> >    Hello...
>>
>> >    Is there any way I can block (drop) all requests from an IP if a
>> >    request matches a specific URL?
>>
>> >    There are some sorts of viruses running around here and they eat up
>> >    my bandwidth and resources by requesting URLs like these:
>>
>> >    /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>> >    /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1
>> >    ...
>>
>> >    I want Apache to drop and not respond to these requests, and
>> >    perhaps all requests from that IP. Is that possible?
>>
>> >    Thanks,
>> >    Anders
>>
>>


Re: Re[2]: Blocking requests..

Posted by Jacob Coby <jc...@listingbook.com>.
Deny From will give a 403 Forbidden.

Another option, albeit a more complicated one, is to use ipchains/iptables
and add a rule to just drop TCP packets from a specific IP address to your
webserver.

You can have a script that sits there and watches the logfile, matching
those requests.  Once it finds some, it tells ipchains/tables to deny or
drop all TCP requests from the blacklisted IP addr.  If you want to get
really fancy, you can make it modify the ipchains/tables conf so that when
you restart the server, it will remember who is blacklisted.

That will stop all TCP traffic from those IP addresses from ever reaching
your webservers.  If you tell it to drop the packets, it also prevents them
from even knowing your website exists, since to them, there is no route to
the host.

Could be frustrating if they are real users trying to get into your website.

-Jacob
http://www.listingbook.com
----- Original Message -----
From: "Anders Widman" <an...@tnonline.net>
To: "Julian Grunnell" <us...@httpd.apache.org>
Sent: Thursday, August 22, 2002 10:07 AM
Subject: Re[2]: Blocking requests..


> So, if I use "deny from all", what happens then? Will Apache silently
> drop the request, or respond to the client?
>
> - Anders
>
> > Use deny from?
>
> > -----Original Message-----
> > From: Anders Widman [mailto:andewid@tnonline.net]
> > Sent: 22 August 2002 14:46
> > To: users@httpd.apache.org
> > Subject: Blocking requests..
>
>
>
> >    Hello...
>
> >    Is there any way I can block (drop) all requests from an IP if a
> >    request matches a specific URL?
>
> >    There are some sorts of viruses running around here and they eat up
> >    my bandwidth and resources by requesting URLs like these:
>
> >    /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> >    /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1
> >    ...
>
> >    I want Apache to drop and not respond to these requests, and
> >    perhaps all requests from that IP. Is that possible?
>
> >    Thanks,
> >    Anders
>
>