You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Hans-Georg Scherneck <hg...@chalmers.se> on 2014/09/30 19:16:10 UTC
[users@httpd] Denying access for a complicated bugger address
Hi,
I'm new to this, and I'm no specialist in Apache, sorry.
My site is bombarded by POST requests from a site identifying itself like
123.123.123.123.word.word.word.word
A "deny from" instruction with a string trying to match this in .htaccess does not appear to work
(though other abusers with simple IP's I can get barred this way).
The leading IP is always a fake, and it is changed every time they POST new crap. A safe criterion
must focus on the word-part.
Do you have a working string for me? Can you suggest another method?
(I have made a change to the mailto.cgi script that sends the crap into /dev/null, exploiting a
mistake in the form data that they are sending, but soon they'll find out, and I want to be a step
ahead of them).
Thanks in advance
--
Med vänliga hälsningar / With best regards yours -----
Hans-Georg Scherneck / A \
---------------------+----------------------------------- | / \ |
. Telephone & -fax | Chalmers University of Technology \ /
. +46 31 772 5556 | Earth and Space Sciences -----
. +46 31 772 5590 fx | & Onsala Space Observatory | |
. E-Mail: | SE-439 92 Onsala, Sweden / \
. hgs@chalmers.se | http://www.chalmers.se/rss ----------------
. Ocean Loading Serv.| holt.oso.chalmers.se/loading /===\ ,===//===\
. Gravimeter | holt.oso.chalmers.se/hgs/SCG / /`===,/ /
---------------------+---------------------------------\===//===' \===/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Hans-Georg Scherneck <hg...@chalmers.se>.
Thanks Oscar,
that makes a lot of sense. I'll try to realize your suggestion. Case closed, thanks everyone, you've
all helped to clear things up for me the newbie
/Hans-Georg
Oscar Knorn wrote:
> Hi Hans-Georg,
>
> i guess, you will have to alter the Code of the form.
>
> 1. check for the referer URI in the action="*" script.
> 2. establish a session in the form and check for the sessionid in the
> action script.
> 3. use javascript to write additional hidden fields into the form and
> check for their contents.
>
> apache webserver is definitely not prepared for such attacks.
>
> cheers oscar
>
>
> Am 30.09.2014 um 21:18 schrieb Frederik Nosi:
>> On 09/30/2014 08:55 PM, Hans-Georg Scherneck wrote:
>>> Frederik Nosi wrote:
>>>> Hi Hans-Georg,
>>>>
>>>> On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
>>>>> Rainer M. Canavan wrote:
>>>>>> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hg...@chalmers.se>
>>>>>> wrote:
>>>>>>
>>>>>>> My site is bombarded by POST requests from a site identifying
>>>>>>> itself like
>>>>>>> 123.123.123.123.word.word.word.word
>>>>>>> A "deny from" instruction with a string trying to match this in
>>>>>>> .htaccess does not appear to work (though other abusers with
>>>>>>> simple IP's I can get barred this way).
>>>>>> You don't say where that sites identifies itself in such a manner.
>>>>>> You should
>>>>>> not enable reverse lookups (i.e. HostnameLookups should be Off,
>>>>>> possibly some
>>>>>> other settings), then the first column in your access.log should
>>>>>> always be
>>>>>> the actual originating IP address of that request. If they are
>>>>>> real spammers,
>>>>>> they have a botnet with lots of IPs in nearly as many locations
>>>>>> and subnets.
>>>>>>
>>>>>>
>>>>>> rainer
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>
>>>>>>
>>>>>> Blocking from apache:
>>>>>>
>>>>>> <Location />
>>>>>> Order Allow,Deny
>>>>>> Deny from <INSERT IP TO BLOCK HERE>
>>>>>> </Location>
>>>>>>
>>>>>> You can block it at the network stack level too, this way apache
>>>>>> does not even see the request, ex on linux using iptables.
>>>>>>
>>>>>>
>>>>>> bye,
>>>>>> Frederik
>>>>> I'm trying with <Location /> now.
>>>>>
>>>>> HostnameLookups Off
>>>>>
>>>>> has always been set.
>>>>> My reply to Richard a minute ago included some incriminating
>>>>> access.log lines. Ever seen an address like this before?
>>>>> /Hans-Georg
>>>>>
>>>>
>>>> I've never recieved those mails,
>>>>
>>>> But as Rainer said not sure that a simple IP blacklisting if it's
>>>> effective in the real world thoughthough, it's easy to change IP.
>>>>
>>>> Maybe you can add a captcha, require authentication for accessing
>>>> the form or some automatic blacklisting solution or rate limiting ex:
>>>>
>>>> http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
>>>>
>>>>
>>>> another more "disguised" option, using the mod_rewrite, matching the
>>>> IP and then replying "200 ok" with a fake page or such.
>>>>
>>>> As always you have to choose the solution that suits you most.
>>>>
>>>>
>>>> Bye,
>>>> Frederik
>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>> .
>>>>
>>> Thanks everyone, I appreciate.
>>> It rather seems the issue is for the Apache developers to solve, e.g.
>>> to extend the scope of the Deny string match. Should be simple.
>>> Such a solution, not engaging any modules, would be convenient. And
>>> the abusers would just believe their POST gets through.
>> Not sure about the post content match right now, but filtering by IP
>> and with some mod_rewrite trickery you can do this right now, ex:
>>
>> <Location />
>> RewriteEngine on
>>
>> RewriteCond %{REQUEST_METHOD} POST [C]
>> RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123
>> RewriteRule /THEFORM /empty_page.html [L]
>>
>> </Location>
>>
>> should work. Hope i got it right, but in case hope you got the idea.
>>
>>> Does anyone have the appropriate email address to send the suggestion
>>> to Apache?
>>>
>>> I'll also try with the captcha method, hoping they cannot sail around
>>> it.
>> This is way better
>>
>>> Yet I have my doubts; they already double-cross the form checking
>>> procedure (javascript) that would reject the sending of the html-form
>>> data when the form gets filled with e.g. text instead of specific
>>> numbers.
>>> (They seem to block the sourcing of my javascript, or they might use
>>> a console (-bot) that turns "return false" commands into true. What
>>> they don't know is, that normally no human reads the form mails; it's
>>> a program that serves computation requests.
>>> http://holt.oso.chalmers.se/loading )
>> Checking client side is trivial to bypass, see wget / curl / phantomjs
>> if you want to be fancy ecc
>>
>>> Thanks again and bye
>>> /Hans-Georg
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
> .
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Oscar Knorn <os...@uni-duisburg-essen.de>.
Hi Hans-Georg,
i guess, you will have to alter the Code of the form.
1. check for the referer URI in the action="*" script.
2. establish a session in the form and check for the sessionid in the
action script.
3. use javascript to write additional hidden fields into the form and
check for their contents.
apache webserver is definitely not prepared for such attacks.
cheers oscar
Am 30.09.2014 um 21:18 schrieb Frederik Nosi:
> On 09/30/2014 08:55 PM, Hans-Georg Scherneck wrote:
>> Frederik Nosi wrote:
>>> Hi Hans-Georg,
>>>
>>> On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
>>>> Rainer M. Canavan wrote:
>>>>> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hg...@chalmers.se>
>>>>> wrote:
>>>>>
>>>>>> My site is bombarded by POST requests from a site identifying
>>>>>> itself like
>>>>>> 123.123.123.123.word.word.word.word
>>>>>> A "deny from" instruction with a string trying to match this in
>>>>>> .htaccess does not appear to work (though other abusers with
>>>>>> simple IP's I can get barred this way).
>>>>> You don't say where that sites identifies itself in such a manner.
>>>>> You should
>>>>> not enable reverse lookups (i.e. HostnameLookups should be Off,
>>>>> possibly some
>>>>> other settings), then the first column in your access.log should
>>>>> always be
>>>>> the actual originating IP address of that request. If they are
>>>>> real spammers,
>>>>> they have a botnet with lots of IPs in nearly as many locations
>>>>> and subnets.
>>>>>
>>>>>
>>>>> rainer
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>>
>>>>> Blocking from apache:
>>>>>
>>>>> <Location />
>>>>> Order Allow,Deny
>>>>> Deny from <INSERT IP TO BLOCK HERE>
>>>>> </Location>
>>>>>
>>>>> You can block it at the network stack level too, this way apache
>>>>> does not even see the request, ex on linux using iptables.
>>>>>
>>>>>
>>>>> bye,
>>>>> Frederik
>>>>
>>>> I'm trying with <Location /> now.
>>>>
>>>> HostnameLookups Off
>>>>
>>>> has always been set.
>>>> My reply to Richard a minute ago included some incriminating
>>>> access.log lines. Ever seen an address like this before?
>>>> /Hans-Georg
>>>>
>>>
>>>
>>> I've never recieved those mails,
>>>
>>> But as Rainer said not sure that a simple IP blacklisting if it's
>>> effective in the real world thoughthough, it's easy to change IP.
>>>
>>> Maybe you can add a captcha, require authentication for accessing
>>> the form or some automatic blacklisting solution or rate limiting ex:
>>>
>>> http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
>>>
>>>
>>> another more "disguised" option, using the mod_rewrite, matching the
>>> IP and then replying "200 ok" with a fake page or such.
>>>
>>> As always you have to choose the solution that suits you most.
>>>
>>>
>>> Bye,
>>> Frederik
>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>> .
>>>
>> Thanks everyone, I appreciate.
>> It rather seems the issue is for the Apache developers to solve, e.g.
>> to extend the scope of the Deny string match. Should be simple.
>> Such a solution, not engaging any modules, would be convenient. And
>> the abusers would just believe their POST gets through.
>
> Not sure about the post content match right now, but filtering by IP
> and with some mod_rewrite trickery you can do this right now, ex:
>
> <Location />
> RewriteEngine on
>
> RewriteCond %{REQUEST_METHOD} POST [C]
> RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123
> RewriteRule /THEFORM /empty_page.html [L]
>
> </Location>
>
> should work. Hope i got it right, but in case hope you got the idea.
>
>> Does anyone have the appropriate email address to send the suggestion
>> to Apache?
>>
>> I'll also try with the captcha method, hoping they cannot sail around
>> it.
>
> This is way better
>
>> Yet I have my doubts; they already double-cross the form checking
>> procedure (javascript) that would reject the sending of the html-form
>> data when the form gets filled with e.g. text instead of specific
>> numbers.
>> (They seem to block the sourcing of my javascript, or they might use
>> a console (-bot) that turns "return false" commands into true. What
>> they don't know is, that normally no human reads the form mails; it's
>> a program that serves computation requests.
>> http://holt.oso.chalmers.se/loading )
>
> Checking client side is trivial to bypass, see wget / curl / phantomjs
> if you want to be fancy ecc
>
>> Thanks again and bye
>> /Hans-Georg
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Frederik Nosi <fr...@postecom.it>.
On 09/30/2014 08:55 PM, Hans-Georg Scherneck wrote:
> Frederik Nosi wrote:
>> Hi Hans-Georg,
>>
>> On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
>>> Rainer M. Canavan wrote:
>>>> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hg...@chalmers.se>
>>>> wrote:
>>>>
>>>>> My site is bombarded by POST requests from a site identifying
>>>>> itself like
>>>>> 123.123.123.123.word.word.word.word
>>>>> A "deny from" instruction with a string trying to match this in
>>>>> .htaccess does not appear to work (though other abusers with
>>>>> simple IP's I can get barred this way).
>>>> You don't say where that sites identifies itself in such a manner.
>>>> You should
>>>> not enable reverse lookups (i.e. HostnameLookups should be Off,
>>>> possibly some
>>>> other settings), then the first column in your access.log should
>>>> always be
>>>> the actual originating IP address of that request. If they are
>>>> real spammers,
>>>> they have a botnet with lots of IPs in nearly as many locations and
>>>> subnets.
>>>>
>>>>
>>>> rainer
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>> Blocking from apache:
>>>>
>>>> <Location />
>>>> Order Allow,Deny
>>>> Deny from <INSERT IP TO BLOCK HERE>
>>>> </Location>
>>>>
>>>> You can block it at the network stack level too, this way apache
>>>> does not even see the request, ex on linux using iptables.
>>>>
>>>>
>>>> bye,
>>>> Frederik
>>>
>>> I'm trying with <Location /> now.
>>>
>>> HostnameLookups Off
>>>
>>> has always been set.
>>> My reply to Richard a minute ago included some incriminating
>>> access.log lines. Ever seen an address like this before?
>>> /Hans-Georg
>>>
>>
>>
>> I've never recieved those mails,
>>
>> But as Rainer said not sure that a simple IP blacklisting if it's
>> effective in the real world thoughthough, it's easy to change IP.
>>
>> Maybe you can add a captcha, require authentication for accessing the
>> form or some automatic blacklisting solution or rate limiting ex:
>>
>> http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
>>
>>
>> another more "disguised" option, using the mod_rewrite, matching the
>> IP and then replying "200 ok" with a fake page or such.
>>
>> As always you have to choose the solution that suits you most.
>>
>>
>> Bye,
>> Frederik
>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>> .
>>
> Thanks everyone, I appreciate.
> It rather seems the issue is for the Apache developers to solve, e.g.
> to extend the scope of the Deny string match. Should be simple.
> Such a solution, not engaging any modules, would be convenient. And
> the abusers would just believe their POST gets through.
Not sure about the post content match right now, but filtering by IP and
with some mod_rewrite trickery you can do this right now, ex:
<Location />
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST [C]
RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123
RewriteRule /THEFORM /empty_page.html [L]
</Location>
should work. Hope i got it right, but in case hope you got the idea.
> Does anyone have the appropriate email address to send the suggestion
> to Apache?
>
> I'll also try with the captcha method, hoping they cannot sail around it.
This is way better
> Yet I have my doubts; they already double-cross the form checking
> procedure (javascript) that would reject the sending of the html-form
> data when the form gets filled with e.g. text instead of specific
> numbers.
> (They seem to block the sourcing of my javascript, or they might use a
> console (-bot) that turns "return false" commands into true. What they
> don't know is, that normally no human reads the form mails; it's a
> program that serves computation requests.
> http://holt.oso.chalmers.se/loading )
Checking client side is trivial to bypass, see wget / curl / phantomjs
if you want to be fancy ecc
> Thanks again and bye
> /Hans-Georg
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Eric Covener <co...@gmail.com>.
On Tue, Sep 30, 2014 at 2:55 PM, Hans-Georg Scherneck <hg...@chalmers.se>
wrote:
> It rather seems the issue is for the Apache developers to solve, e.g. to
> extend the scope of the Deny string match. Should be simple.
It's not clear what you're trying to match. A string in the request body?
Maybe try mod_security.
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Hans-Georg Scherneck <hg...@chalmers.se>.
Frederik Nosi wrote:
> Hi Hans-Georg,
>
> On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
>> Rainer M. Canavan wrote:
>>> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hg...@chalmers.se> wrote:
>>>
>>>> My site is bombarded by POST requests from a site identifying itself like
>>>> 123.123.123.123.word.word.word.word
>>>> A "deny from" instruction with a string trying to match this in .htaccess does not appear to
>>>> work (though other abusers with simple IP's I can get barred this way).
>>> You don't say where that sites identifies itself in such a manner. You should
>>> not enable reverse lookups (i.e. HostnameLookups should be Off, possibly some
>>> other settings), then the first column in your access.log should always be
>>> the actual originating IP address of that request. If they are real spammers,
>>> they have a botnet with lots of IPs in nearly as many locations and subnets.
>>>
>>>
>>> rainer
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>> Blocking from apache:
>>>
>>> <Location />
>>> Order Allow,Deny
>>> Deny from <INSERT IP TO BLOCK HERE>
>>> </Location>
>>>
>>> You can block it at the network stack level too, this way apache does not even see the request,
>>> ex on linux using iptables.
>>>
>>>
>>> bye,
>>> Frederik
>>
>> I'm trying with <Location /> now.
>>
>> HostnameLookups Off
>>
>> has always been set.
>> My reply to Richard a minute ago included some incriminating access.log lines. Ever seen an
>> address like this before?
>> /Hans-Georg
>>
>
>
> I've never recieved those mails,
>
> But as Rainer said not sure that a simple IP blacklisting if it's effective in the real world
> thoughthough, it's easy to change IP.
>
> Maybe you can add a captcha, require authentication for accessing the form or some automatic
> blacklisting solution or rate limiting ex:
>
> http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
>
>
> another more "disguised" option, using the mod_rewrite, matching the IP and then replying "200 ok"
> with a fake page or such.
>
> As always you have to choose the solution that suits you most.
>
>
> Bye,
> Frederik
>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
> .
>
Thanks everyone, I appreciate.
It rather seems the issue is for the Apache developers to solve, e.g. to extend the scope of the
Deny string match. Should be simple.
Such a solution, not engaging any modules, would be convenient. And the abusers would just believe
their POST gets through.
Does anyone have the appropriate email address to send the suggestion to Apache?
I'll also try with the captcha method, hoping they cannot sail around it.
Yet I have my doubts; they already double-cross the form checking procedure (javascript) that would
reject the sending of the html-form data when the form gets filled with e.g. text instead of
specific numbers.
(They seem to block the sourcing of my javascript, or they might use a console (-bot) that turns
"return false" commands into true. What they don't know is, that normally no human reads the form
mails; it's a program that serves computation requests. http://holt.oso.chalmers.se/loading )
Thanks again and bye
/Hans-Georg
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Frederik Nosi <fr...@postecom.it>.
Hi Hans-Georg,
On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
> Rainer M. Canavan wrote:
>> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hg...@chalmers.se>
>> wrote:
>>
>>> My site is bombarded by POST requests from a site identifying itself
>>> like
>>> 123.123.123.123.word.word.word.word
>>> A "deny from" instruction with a string trying to match this in
>>> .htaccess does not appear to work (though other abusers with simple
>>> IP's I can get barred this way).
>> You don't say where that sites identifies itself in such a manner.
>> You should
>> not enable reverse lookups (i.e. HostnameLookups should be Off,
>> possibly some
>> other settings), then the first column in your access.log should
>> always be
>> the actual originating IP address of that request. If they are real
>> spammers,
>> they have a botnet with lots of IPs in nearly as many locations and
>> subnets.
>>
>>
>> rainer
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>> Blocking from apache:
>>
>> <Location />
>> Order Allow,Deny
>> Deny from <INSERT IP TO BLOCK HERE>
>> </Location>
>>
>> You can block it at the network stack level too, this way apache does
>> not even see the request, ex on linux using iptables.
>>
>>
>> bye,
>> Frederik
>
> I'm trying with <Location /> now.
>
> HostnameLookups Off
>
> has always been set.
> My reply to Richard a minute ago included some incriminating
> access.log lines. Ever seen an address like this before?
> /Hans-Georg
>
I've never recieved those mails,
But as Rainer said not sure that a simple IP blacklisting if it's
effective in the real world thoughthough, it's easy to change IP.
Maybe you can add a captcha, require authentication for accessing the
form or some automatic blacklisting solution or rate limiting ex:
http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
another more "disguised" option, using the mod_rewrite, matching the IP
and then replying "200 ok" with a fake page or such.
As always you have to choose the solution that suits you most.
Bye,
Frederik
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Hans-Georg Scherneck <hg...@chalmers.se>.
Rainer M. Canavan wrote:
> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hg...@chalmers.se> wrote:
>
>> My site is bombarded by POST requests from a site identifying itself like
>> 123.123.123.123.word.word.word.word
>> A "deny from" instruction with a string trying to match this in .htaccess does not appear to work (though other abusers with simple IP's I can get barred this way).
> You don't say where that sites identifies itself in such a manner. You should
> not enable reverse lookups (i.e. HostnameLookups should be Off, possibly some
> other settings), then the first column in your access.log should always be
> the actual originating IP address of that request. If they are real spammers,
> they have a botnet with lots of IPs in nearly as many locations and subnets.
>
>
> rainer
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
> Blocking from apache:
>
> <Location />
> Order Allow,Deny
> Deny from <INSERT IP TO BLOCK HERE>
> </Location>
>
> You can block it at the network stack level too, this way apache does not even see the request, ex
> on linux using iptables.
>
>
> bye,
> Frederik
I'm trying with <Location /> now.
HostnameLookups Off
has always been set.
My reply to Richard a minute ago included some incriminating access.log lines. Ever seen an address
like this before?
/Hans-Georg
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by "Rainer M. Canavan" <ra...@sevenval.com>.
On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hg...@chalmers.se> wrote:
> My site is bombarded by POST requests from a site identifying itself like
> 123.123.123.123.word.word.word.word
> A "deny from" instruction with a string trying to match this in .htaccess does not appear to work (though other abusers with simple IP's I can get barred this way).
You don't say where that sites identifies itself in such a manner. You should
not enable reverse lookups (i.e. HostnameLookups should be Off, possibly some
other settings), then the first column in your access.log should always be
the actual originating IP address of that request. If they are real spammers,
they have a botnet with lots of IPs in nearly as many locations and subnets.
rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Frederik Nosi <fr...@postecom.it>.
Blocking from apache:
<Location />
Order Allow,Deny
Deny from <INSERT IP TO BLOCK HERE>
</Location>
You can block it at the network stack level too, this way apache does
not even see the request, ex on linux using iptables.
bye,
Frederik
On 09/30/2014 07:16 PM, Hans-Georg Scherneck wrote:
> Hi,
> I'm new to this, and I'm no specialist in Apache, sorry.
> My site is bombarded by POST requests from a site identifying itself like
> 123.123.123.123.word.word.word.word
> A "deny from" instruction with a string trying to match this in
> .htaccess does not appear to work (though other abusers with simple
> IP's I can get barred this way).
> The leading IP is always a fake, and it is changed every time they
> POST new crap. A safe criterion must focus on the word-part.
> Do you have a working string for me? Can you suggest another method?
>
> (I have made a change to the mailto.cgi script that sends the crap
> into /dev/null, exploiting a mistake in the form data that they are
> sending, but soon they'll find out, and I want to be a step ahead of
> them).
> Thanks in advance
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Denying access for a complicated bugger address
Posted by Nick Kew <ni...@webthing.com>.
On 30 Sep 2014, at 18:16, Hans-Georg Scherneck wrote:
> a site identifying itself like
> 123.123.123.123.word.word.word.word
What do you mean by "identifying itself like"?
Requests don't come from a site. The information you have
about where they do come from is usually no more than an
IP address, which may itself be a proxy. You've already
been told how to block an IP address. But what you posted
isn't an IP address, so you need to tell us what it is if you
want suggestions to be helpful.
--
Nick Kew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org