Posted to users@httpd.apache.org by Jack Stone <an...@hotmail.com> on 2007/08/25 17:28:43 UTC

[users@httpd] mod_rewrite or mod_access

Am running apache-2.0+

We still use MSFrontPage on certain sites and was wondering how best to 
block visitors who use FP in attempts to abuse the sites, BUT, not block our 
own valid users?

Figured best to use mod_rewrite or mod_access for this purpose, but unsure 
of the syntax to use on those vhost containers where we may have the 
conflicts.

Sorry, I have not mastered these mods yet. Any help would be appreciated.

Below are some such intrusive attempts:

59.104.234.123 - - [25/Aug/2007:07:44:31 -0700] "POST 
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 228 "-" "MSFrontPage/6.0"
59.104.234.123 - - [25/Aug/2007:07:44:32 -0700] "POST 
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 154 "-" "MSFrontPage/6.0"
59.104.234.123 - - [25/Aug/2007:07:44:33 -0700] "POST 
/_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"
59.104.234.123 - - [25/Aug/2007:07:45:18 -0700] "POST 
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 141 "-" "MSFrontPage/6.0"
59.104.234.123 - - [25/Aug/2007:07:45:21 -0700] "POST 
/_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"
59.104.234.123 - - [25/Aug/2007:07:46:23 -0700] "POST 
/_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"

All the best,
Jack



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_rewrite or mod_access

Posted by Jeff Peng <je...@gmx.net>.
-------- Original Message --------
> Date: Mon, 27 Aug 2007 21:12:32 +0700
> From: "Vincent Bray" <no...@gmail.com>
> 
> Using mod_rewrite
> here is only necessary when you need to see stuff like the query
> string, or other non-uri-ref request attributes.
> 

Agree with that. :)


Re: [users@httpd] mod_rewrite or mod_access

Posted by Vincent Bray <no...@gmail.com>.
On 26/08/07, Jack Stone <an...@hotmail.com> wrote:
> >From: "Vincent Bray" <no...@gmail.com>
> >RewriteEngine On
> >RewriteCond %{REMOTE_ADDR} !^trusted.host.pattern$
> >RewriteRule ^/_vti - [F]

> Thanks for those suggestions. Used the mod_rewrite one and seems to be doing
> the trick. The use of Frontpage attempts doesn't happen very often and so
> hard to test, except I see searches now getting 403s (forbidden) and I can
> load up from my trusted IP without any problem.

I should add to this another non-rewrite option (it's a habit to avoid
rewrite whenever possible, not because there's anything wrong with it,
but because there are more specialised options).

<LocationMatch ^/_vti>
 Order allow,deny
 Allow from trusted.host.com
</LocationMatch>

This does the same thing, and should be quicker. Using mod_rewrite
here is only necessary when you need to see stuff like the query
string, or other non-uri-ref request attributes.

-- 
noodl
PS. Your hotmail account appears to be full.



Re: [users@httpd] mod_rewrite or mod_access

Posted by Jack Stone <an...@hotmail.com>.
>From: "Vincent Bray" <no...@gmail.com>
>Reply-To: users@httpd.apache.org
>To: users@httpd.apache.org, orvilleg@hotmail.com
>Subject: Re: [users@httpd] mod_rewrite or mod_access
>Date: Sat, 25 Aug 2007 22:38:58 +0700
>
>On 25/08/07, Jack Stone <an...@hotmail.com> wrote:
> > We still use MSFrontPage on certain sites and was wondering how best to
> > block visitors who use FP in attempts to abuse the sites, BUT, not block 
>our
> > own valid users?
> >
> > Figured best to use mod_rewrite or mod_access for this purpose, but 
>unsure
> > of the syntax to use on those vhost containers where we may have the
> > conflicts.
> >
>
>Either should work. First with mod_access (as it is in 2.0)
>
><Location /_vti_bin/_vti_aut/author.exe>
>  Deny from all
></Location>
>
>.. or fancier ..
>
><LocationMatch ^/_vti_bin/_vti_(evil|regex)>
>  Deny from all
></LocationMatch>
>
>Or with mod_rewrite:
>
>RewriteEngine On
>RewriteCond %{REMOTE_ADDR} !^trusted.host.pattern$
>RewriteRule ^/_vti - [F]
>
>This basically says, if the address looks like some frontpage nonsense
>and the client isn't coming from a known address, don't change the URL
>(the - part), and forbid [F] the request.
>
>You can probably get fancier still with mod_security, where fancy
>includes stuff like time based abuse escalation, and just about any
>conceivable formula based on the request (including any entity bodies,
>which mod_rewrite can't see).
>
>Good luck.
>
>--
>noodl
>

Noodl, I tried the mod_rewrite suggestion which was working until I 
discovered it was killing the FP counter. So, switched to this as a separate 
rewrite block by itself since I send the mass downloaders to a special page 
explaining why blocked:

RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.xx$
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} MSFrontPage [NC]
RewriteRule ^.* - [F,L]

I think this is doing the trick now.

Many thanks!

Jack
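
An added example, not part of the original thread: a small Python model of the two rewrite rule sets discussed above, run over constructed requests to show which ones each would answer with 403. The trusted address, the visitor address, and the assumption that the FrontPage hit counter is requested at /_vti_bin/fpcount.exe are not from the thread.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the trusted address the thread masks as xx.xx.xx.xx.
TRUSTED_IP = "192.0.2.10"

@dataclass
class Request:
    ip: str
    path: str
    user_agent: str

def path_rule_forbids(req: Request) -> bool:
    # RewriteCond %{REMOTE_ADDR} !^trusted$  +  RewriteRule ^/_vti - [F]
    return req.ip != TRUSTED_IP and re.match(r"^/_vti", req.path) is not None

def agent_rule_forbids(req: Request) -> bool:
    # RewriteCond %{REMOTE_ADDR} !^trusted$  +  %{HTTP_USER_AGENT} FrontPage [NC]
    # + RewriteRule ^.* - [F,L]; "MSFrontPage" is already covered by "FrontPage".
    return req.ip != TRUSTED_IP and re.search("FrontPage", req.user_agent, re.I) is not None

BROWSER = "Mozilla/4.0 (compatible; MSIE 6.0)"  # constructed ordinary browser agent
AUTHOR = "/_vti_bin/_vti_aut/author.exe"        # authoring endpoint seen in the logs

# Constructed requests; only 59.104.234.123 and MSFrontPage/6.0 come from the logs.
SAMPLES = {
    "outside_fp_authoring": Request("59.104.234.123", AUTHOR, "MSFrontPage/6.0"),
    "trusted_fp_authoring": Request(TRUSTED_IP, AUTHOR, "MSFrontPage/6.0"),
    # Assumed counter URL under /_vti_bin/, fetched by an ordinary visitor's browser.
    "visitor_hit_counter": Request("198.51.100.7", "/_vti_bin/fpcount.exe", BROWSER),
    "outside_fp_plain_page": Request("59.104.234.123", "/index.html", "MSFrontPage/6.0"),
    "outside_browser_authoring": Request("198.51.100.7", AUTHOR, BROWSER),
}

def compare() -> dict:
    """Map each sample to (forbidden by path rule, forbidden by agent rule)."""
    return {name: (path_rule_forbids(r), agent_rule_forbids(r))
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (by_path, by_agent) in compare().items():
        print(f"{name:27} path rule: {'403' if by_path else 'pass'}   "
              f"agent rule: {'403' if by_agent else 'pass'}")
```

The `visitor_hit_counter` row is the counter breakage described above; the `outside_browser_authoring` row is a request the agent-based rule passes through to FrontPage's own authentication, which is what produced the 401 responses in the logs.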



Re: [users@httpd] mod_rewrite or mod_access

Posted by Jack Stone <an...@hotmail.com>.
>From: "Vincent Bray" <no...@gmail.com>
>Reply-To: users@httpd.apache.org
>To: users@httpd.apache.org, orvilleg@hotmail.com
>Subject: Re: [users@httpd] mod_rewrite or mod_access
>Date: Sat, 25 Aug 2007 22:38:58 +0700
>
>On 25/08/07, Jack Stone <an...@hotmail.com> wrote:
> > We still use MSFrontPage on certain sites and was wondering how best to
> > block visitors who use FP in attempts to abuse the sites, BUT, not block 
>our
> > own valid users?
> >
> > Figured best to use mod_rewrite or mod_access for this purpose, but 
>unsure
> > of the syntax to use on those vhost containers where we may have the
> > conflicts.
> >
> > Sorry, I have not mastered these mods yet. Any help would be 
>appreciated.
> >
> > Below are some such intrusive attempts:
> >
> > 59.104.234.123 - - [25/Aug/2007:07:44:31 -0700] "POST
> > /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 228 "-" "MSFrontPage/6.0"
> > 59.104.234.123 - - [25/Aug/2007:07:44:32 -0700] "POST
> > /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 154 "-" "MSFrontPage/6.0"
> > 59.104.234.123 - - [25/Aug/2007:07:44:33 -0700] "POST
> > /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"
> > 59.104.234.123 - - [25/Aug/2007:07:45:18 -0700] "POST
> > /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 141 "-" "MSFrontPage/6.0"
> > 59.104.234.123 - - [25/Aug/2007:07:45:21 -0700] "POST
> > /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"
> > 59.104.234.123 - - [25/Aug/2007:07:46:23 -0700] "POST
> > /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"
>
>Either should work. First with mod_access (as it is in 2.0)
>
><Location /_vti_bin/_vti_aut/author.exe>
>  Deny from all
></Location>
>
>.. or fancier ..
>
><LocationMatch ^/_vti_bin/_vti_(evil|regex)>
>  Deny from all
></LocationMatch>
>
>Or with mod_rewrite:
>
>RewriteEngine On
>RewriteCond %{REMOTE_ADDR} !^trusted.host.pattern$
>RewriteRule ^/_vti - [F]
>
>This basically says, if the address looks like some frontpage nonsense
>and the client isn't coming from a known address, don't change the URL
>(the - part), and forbid [F] the request.
>
>You can probably get fancier still with mod_security, where fancy
>includes stuff like time based abuse escalation, and just about any
>conceivable formula based on the request (including any entity bodies,
>which mod_rewrite can't see).
>
>Good luck.
>
>--
>noodl
>

Noodl:
Thanks for those suggestions. Used the mod_rewrite one and seems to be doing 
the trick. The use of Frontpage attempts doesn't happen very often and so 
hard to test, except I see searches now getting 403s (forbidden) and I can 
load up from my trusted IP without any problem.

Jack



Re: [users@httpd] mod_rewrite or mod_access

Posted by Vincent Bray <no...@gmail.com>.
On 25/08/07, Jack Stone <an...@hotmail.com> wrote:
> We still use MSFrontPage on certain sites and was wondering how best to
> block visitors who use FP in attempts to abuse the sites, BUT, not block our
> own valid users?
>
> Figured best to use mod_rewrite or mod_access for this purpose, but unsure
> of the syntax to use on those vhost containers where we may have the
> conflicts.
>
> Sorry, I have not mastered these mods yet. Any help would be appreciated.
>
> Below are some such intrusive attempts:
>
> 59.104.234.123 - - [25/Aug/2007:07:44:31 -0700] "POST
> /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 228 "-" "MSFrontPage/6.0"
> 59.104.234.123 - - [25/Aug/2007:07:44:32 -0700] "POST
> /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 154 "-" "MSFrontPage/6.0"
> 59.104.234.123 - - [25/Aug/2007:07:44:33 -0700] "POST
> /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"
> 59.104.234.123 - - [25/Aug/2007:07:45:18 -0700] "POST
> /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 200 141 "-" "MSFrontPage/6.0"
> 59.104.234.123 - - [25/Aug/2007:07:45:21 -0700] "POST
> /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"
> 59.104.234.123 - - [25/Aug/2007:07:46:23 -0700] "POST
> /_vti_bin/_vti_aut/author.exe HTTP/1.1" 401 531 "-" "MSFrontPage/6.0"

Either should work. First with mod_access (as it is in 2.0)

<Location /_vti_bin/_vti_aut/author.exe>
 Deny from all
</Location>

.. or fancier ..

<LocationMatch ^/_vti_bin/_vti_(evil|regex)>
 Deny from all
</LocationMatch>

Or with mod_rewrite:

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^trusted.host.pattern$
RewriteRule ^/_vti - [F]

This basically says, if the address looks like some frontpage nonsense
and the client isn't coming from a known address, don't change the URL
(the - part), and forbid [F] the request.

You can probably get fancier still with mod_security, where fancy
includes stuff like time based abuse escalation, and just about any
conceivable formula based on the request (including any entity bodies,
which mod_rewrite can't see).

Good luck.

-- 
noodl
