Posted to users@httpd.apache.org by dtufs <dt...@yahoo.com> on 2005/06/19 11:20:46 UTC

[users@httpd] How to close connection instead of sending 403?

We have been trying to cut down our bandwidth usage by
disallowing access for many spammers and malevolent
bots. We are currently doing it via .htaccess and
respond with the "403 Forbidden" code. 

However, this still costs us some bandwidth. What we
would like to do is close the connection without even
responding to any bad visitor's request. A bad visitor
is detected by examining the user agent and/or
referrer, or requested URI (never by examining the IP
address). 

Is this possible to do on Apache (running on Red Hat)?
Thanks in advance.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: How to close connection instead of sending 403?

Posted by Joost de Heer <sa...@xs4all.nl>.
dtufs said:
> We have been trying to cut down our bandwidth usage by
> disallowing access for many spammers and malevolent
> bots. We are currently doing it via .htaccess and
> respond with the "403 Forbidden" code.
>
> However, this still costs us some bandwidth. What we
> would like to do is close the connection without even
> responding to any bad visitor's request. A bad visitor
> is detected by examining the user agent and/or
> referrer, or requested URI (never by examining the IP
> address).

What you need is an IPS system.

Joost




Re: [users@httpd] How to close connection instead of sending 403?

Posted by Rich <ap...@rbentley.com>.

dtufs wrote:
> 
> --- Rich <ap...@rbentley.com> wrote:
> 
> 
>>The 'add_httpd_block' script is something I wrote
>>myself to drop the  connection and block the IP for
>>a while.
> 
> 
> But how do you block it? 403 is possible, but not what
> we want. Firewall is possible, but our hosting
> provider doesn't allow us to configure it (VPS).
> 


I block it at the firewall. :-/


> 
> 
>>but I'm sure you could work out something that will 
>>allow you to drop just this client, thus releasing
>>the connection.
> 
> 
> It looks like there is currently no solution available.
> We are considering writing an Apache module that would
> allow us to close the connection without sending any
> info (403) back to the bad visitor.
> The question is whether Apache 1.3 modules are allowed
> to close/kill connections like that?
> 
> 

Shouldn't be too difficult.  Good luck.





Re: [users@httpd] How to close connection instead of sending 403?

Posted by dtufs <dt...@yahoo.com>.

--- Rich <ap...@rbentley.com> wrote:

> The 'add_httpd_block' script is something I wrote
> myself to drop the  connection and block the IP for
> a while.

But how do you block it? 403 is possible, but not what
we want. Firewall is possible, but our hosting
provider doesn't allow us to configure it (VPS).


> but I'm sure you could work out something that will 
> allow you to drop just this client, thus releasing
> the connection.

It looks like there is currently no solution available.
We are considering writing an Apache module that would
allow us to close the connection without sending any
info (403) back to the bad visitor.
The question is whether Apache 1.3 modules are allowed
to close/kill connections like that?





Re: [users@httpd] How to close connection instead of sending 403?

Posted by Rich <ap...@rbentley.com>.
Yes, I see where you're coming from...

Actually, thinking further, you CAN set up mod_security so that it drops 
the connection - for example, I have this as a default action in my 
mod_security setup...

SecFilterDefaultAction "deny,log,status:403,system:/usr/local/pft/add_httpd_block %s"

The 'add_httpd_block' script is something I wrote myself to drop the 
connection and block the IP for a while. I just drop all connections 
from that IP (because that's what I want), but I'm sure you could work 
out something that will allow you to drop just this client, thus 
releasing the connection.

You could also reduce the ip idle timeout at the firewall so that 
hanging connections get removed quicker; assuming the client has given 
up because you're not responding then the connection will be idle - if 
the client has not given up then short of blocking the ip address (which 
you say you don't want to do) there's not much you can do about it anyway.

Rich.



dtufs wrote:
> 
> --- Rich <ap...@rbentley.com> wrote:
> 
> 
>>You can configure mod_security so that it will not
>>respond at all - ie - 
>>it will just leave the client hanging waiting for a
>>response (which it 
>>will never get). Much like a 'silent' firewall.
>>
>>As I said, not ideal (the connection is still live),
>>but at least you 
>>can suppress any outgoing data.
> 
> 
> Yes, I read about this possibility in the modsecurity
> documentation. However, this does not seem acceptable,
> because too many "hanging" connections would very
> likely cause DoS in a very short time.
> 

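The two approaches argued over in this thread, answering a bad visitor with a 403 versus dropping the connection without sending anything, as an added stand-alone example (not code from the thread, from mod_security or from Apache). It applies the original poster's rule set (User-Agent, Referer or requested URI, never the client IP) inside a throwaway Python TCP server and, for a matching request, resets the connection with SO_LINGER 0 so that zero bytes go back and nothing is left hanging; the bot names, referrer domain and URI prefix are constructed rule values.

```python
import socket
import socketserver
import struct
import threading
# Constructed rule values: match on User-Agent, Referer or URI, never on client IP.
BAD_USER_AGENTS = ("badbot", "spamcrawler")
BAD_REFERERS = ("spam.example",)
BAD_URI_PREFIXES = ("/cgi-bin/formmail",)
FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
             b"Content-Length: 9\r\nConnection: close\r\n\r\nForbidden")
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"

def parse_request(raw: bytes):
    """Return (request URI, lower-cased header dict) from an HTTP/1.x request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (parts[1] if len(parts) >= 2 else ""), headers

def is_bad_visitor(uri: str, headers: dict) -> bool:
    """The .htaccess-style decision: user agent, referrer or requested URI only."""
    ua = headers.get("user-agent", "").lower()
    ref = headers.get("referer", "").lower()
    return (any(b in ua for b in BAD_USER_AGENTS)
            or any(b in ref for b in BAD_REFERERS)
            or any(uri.startswith(p) for p in BAD_URI_PREFIXES))

class Handler(socketserver.BaseRequestHandler):
    drop = True  # False: answer bad visitors with a 403, as the thread's .htaccess does
    def handle(self):
        uri, headers = parse_request(self.request.recv(4096))
        if not is_bad_visitor(uri, headers):
            self.request.sendall(OK)
        elif self.drop:
            # SO_LINGER with a zero timeout turns close() into a TCP RST: no bytes
            # go back to the client and the socket is freed at once, nothing hangs.
            self.request.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))
            self.request.close()
        else:
            self.request.sendall(FORBIDDEN)

def probe(request: bytes, drop: bool) -> bytes:
    """Serve one request on a throwaway localhost port; return what the client got."""
    Handler.drop = drop
    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    received = []
    with socket.create_connection(server.server_address) as client:
        client.sendall(request)
        try:
            while chunk := client.recv(4096):
                received.append(chunk)
        except ConnectionResetError:  # the RST from the drop path lands here
            pass
    worker.join()
    server.server_close()
    return b"".join(received)
```

probe(BAD_REQUEST, drop=False) returns the full 403 response (the per-request cost the thread is trying to avoid), while probe(BAD_REQUEST, drop=True) returns no bytes at all.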


Re: [users@httpd] How to close connection instead of sending 403?

Posted by dtufs <dt...@yahoo.com>.

--- Rich <ap...@rbentley.com> wrote:

> You can configure mod_security so that it will not
> respond at all - ie - 
> it will just leave the client hanging waiting for a
> response (which it 
> will never get). Much like a 'silent' firewall.
> 
> As I said, not ideal (the connection is still live),
> but at least you 
> can suppress any outgoing data.

Yes, I read about this possibility in the modsecurity
documentation. However, this does not seem acceptable,
because too many "hanging" connections would very
likely cause DoS in a very short time.



Re: [users@httpd] How to close connection instead of sending 403?

Posted by Rich <ap...@rbentley.com>.
Ah but !!!....

You can configure mod_security so that it will not respond at all - ie - 
it will just leave the client hanging waiting for a response (which it 
will never get). Much like a 'silent' firewall.

As I said, not ideal (the connection is still live), but at least you 
can suppress any outgoing data.

Note:

If you are using apache 2 then you can use mod_security to scan both 
incoming and outgoing data. The outgoing scan is really useful because 
you can stop information leaks in the event that someone DOES manage to 
get to something they shouldn't.

If you are using apache 1.3, the output scanning is not available (it's 
a limitation of the way 1.3 works). However, you can still block the 
client on the incoming stream so that the request never reaches apache 
proper, and you can effectively ignore the request.

Rich.


dtufs wrote:
>>Once you know this, you can configure it to 
>>prevent further communication with the client
>>(not actually killing the connection, but the 
>>effect will be the same - the client will give up).
> 
> 
> Unfortunately, the "client" will not give up. The
> result will be that our (very expensive) bandwidth
> will be wasted on sending 403 responses (that's about
> 300 bytes per request). 
> 
> Imagine a bot requesting a page twice per second. And
> then imagine thousands of such bots, which ignore your
> 403 responses, using different IP addresses. Worms,
> DDoS bots, etc. Something must be done.
> 
> 
> 


Re: [users@httpd] How to close connection instead of sending 403?

Posted by dtufs <dt...@yahoo.com>.
> Once you know this, you can configure it to 
> prevent further communication with the client
> (not actually killing the connection, but the 
> effect will be the same - the client will give up).

Unfortunately, the "client" will not give up. The
result will be that our (very expensive) bandwidth
will be wasted on sending 403 responses (that's about
300 bytes per request). 

Imagine a bot requesting a page twice per second. And
then imagine thousands of such bots, which ignore your
403 responses, using different IP addresses. Worms,
DDoS bots, etc. Something must be done.





Re: [users@httpd] How to close connection instead of sending 403?

Posted by Rich <ap...@rbentley.com>.
No, it won't let you kill the connection, but it probably WILL allow you 
to detect the conditions that would lead you to want to kill the 
connection. Once you know this, you can configure it to prevent 
further communication with the client (not actually killing the 
connection, but the effect will be the same - the client will give up).

Rich.


dtufs wrote:
> --- Rich <ap...@rbentley.com> wrote:
> 
> 
>>Have you tried mod_security? -
>>http://www.modsecurity.org/
> 
> 
> Thanks Rich. It certainly is an interesting module,
> however, it does not seem to be capable of closing a
> connection (it only supports the 'deny' action, which
> normally is just 403). 
> 
> 


Re: [users@httpd] How to close connection instead of sending 403?

Posted by dtufs <dt...@yahoo.com>.
--- Rich <ap...@rbentley.com> wrote:

> Have you tried mod_security? -
> http://www.modsecurity.org/

Thanks Rich. It certainly is an interesting module,
however, it does not seem to be capable of closing a
connection (it only supports the 'deny' action, which
normally is just 403). 




Re: [users@httpd] How to close connection instead of sending 403?

Posted by Rich <ap...@rbentley.com>.
Have you tried mod_security? - http://www.modsecurity.org/

I've not tried to do anything like this before with it, but it might 
help. Worth a look...

regards

Rich.

dtufs wrote:
>>I'm not sure apache can do that but I have one linux
>>box setup as firewall, 
>>patched with patch-o-matic and I do what you
>>want with iptables.
> 
> 
> Thanks for the reply. I'm not sure I understand it
> correctly, but this sounds like you are using the IP
> addresses as the basis for the ban. However, as I
> mentioned, we do not (and cannot) ban IP addresses. We
> determine bad visitors by examining only the user
> agent, referrer and requested URI.
> 
> 


Re: [users@httpd] How to close connection instead of sending 403?

Posted by dtufs <dt...@yahoo.com>.
> I'm not sure apache can do that but I have one linux
> box setup as firewall, 
> patched with patch-o-matic and I do what you
> want with iptables.

Thanks for the reply. I'm not sure I understand it
correctly, but this sounds like you are using the IP
addresses as the basis for the ban. However, as I
mentioned, we do not (and cannot) ban IP addresses. We
determine bad visitors by examining only the user
agent, referrer and requested URI.




Re: [users@httpd] How to close connection instead of sending 403?

Posted by Marian Marinov <ha...@hydra.azilian.net>.
I'm not sure apache can do that but I have one linux box setup as firewall, 
patched with patch-o-matic and I do what you want with iptables.

On 19.6.2005 12:20 dtufs wrote:
> We have been trying to cut down our bandwidth usage by
> disallowing access for many spammers and malevolent
> bots. We are currently doing it via .htaccess and
> respond with the "403 Forbidden" code.
>
> However, this still costs us some bandwidth. What we
> would like to do is close the connection without even
> responding to any bad visitor's request. A bad visitor
> is detected by examining the user agent and/or
> referrer, or requested URI (never by examining the IP
> address).
>
> Is this possible to do on Apache (running on Red Hat)?
> Thanks in advance.

-- 
------------------------------
  One Planet, One Internet.
  We Are All Connected.
------------------------------
