Posted to users@httpd.apache.org by Michael Sersen <ms...@gmail.com> on 2012/06/10 18:21:11 UTC

[users@httpd] Blocking all http requests, unless...

Hello fellow Apache friends!

This is my first time posting but I do lurk in the background, listening in
on all of your valuable wisdom! :-)

I am having troubles with thousands of spam requests (possible hack
attempts) to my server.  My question is; How can I block all requests, with
the only exception being that a referrer may request any resource,
just-as-long as they first request my login page?  Basically I would like
to block all inbound requests, but allow unfettered requests from any IP
which 1st accesses my login page.  Furthermore, is this a good approach
towards keeping spam bots away?  My logic comes from looking at my access
logs, and noticing that the "perps" are unwittingly, not attempting to
access my login page.  The site is personal and will not see a lot of
traffic besides myself, and those I personally share the link with; So I
think my logic makes sense!

Thanks in advance!
-- 

*Michael Anthony Sersen Jr. Design Services*
962 Main Street | Pennsburg, PA 18073
Phone: 215.804.9321
Social: https://plus.google.com/107889818752517370475<https://plus.google.com/107889818752517370475/posts>

Re: [users@httpd] Blocking all http requests, unless...

Posted by Michael Sersen <ms...@gmail.com>.
On Sun, Jun 10, 2012 at 1:47 PM, Nick Kew <ni...@webthing.com> wrote:

>
> On 10 Jun 2012, at 17:21, Michael Sersen wrote:
>
> > Hello fellow Apache friends!
> >
> > This is my first time posting but I do lurk in the background, listening
> in on all of your valuable wisdom! :-)
>
> Please fix your mailer to send text!
>


# Thanks Nick, I've looked into the matter of my mailer... I think it's the
user, not the machine!

> > I am having troubles with thousands of spam requests (possible hack
> > attempts) to my server.
>
> Evidence?  Are they requesting nonexistent dynamic-looking contents, or
> something?
> You can always try logging referers(sic) to see if someone has incorrect
> links to you.
>
# Evidence toward hacking? I have none, concrete. fwiw, they left
their "blackhat trademark" in the first request. Every subsequent request
thereafter did not have the signature, but they originated from the same
IP.
# They are mostly requesting a mix of existing and nonexistent system
files. It looks like they have a general list of nix directories/files,
and they are just scripting through every possibility on their
list, probably hoping for a breach. I grepped through all of their attempts
looking for anything that did not return a 400 code. Fortunately for me,
nothing passed. Being that I am still a noob, I consider myself lucky...
Even though it wouldn't be the end of the world if somebody did break in,
there is nothing sensitive on the server, and I could rebuild it with the
click of a button (on Linode). For now it's just my playground/portfolio
that sits behind a password.


> >  My question is; How can I block all requests, with the only exception
> being that a referrer may request any resource, just-as-long as they first
> request my login page?
>
> Straight answer: you can't:
> - if you try, you'll lock out anyone using privacy settings and not
> sending a referer.
> - if anyone's really trying to 'hack' you, they can trivially work around
> it.
>
# Thanks for the straight and skinny. I don't particularly want to
waste time attempting something that isn't even feasible to begin with. The
fact that it doesn't make sense is probably why I couldn't find anything
related on Google search.


> >  Basically I would like to block all inbound requests, but allow
> unfettered requests from any IP which 1st accesses my login page.
>
> Trying to map IPs to users is a fundamental mistake.  The only IP you can
> know
> with any certainty is the nearest proxy to you (which may or may not
> identify itself
> as a proxy).  Of course not all users come through a proxy, but that's not
> up to
> the server.
>

    # I wasn't thinking to map IPs to users, rather to accept any (random)
IP request, if and only if they first accessed my login page (or some other
single page for that matter). My half baked theory was that if it is only
me and a select few people accessing the server, I could guarantee that the
first request would be for the login page only. Of course, any bots
attempting to access other resources, without first accessing the login
page would be denied. As a side note, I think it's time I enabled Fail2Ban!
I'd imagine it will at least help.

>
> >  Furthermore, is this a good approach towards keeping spam bots away?
>  My logic comes from looking at my access logs, and noticing that the
> "perps" are unwittingly, not attempting to access my login page.
>
> There's a recipe for thwarting "image theft" (your images appearing in
> other people's
> pages).  It'll 'work' subject to the above provisos.  I think it's in the
> FAQ.
>
# I've seen these recipes around the websphere, and these methods are on
my to-do list :-)

> If you actually have a login page, then you can just use session
> management,
> such as that provided by mod_session.
>
Thanks again!

Mike Sersen


>  --
> Nick Kew
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>



Re: [users@httpd] Blocking all http requests, unless...

Posted by Nick Kew <ni...@webthing.com>.
On 10 Jun 2012, at 17:21, Michael Sersen wrote:

> Hello fellow Apache friends!
> 
> This is my first time posting but I do lurk in the background, listening in on all of your valuable wisdom! :-)

Please fix your mailer to send text!

> I am having troubles with thousands of spam requests (possible hack attempts) to my server.

Evidence?  Are they requesting nonexistent dynamic-looking contents, or something?
You can always try logging referers(sic) to see if someone has incorrect links to you.

>  My question is; How can I block all requests, with the only exception being that a referrer may request any resource, just-as-long as they first request my login page?

Straight answer: you can't:
- if you try, you'll lock out anyone using privacy settings and not sending a referer.
- if anyone's really trying to 'hack' you, they can trivially work around it.

>  Basically I would like to block all inbound requests, but allow unfettered requests from any IP which 1st accesses my login page.

Trying to map IPs to users is a fundamental mistake.  The only IP you can know
with any certainty is the nearest proxy to you (which may or may not identify itself
as a proxy).  Of course not all users come through a proxy, but that's not up to
the server.

>  Furthermore, is this a good approach towards keeping spam bots away?  My logic comes from looking at my access logs, and noticing that the "perps" are unwittingly, not attempting to access my login page.

There's a recipe for thwarting "image theft" (your images appearing in other people's
pages).  It'll 'work' subject to the above provisos.  I think it's in the FAQ.

If you actually have a login page, then you can just use session management,
such as that provided by mod_session.

-- 
Nick Kew
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
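
Added example, not part of the original thread: a sketch of the log review discussed above (grepping a scanning client's requests for anything that did not return a 4xx, and logging referers). It assumes Apache's "combined" LogFormat; the sample lines, addresses, the triage() name and the min_errors threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log (documentation addresses), not data from the thread.
SAMPLE = """\
203.0.113.9 - - [10/Jun/2012:12:00:01 +0000] "GET /etc/passwd HTTP/1.1" 404 210 "-" "scanner"
203.0.113.9 - - [10/Jun/2012:12:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "scanner"
203.0.113.9 - - [10/Jun/2012:12:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 403 199 "-" "scanner"
203.0.113.9 - - [10/Jun/2012:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "scanner"
198.51.100.4 - - [10/Jun/2012:12:05:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2012:12:05:01 +0000] "GET /portfolio/ HTTP/1.1" 401 381 "http://example.org/old-link" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2012:12:05:02 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2012:12:06:00 +0000] "-" 408 - "-" "-"
"""

def triage(log_text, min_errors=3):
    """Report clients with >= min_errors 4xx responses on distinct paths,
    plus every request from those clients that was NOT answered with a 4xx."""
    errors = defaultdict(set)    # ip -> distinct paths answered with 4xx
    served = defaultdict(list)   # ip -> (status, path) answered with non-4xx
    referers = defaultdict(set)  # ip -> non-empty Referer values
    unparsed = 0                 # malformed request lines, e.g. "-" on a 408
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed += 1
            continue
        ip, status = m["ip"], int(m["status"])
        if 400 <= status < 500:
            errors[ip].add(m["path"])
        else:
            served[ip].append((status, m["path"]))
        if m["referer"] not in ("", "-"):
            referers[ip].add(m["referer"])
    report = {ip: {"probed": len(paths), "served": served[ip],
                   "referers": sorted(referers[ip])}
              for ip, paths in errors.items() if len(paths) >= min_errors}
    return report, unparsed

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The "served" list is the part worth reading by hand: it holds whatever a probing client actually received, and lines counted as unparsed should be inspected rather than ignored.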