Hej there,
Xavier Mertens wrote:
Hi *,
I've a problem with an Apache web server hit by f*cking spammers...
I would like to filter some URLs (unused but still used by the bots) *BEFORE*
they reach the httpd processes. What could be the best method? pf? something
else?
I had the same problem with botnets, attacking a specific URL. Even
sending out 404 errors didn't help at all.
I wouldn't recommend the pf overload feature, as this depends on the
number of tcp connections to your webserver.
Say you have a webpage with 50 images, this would be 50 connections.
Another webpage may only have 2 images, this would lead to only 2
connections.
Here is what I did.
Install mod_security for apache.
Define rules like those:
<IfModule security2_module>
# Maximum request body size we will
# accept for buffering
SecRequestBodyAccess On
#SecRequestBodyLimit 131072
# Store up to 128 KB in memory
#SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyAccess Off
SecResponseBodyLimit 524288
# Debug log
SecDebugLog /var/log/apache/modsec_debug.log
SecDebugLogLevel 0
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
#SecAuditEngine Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
#SecAuditLogParts ABIFHZ
SecAuditLogParts A
SecAuditLogType Serial
# The name of the audit log file
SecAuditLog /var/log/apache/modsec_audit.log
# Default action set
#SecDefaultAction "deny,log,auditlog,status:403"
# Turn on Rule Engine
SecRuleEngine On
# Refuse to accept POST requests that do
# not specify request body length
# SecRule REQUEST_METHOD ^POST$ chain
# SecRule REQUEST_HEADER:Content-Length ^$
#
# Metal District Rules
#SecRule REQUEST_URI "/phpbb2/posting\.php\(.*\)" "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
#SecRule ARGS /phpbb2/posting.php "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
SecRule REQUEST_FILENAME /phpbb2/posting.php "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
SecRule REQUEST_FILENAME /phpBB2/posting.php "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
</IfModule>
Any time someone accesses /phpbb2/posting.php, the script
fill-blacklist.sh is run:
([EMAIL PROTECTED] <~> $ cat /root/bin/fill-blacklist.sh
#!/bin/sh
#
# Called by mod_security's exec action; the client address is passed
# to the script in the REMOTE_ADDR environment variable.
[ -n "$REMOTE_ADDR" ] || exit 1
sudo pfctl -t www-spammers -T add "$REMOTE_ADDR"
echo "${REMOTE_ADDR} added to blacklist"
The IP gets added to the table www-spammers.
My pf rules look like that:
# www-spammers table
table <www-spammers> persist file "/etc/www-spammers"
block in quick on $ext_if proto tcp from <www-spammers> to $ext_if port 80
Drawback: I need sudo to use pfctl as the user www (which Apache runs
under).
Pro: Every bot can access the URL exactly one time; afterwards it's
blacklisted.
Use expire-table to free the pf table occasionally and of course make
sure that you don't block yourself - whitelist IP addresses like your
standard gateway, otherwise you may DoS yourself ;)
Of course this is just a hack, but it works in my case.
Any suggestions to improve this setup are welcome :)
best regards,
Marian
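Since mod_security's exec action runs the script with the request's CGI-style environment variables, the script itself is the natural place to enforce the whitelist Marian mentions. The following hardened fill-blacklist.sh is an added example, not Marian's script: it validates REMOTE_ADDR as a dotted-quad IPv4 address, skips addresses listed in an assumed whitelist file /etc/www-whitelist (one address per line), and only then calls pfctl; the table name and sudo setup are the ones from the thread.

```shell
#!/bin/sh
# Hardened fill-blacklist.sh (added example, not Marian's script).
# mod_security's exec action runs this with the request's CGI-style
# environment, so the client address arrives in REMOTE_ADDR.
# Assumptions: pf table www-spammers and sudo as in the thread; the
# whitelist file /etc/www-whitelist (assumed name) holds one IPv4
# address per line, e.g. the default gateway and admin hosts.
WHITELIST=${WHITELIST:-/etc/www-whitelist}
TABLE=www-spammers

# Succeed only for a dotted-quad IPv4 address with each octet 0-255,
# so nothing but a clean address is ever handed to pfctl.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Succeed if the address appears verbatim as a line of the whitelist.
# A missing or unreadable whitelist protects nobody (fail-open), so
# create it before enabling the rule.
whitelisted() {
    [ -r "$2" ] && grep -qxF -- "$1" "$2"
}

# Print the decision for an address: add, skip-invalid or skip-whitelist.
# Returns 0 only when the address should be blocked.
decide() {
    if ! valid_ipv4 "$1"; then echo skip-invalid; return 1; fi
    if whitelisted "$1" "$2"; then echo skip-whitelist; return 1; fi
    echo add
}

main() {
    if verdict=$(decide "${REMOTE_ADDR:-}" "$WHITELIST"); then
        sudo pfctl -t "$TABLE" -T add "$REMOTE_ADDR" &&
            echo "$REMOTE_ADDR added to $TABLE"
    else
        echo "not blocking '${REMOTE_ADDR:-}' ($verdict)" >&2
    fi
}

# Only act when invoked by mod_security (REMOTE_ADDR set).
if [ -n "${REMOTE_ADDR:-}" ]; then main; fi
```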