-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 13 Aug 2005, Maxim Vexler wrote:
> Sean, thank you for the quick reply.
> Don't you think that a complete block on the client's IP is too rash a tactic?
> It's a legitimate user, his only fault was that he used this spidering
> tool, which had the side effect of DoS on the httpd daemon, I honestly
> don't think the client meant this to occur.

  iptables -A INPUT -s the_offending_address -p tcp --dport 80 -j REJECT

should take the load off of Apache without blocking other traffic.  The
offender should receive an indication that his access was not welcome.  A
sharper rebuke can be sent by adding '--reject-with icmp-host-prohibited'.

If you prefer to respond with stony silence:

  iptables -A INPUT -s the_offending_address -p tcp --dport 80 -j DROP

should cause the unwanted traffic to be discarded without other action.
This should make his spider hang for a noticeable amount of time while it
waits for a response (which will never come) to its SYN packet, and if the
offender is savvy he'll still figure out that you refuse to talk to the
robot.

You could also look at iptables --connrate or --limit or even --dstlimit
if you just want to slow him down.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFDAKTMs/NR4JuTKG8RAtwGAJ4mYADAqzGuUL7CoBNLVl5gxlpP2QCdEwy6
rt9k+haeeFh47jpw2fwewdM=
=rX3E
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
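The three responses Mark describes (REJECT with an ICMP error, silent DROP, and throttling rather than blocking) written out as a small shell helper. This is an added example, not code from the original message or from the Apache project. It only prints rules in iptables-restore syntax so it can be reviewed and run without root; the address 192.0.2.10 is a made-up documentation address, and the throttling branch uses `-m limit` (for one source) and `-m hashlimit` (per source across all clients, the match that replaced the old dstlimit patch) rather than the `--connrate`/`--dstlimit` options named in the message.

```shell
#!/bin/sh
# Emit iptables rules for dealing with one spidering client hammering port 80.
# Added example: nothing here runs iptables itself. Review the output, then
# apply it as root with:  ./thisscript MODE ADDRESS | iptables-restore --noflush
#
# Modes:
#   reject    - refuse with icmp-host-prohibited; the spider fails fast and
#               the operator's intent is visible to anyone who looks
#   drop      - say nothing; each SYN times out, the spider hangs
#   limit     - accept at most 10 new connections/minute (burst 20) from the
#               address, drop the excess
#   hashlimit - same ceiling, but tracked per source IP for every client,
#               so no address has to be singled out in advance

block_rules() {
    mode="$1"
    addr="$2"
    # Refuse an empty address: "-s ''" would silently match nothing useful.
    [ -n "$addr" ] || { echo "block_rules: address required" >&2; return 2; }

    case "$mode" in
        reject)
            printf -- '-A INPUT -s %s -p tcp --dport 80 -j REJECT --reject-with icmp-host-prohibited\n' "$addr"
            ;;
        drop)
            printf -- '-A INPUT -s %s -p tcp --dport 80 -j DROP\n' "$addr"
            ;;
        limit)
            # Only NEW connections are counted, so established downloads
            # from the same address are not cut off mid-stream.
            printf -- '-A INPUT -s %s -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 10/minute --limit-burst 20 -j ACCEPT\n' "$addr"
            printf -- '-A INPUT -s %s -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP\n' "$addr"
            ;;
        hashlimit)
            # Per-source ceiling for all clients; ADDRESS is ignored here.
            printf -- '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name httpd_new --hashlimit-mode srcip --hashlimit-above 10/minute --hashlimit-burst 20 -j DROP\n'
            ;;
        *)
            echo "usage: block_rules reject|drop|limit|hashlimit ADDRESS" >&2
            return 2
            ;;
    esac
}

# Wrap the rules in a complete iptables-restore fragment for the filter table.
restore_fragment() {
    printf '*filter\n'
    block_rules "$1" "$2" || return $?
    printf 'COMMIT\n'
}

# Stand-alone use: ./thisscript reject 192.0.2.10
if [ "$#" -ge 1 ] && [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    restore_fragment "$@"
fi
```

The `--noflush` flag matters: without it, iptables-restore replaces the whole filter table with this fragment and drops every other rule on the box. The `limit` pair is two rules because `-m limit` only says when a packet matches; the second rule is what actually discards the overflow.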
