On 10 Jun 2012, at 17:21, Michael Sersen wrote:

> Hello fellow Apache friends!
>
> This is my first time posting but I do lurk in the background, listening in
> on all of your valuable wisdom! :-)

Please fix your mailer to send text!

> I am having troubles with thousands of spam requests (possible hack attempts)
> to my server.

Evidence? Are they requesting nonexistent dynamic-looking contents, or something?
You can always try logging referers (sic) to see if someone has incorrect links to you.

> My question is; How can I block all requests, with the only exception being
> that a referrer may request any resource, just-as-long as they first request
> my login page?

Straight answer: you can't:
- if you try, you'll lock out anyone using privacy settings and not sending a referer.
- if anyone's really trying to 'hack' you, they can trivially work around it.

> Basically I would like to block all inbound requests, but allow unfettered
> requests from any IP which 1st accesses my login page.

Trying to map IPs to users is a fundamental mistake. The only IP you can know
with any certainty is the nearest proxy to you (which may or may not identify
itself as a proxy). Of course not all users come through a proxy, but that's
not up to the server.

> Furthermore, is this a good approach towards keeping spam bots away? My
> logic comes from looking at my access logs, and noticing that the "perps" are
> unwittingly, not attempting to access my login page.

There's a recipe for thwarting "image theft" (your images appearing in other
people's pages). It'll 'work' subject to the above provisos. I think it's in the FAQ.

If you actually have a login page, then you can just use session management,
such as that provided by mod_session.

-- 
Nick Kew
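
Added example, not part of the original message and not mod_session's implementation: a small Python model of the three gating policies discussed in this thread (Referer check, "IP that first visited the login page" allowlist, server-signed session cookie), evaluated against two constructed requests that arrive through the same proxy. The host name, IP address, cookie format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed)
SITE = "https://www.example.com/"  # hypothetical site
PROXY_IP = "203.0.113.7"           # constructed: one proxy, many users behind it

def referer_gate(req):
    """Policy 1: allow only requests whose Referer points at our own site."""
    return req.get("referer", "").startswith(SITE)

class IpGate:
    """Policy 2: allow any IP that has previously requested the login page."""
    def __init__(self):
        self.seen = set()
    def allow(self, req):
        if req["path"] == "/login":
            self.seen.add(req["ip"])
            return True
        return req["ip"] in self.seen

def _sign(user):
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def issue_session(user):
    """Called by the login handler only after the user has authenticated."""
    return f"{user}.{_sign(user)}"

def session_gate(req):
    """Policy 3: allow only a cookie this server signed (expiry omitted)."""
    user, _, mac = req.get("cookie", "").rpartition(".")
    return bool(user) and hmac.compare_digest(mac.encode(), _sign(user).encode())

def evaluate():
    """Return (logged-in user, never-logged-in client) verdicts per policy."""
    # Constructed requests: both arrive from the same proxy address.
    alice = {"ip": PROXY_IP, "path": "/app/report",      # privacy settings:
             "cookie": issue_session("alice")}           # no Referer sent
    other = {"ip": PROXY_IP, "path": "/app/report",      # never logged in;
             "referer": SITE + "login"}                  # Referer is client-supplied
    ip_gate = IpGate()
    ip_gate.allow({"ip": PROXY_IP, "path": "/login"})    # alice's earlier login
    return {
        "referer": (referer_gate(alice), referer_gate(other)),
        "ip": (ip_gate.allow(alice), ip_gate.allow(other)),
        "session": (session_gate(alice), session_gate(other)),
    }

if __name__ == "__main__":
    for policy, verdicts in evaluate().items():
        print(f"{policy:8} user={verdicts[0]} other={verdicts[1]}")
```

Only the session policy admits the logged-in user and refuses the client that never authenticated; the Referer policy gets both wrong and the IP policy cannot tell them apart.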