On Sun, Jun 10, 2012 at 1:47 PM, Nick Kew <n...@webthing.com> wrote: > > On 10 Jun 2012, at 17:21, Michael Sersen wrote: > > > Hello fellow Apache friends! > > > > This is my first time posting but I do lurk in the background, listening > in on all of your valuable wisdom! :-) > > Please fix your mailer to send text! >
> #Thanks Nick, I've looked into the matter of my mailer... I think it's the > user, not the machine! > > > I am having troubles with thousands of spam requests (possible hack > attempts) to my server. > > Evidence? Are they requesting nonexistent dynamic-looking contents, or > something? > You can always try logging referers(sic) to see if someone has incorrect > links to you. > > # Evidence toward hacking? I have none, concrete. fwiw, they left their "blackhat trademark" in the first request. Every subsequent requests thereafter did not have the signature, but they originated from the same IP. #They are mostly requesting a mix of existing and nonexistent system files. It looks like they have a general list of nix directories/files, and they are just scripting through every possibility on their list, probably hoping for a breech. I grepped through all of their attempts looking for anything that did not return a 400 code. Fortunately for me, nothing passed. Being that I am still a noob, I consider myself lucky... Even though it wouldn't be the end of the world if somebody did break in, there is nothing sensitive on the server, and I could rebuild it with the click of a button (on Linode). For now it's just my playground/portfolio that sits behind a password. > > My question is; How can I block all requests, with the only exception > being that a referrer may request any resource, just-as-long as they first > request my login page? > > Straight answer: you can't: > - if you try, you'll lock out anyone using privacy settings and not > sending a referer. > - if anyone's really trying to 'hack' you, they can trivially work around > it. > > # Thanks for the straight and skinny. I don't particularly want to waste time attempting something that isn't even feasible to begin with. The fact that it doesn't make sense is probably why I couldn't find anything related on Google search. > > Basically I would like to block all inbound requests, but allow > unfettered requests from any IP which 1st accesses my login page. > > Trying to map IPs to users is a fundamental mistake. The only IP you can > know > with any certainty is the nearest proxy to you (which may or may not > identify itself > as a proxy). Of course not all users come through a proxy, but that's not > up to > the server. > # I wasn't thinking to map IPs to users, rather to accept any (random) IP request, if and only if they first accessed my login page (or some other single page for that matter). My half baked theory was that if it is only me and a select few people accessing the server, I could guarantee that the first request would be for the login page only. Of course, any bots attempting to access other resources, without first accessing the login page would be denied. As a side note, I think it's time I enabled Fail2Ban! I'd imagine it will at lest help. > > > Furthermore, is this a good approach towards keeping spam bots away? > My logic comes from looking at my access logs, and noticing that the > "perps" are unwittingly, not attempting to access my login page. > > There's a recipe for thwarting "image theft" (your images appearing in > other peoples > pages). It'll 'work' subject to the above provisos. I think it's in the > FAQ. > > # I've seen these recipes around the websphere, and these methods are on my to-do list :-) > If you actually have a login page, then you can just use session > management, > such as that provided by mod_session. > > Thanks again! Mike Sersen > -- > Nick Kew > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > -- *Michael Anthony Sersen Jr. Design Services* 962 Main Street | Pennsburg, PA 18073 Phone: 215.804.9321 Social: https://plus.google.com/107889818752517370475<https://plus.google.com/107889818752517370475/posts>