To be honest I don't want to end up having to maintain the IP blocks that 
correspond to the computers that are sending the requests, which is why I tried 
using the partial domain name. The apache documentation seems to suggest this 
would work:

A (partial) domain-name 


        Example: 

        Allow from apache.org
        Allow from .net example.edu 


The server is running Linux so I've got iptables but, again, I want to avoid 
having to maintain the list of blocked IP addresses.

The thing is, the methods I described would take care of the problems if I 
could get them to work - blocking all HTTP/1.0 requests to a specific location, 
and/or blocking everyone from that server.

I am currently working around it by adding a bit of PHP code to the drupal 
settings.php file but I'd like it to be tackled earlier than that - in apache's 
access control or iptables for instance.


On Wed, 2014-04-09 at 10:44 +0300, Oren wrote:


        Hi Ramon.
        Why use apache for the block and not a firewall? It's not apache related
        but I think it's a better way of doing that.
        You can add those addresses to blocking rules and reduce the load on
        the apache before they even reach it.
        I am not sure which OS you use but there are simple ways of doing that
        even if you don't have dedicated hardware.
        
        Oren
        
        

        On 04/09/2014 10:32 AM, Jan Vávra wrote:
        
        

                Hello,
                 try to use an IP address or subnet instead of
                 .broad.pt.fj.dynamic.163data.com.cn
                
                Jan.
                
                

                        I have a website running drupal which is currently under a continuous
                        botnet attack, which is causing major performance issues. I'm trying to
                        use apache's access control mechanism to block these requests.
                        
                        Two characteristics of the attack requests are that they all use
                        HTTP/1.0, and a large percentage of them are within one domain.
                        
                        When I look at my access log, most requests are coming in from:
                        134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
                        129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
                        ...etc.
                        
                        I tried blocking access using Apache's Deny From as follows:
                        
                        <Directory /opt/drupal-7/>
                           Options +FollowSymLinks
                           AllowOverride All
                           Order Allow,Deny
                           Allow from all
                           Deny from .broad.pt.fj.dynamic.163data.com.cn
                        </Directory>
                        
                        However this did not work - all requests are still being allowed in.
                        Note that the /opt/drupal-7 directory is a symlink to the actual
                        directory which has the full version number.
                        
                        Also, since all the botnet requests are marked as HTTP/1.0, I tried to
                        restrict access to the user-registration pages using the protocol, as
                        follows:
                        
                        SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
                        <Location /utenti>
                            Order Allow,Deny
                            Deny from env=BadReq
                        </Location>
                        
                        However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
                        prefix to the user registration page, password-reset page etc. I tried
                        changing around the Order, adding an "Allow from all" but in each case I
                        either end up blocking everyone or letting all requests through.
                        
                        I'd appreciate any advice on how to implement the above or resolve this
                        issue in some other way.
                        
                        --
                        Ramon Casha
                        
                        Note: I have no control over the disclaimer message that will invariably
                        appear below.
                        
                        
                        
                        
                        DISCLAIMER 
                        
                        The information transmitted in this message and any attachments is
                        strictly confidential and intended only for the individual or entity to
                        whom it is addressed.
                        Any form of unauthorised review, transmission, disclosure, publication,
                        reproduction, modification or other use of, or the taking of any action
                        in reliance upon any of the information contained in this e-mail by
                        individuals or entities other than the intended recipient is strictly
                        prohibited.
                        If you are not the named addressee or the person responsible for
                        delivering the message to the named addressee and have received this
                        communication in error, you must not disclose the contents of this e-mail
                        to any other person; or make any copies thereof. If you are not the named
                        recipient please delete/destroy any and all copies that may exist,
                        whether in electronic or hard copy for and notify us immediately on the
                        phone number indicated above and provide us with details about the said
                        e-mail received in error.
                        Since the Internet is not a secure medium Megabyte cannot guarantee the
                        privacy or confidentiality of any e-mail communications transmitted. All
                        messages sent to and from Megabyte Ltd may be monitored and/or recorded
                        to ensure compliance with internal policies and procedures. We disclaim
                        all responsibility and liability whatsoever in relation to any errors or
                        omissions that may reveal themselves in this message and in relation to
                        any damage that may result from any such errors or omissions. We disclaim
                        all responsibility and liability for any damage that may arise from the
                        unauthorised acts of third parties and/or the corruption of any data
                        contained in this message.
                        Thank you. 
                        
                        




-- 

________________________________



Ramon Casha | Technical Specialist | Software Services 
megabyte ltd | e ramon.ca...@megabyte.net
t + 356 21421600 | f + 356 21421590 | w www.megabyte.net 
<http://www.megabyte.net/>  
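
Added example, not part of the original thread: the two access-control attempts quoted above, rewritten so that they behave as intended under Apache 2.2's Order/Allow/Deny directives. The variable name bad_req and the 192.0.2.0/24 block are placeholders chosen for this example; the thread names no address range.

```apache
# Added example, not from the thread. Apache 2.2 syntax (mod_authz_host),
# matching the directives used in the original post.

# 1. One variable name throughout: the post sets Bad_Req but tests BadReq.
SetEnvIf Request_Protocol "^HTTP/1\.0$" bad_req

<Location /utenti>
    # "Order Allow,Deny" denies by default: a request must match an Allow
    # and must not match any Deny. Without an Allow line nothing gets in.
    Order Allow,Deny
    Allow from all
    Deny from env=bad_req
</Location>

# 2. Address-based deny, as suggested in the reply. A hostname in
# "Deny from" only matches when the double reverse DNS lookup of the
# client address succeeds; a CIDR block needs no DNS at all.
# 192.0.2.0/24 is a documentation placeholder, not an address from the log.
<Directory /opt/drupal-7/>
    Options +FollowSymLinks
    AllowOverride All
    Order Allow,Deny
    Allow from all
    Deny from 192.0.2.0/24
</Directory>

# Apache 2.4 equivalent of block 1 (mod_authz_core):
# <Location /utenti>
#     <RequireAll>
#         Require all granted
#         Require not env bad_req
#     </RequireAll>
# </Location>
```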
