Hi Hans-Georg,
On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
Rainer M. Canavan wrote:
On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <h...@chalmers.se>
wrote:
My site is bombarded by POST requests from a site identifying itself
like
123.123.123.123.word.word.word.word
A "deny from" instruction with a string trying to match this in
.htaccess does not appear to work (though other abusers with simple
IP's I can get barred this way).
You don't say where that site identifies itself in such a manner. You
should not enable reverse lookups (i.e. HostnameLookups should be Off,
possibly some other settings), then the first column in your access.log
should always be the actual originating IP address of that request. If
they are real spammers, they have a botnet with lots of IPs in nearly as
many locations and subnets.
rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Blocking from apache:
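<Location />
    # "Order Allow,Deny" rejects any request that matches no Allow directive,
    # so allow everyone first and then deny the offending address.
    Order Allow,Deny
    Allow from all
    Deny from <INSERT IP TO BLOCK HERE>
</Location>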
You can block it at the network stack level too, this way apache does
not even see the request, ex on linux using iptables.
bye,
Frederik
I'm trying with <Location /> now.
HostnameLookups Off
has always been set.
My reply to Richard a minute ago included some incriminating
access.log lines. Ever seen an address like this before?
/Hans-Georg
I've never received those mails.
But as Rainer said, I'm not sure that simple IP blacklisting is
effective in the real world though; it's easy to change IP.
Maybe you can add a captcha, require authentication for accessing the
form or some automatic blacklisting solution or rate limiting ex:
http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
Another, more "disguised" option is using mod_rewrite: matching the IP
and then replying "200 OK" with a fake page or such.
As always you have to choose the solution that suits you most.
Bye,
Frederik
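
One way to approach the automatic blacklisting mentioned above, as an added example that is not part of the original thread: a Python script that counts POST requests per client address in access.log and prints "Deny from" lines for the heaviest senders. It assumes the common/combined log format; the function names, the threshold and the sample log lines are constructed for illustration. Entries whose first column is a hostname rather than an IP are reported separately, since they show that a reverse lookup happened for that request.

```python
import ipaddress
import re
from collections import Counter

# Common/combined log format starts: client ident user [time] "METHOD path proto"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) ')

def post_offenders(lines, threshold=3):
    """Return (IPs with >= threshold POSTs, hostnames seen as client)."""
    posts = Counter()
    hostnames = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        client, method = m.groups()
        try:
            ipaddress.ip_address(client)
        except ValueError:
            # Not an IP: the client column holds a resolved hostname.
            hostnames.add(client)
            continue
        if method == "POST":
            posts[client] += 1
    offenders = sorted(ip for ip, n in posts.items() if n >= threshold)
    return offenders, sorted(hostnames)

def deny_lines(ips):
    """Format directives in the syntax used in this thread."""
    return ["Deny from " + ip for ip in ips]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [30/Sep/2014:19:01:02 +0200] "POST /form.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Sep/2014:19:01:03 +0200] "POST /form.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Sep/2014:19:01:04 +0200] "POST /form.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [30/Sep/2014:19:02:10 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.4 - - [30/Sep/2014:19:02:15 +0200] "POST /form.php HTTP/1.1" 200 512',
    'host.example.net - - [30/Sep/2014:19:03:00 +0200] "POST /form.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    ips, names = post_offenders(SAMPLE)
    print("\n".join(deny_lines(ips)))
    for name in names:
        print("# hostname in client column:", name)
```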