Thanks Oscar,
that makes a lot of sense. I'll try to realize your suggestion. Case closed, thanks everyone, you've all helped to clear things up for me, the newbie.
/Hans-Georg

Oscar Knorn wrote:
Hi Hans-Georg,

I guess you will have to alter the code of the form.

1. check for the referer URI in the action="*" script.
2. establish a session in the form and check for the sessionid in the
action script.
3. use javascript to write additional hidden fields into the form and
check for their contents.

The Apache webserver is definitely not prepared for such attacks.

cheers oscar


On 30.09.2014 at 21:18, Frederik Nosi wrote:
On 09/30/2014 08:55 PM, Hans-Georg Scherneck wrote:
Frederik Nosi wrote:
Hi Hans-Georg,

On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
Rainer M. Canavan wrote:
On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <h...@chalmers.se>
wrote:

My site is bombarded by POST requests from a site identifying itself like
123.123.123.123.word.word.word.word
A "deny from" instruction with a string trying to match this in .htaccess does not appear to work (though other abusers with simple IPs I can get barred this way).
You don't say where that site identifies itself in such a manner. You should not enable reverse lookups (i.e. HostnameLookups should be Off, possibly some other settings), then the first column in your access.log should always be the actual originating IP address of that request. If they are real spammers, they have a botnet with lots of IPs in nearly as many locations and subnets.


rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


Blocking from apache:

<Location />
     # Apache 2.2 mod_authz_host syntax (needs mod_access_compat on 2.4).
     # With "Order Allow,Deny" any client that matches no Allow directive is
     # denied, so "Allow from all" is required or the whole site is closed.
     Order Allow,Deny
     Allow from all
     Deny from <INSERT IP TO BLOCK HERE>
</Location>

You can block it at the network stack level too, this way apache
does not even see the request, e.g. on Linux using iptables.


bye,
Frederik
I'm trying with <Location /> now.

HostnameLookups Off

has always been set.
My reply to Richard a minute ago included some incriminating
access.log lines. Ever seen an address like this before?
/Hans-Georg


I've never received those mails,

But as Rainer said, I'm not sure a simple IP blacklist is effective in
the real world though; it's easy to change IP.

Maybe you can add a captcha, require authentication for accessing
the form or some automatic blacklisting solution or rate limiting ex:

http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second


Another, more "disguised" option: using mod_rewrite, matching the
IP and then replying "200 OK" with a fake page or such.

As always you have to choose the solution that suits you most.


Bye,
Frederik





Thanks everyone, I appreciate.
It rather seems the issue is for the Apache developers to solve, e.g.
to extend the scope of the Deny string match. Should be simple.
Such a solution, not engaging any modules, would be convenient. And
the abusers would just believe their POST gets through.
Not sure about the post content match right now, but filtering by IP
and with some mod_rewrite trickery you can do this right now, ex:

<Location />
     RewriteEngine on

     # RewriteCond lines are ANDed by default; [C] is a RewriteRule-only
     # flag and makes mod_rewrite reject the configuration.
     RewriteCond %{REQUEST_METHOD} ^POST$
     RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123$
     # Inside a container mod_rewrite may strip the leading "/" from the
     # matched path, so keep it optional; THEFORM is the form's path.
     RewriteRule ^/?THEFORM$ /empty_page.html [L]

</Location>

Should work. Hope I got it right, but in any case I hope you got the idea.

Does anyone have the appropriate email address to send the suggestion
to Apache?

I'll also try with the captcha method, hoping they cannot sail around
it.
This is way better

Yet I have my doubts; they already double-cross the form checking
procedure (javascript) that would reject the sending of the html-form
data when the form gets filled with e.g. text instead of specific
numbers.
(They seem to block the sourcing of my javascript, or they might use
a console (-bot) that turns "return false" commands into true. What
they don't know is that normally no human reads the form mails; it's
a program that serves computation requests.
http://holt.oso.chalmers.se/loading )
Checking client-side is trivial to bypass; see wget / curl / phantomjs
if you want to be fancy, etc.

Thanks again and bye
/Hans-Georg











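Rainer's and Frederik's advice in the thread (keep HostnameLookups Off so the first access.log column is the real address, then block by IP) can be checked against the log before touching the config. The following is an added example, not code from the thread, from the Apache project or from the site discussed: it parses Common Log Format lines, tells a literal address apart from a reverse-resolved name of the shape 123.123.123.123.word.word.word.word, counts POSTs per client under the form's path, and renders an Apache 2.4 mod_authz_core block for the literal addresses only. The log lines, the /loading/form.cgi path, the 198.51.100.7 / 203.0.113.9 addresses and the threshold are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed Common Log Format lines (not from the thread's server). The
# first client is the reverse-resolved name shape the thread describes; the
# others are literal addresses from documentation ranges.
SAMPLE_LOG = """\
123.123.123.123.word.word.word.word - - [30/Sep/2014:19:01:02 +0200] "POST /loading/form.cgi HTTP/1.1" 200 512
123.123.123.123.word.word.word.word - - [30/Sep/2014:19:01:03 +0200] "POST /loading/form.cgi HTTP/1.1" 200 512
198.51.100.7 - - [30/Sep/2014:19:01:05 +0200] "POST /loading/form.cgi HTTP/1.1" 200 512
198.51.100.7 - - [30/Sep/2014:19:01:06 +0200] "POST /loading/form.cgi HTTP/1.1" 200 512
198.51.100.7 - - [30/Sep/2014:19:01:07 +0200] "POST /loading/form.cgi HTTP/1.1" 200 512
203.0.113.9 - - [30/Sep/2014:19:02:00 +0200] "GET /loading/ HTTP/1.1" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
LEADING_QUAD_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.")


def classify_client(field):
    """Classify the first access.log column.

    Returns (kind, ip): "ip" for a literal address, which is what you get with
    HostnameLookups Off; "name-with-ip" for a reverse-resolved name that starts
    with a dotted quad, as in the thread; "name" for any other hostname.
    An address pulled out of a name is only a hint: whoever controls the
    reverse zone chooses that string, so it is not used for blocking below.
    """
    try:
        return "ip", str(ipaddress.ip_address(field))
    except ValueError:
        pass
    m = LEADING_QUAD_RE.match(field)
    if m:
        try:
            return "name-with-ip", str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass
    return "name", None


def post_counts(log_text, path_prefix):
    """Count POST requests under path_prefix per client field."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(path_prefix):
            counts[m["client"]] += 1
    return counts


def block_candidates(log_text, path_prefix, threshold):
    """Clients with at least threshold POSTs, most active first,
    as (client_field, kind, ip, count)."""
    out = []
    for client, n in post_counts(log_text, path_prefix).most_common():
        if n < threshold:
            break
        kind, ip = classify_client(client)
        out.append((client, kind, ip, n))
    return out


def require_block(candidates):
    """Render an Apache 2.4 mod_authz_core block denying the literal addresses.

    Names are skipped on purpose: block by address, or turn HostnameLookups
    off and re-run so the log carries addresses in the first place.
    "Require not" is only valid inside RequireAll/RequireAny/RequireNone.
    """
    ips = sorted({ip for _, kind, ip, _ in candidates if kind == "ip"},
                 key=lambda s: (ipaddress.ip_address(s).version,
                                int(ipaddress.ip_address(s))))
    if not ips:
        return None
    lines = ["<RequireAll>", "    Require all granted"]
    lines += ["    Require not ip " + ip for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    cands = block_candidates(SAMPLE_LOG, "/loading/", threshold=2)
    for client, kind, ip, n in cands:
        print(f"{n:4d} POSTs  {kind:13s} {client}")
    print(require_block(cands) or "nothing to block")
```

Run against a real access.log by reading the file into `block_candidates` instead of SAMPLE_LOG; any client that comes back as "name-with-ip" means reverse lookups are still on somewhere (HostnameLookups, or a log format using %h after a proxy) and the log needs fixing before the address can be trusted for a Deny or Require rule.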
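Oscar's steps 2 and 3 (a session-bound token and hidden fields checked in the action script) and Frederik's remark that client-side checks are trivially bypassed both come down to validating on the server. The following is an added example, not code from the thread or from the site at holt.oso.chalmers.se: it issues an HMAC-signed form token bound to a session id and an issue time, rejects submissions whose token is missing, forged, issued for another session or expired, rejects submissions that fill a hidden honeypot field, and repeats on the server the numeric checks the page's JavaScript does on the client. SECRET, the session id, the field names lat/lon with their ranges, and the honeypot field name are placeholders chosen for the example.

```python
import hashlib
import hmac
import re

# Placeholder secret; in practice load a long random value from server config.
SECRET = b"replace-me-with-a-long-random-server-side-secret"
TOKEN_TTL = 3600  # seconds a form token stays valid

# Numeric fields and accepted ranges (assumed names, for illustration only).
NUMBER_FIELDS = {"lat": (-90.0, 90.0), "lon": (-180.0, 180.0)}
HONEYPOT = "website"  # hidden field: humans leave it empty, bots fill everything
NUMBER_RE = re.compile(r"^-?\d+(\.\d+)?$")


def _mac(secret, session_id, ts):
    return hmac.new(secret, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(secret, session_id, now):
    """Token to embed as a hidden field when the form is rendered.

    It binds the form to the session and an issue time, so a bot that never
    fetched the form in that session, or that replays an old page, fails.
    """
    ts = int(now)
    return f"{ts}.{_mac(secret, session_id, ts)}"


def token_valid(secret, session_id, token, now, ttl=TOKEN_TTL):
    """True if token was issued by us for session_id and is at most ttl old."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    if not 0 <= int(now) - ts <= ttl:
        return False
    # Constant-time compare so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, _mac(secret, session_id, ts))


def validate_submission(fields, session_id, now, secret=SECRET):
    """Server-side gate for a POSTed form. Returns (accepted, reason).

    Every check happens here; the JavaScript on the page is only a
    convenience for humans, since wget/curl never run it.
    """
    if not token_valid(secret, session_id, fields.get("form_token", ""), now):
        return False, "missing, forged, foreign or stale form token"
    if fields.get(HONEYPOT, ""):
        return False, "honeypot field filled"
    for name, (lo, hi) in NUMBER_FIELDS.items():
        raw = fields.get(name, "").strip()
        if not NUMBER_RE.match(raw):
            return False, f"{name} is not a number"
        if not lo <= float(raw) <= hi:
            return False, f"{name} out of range"
    return True, "ok"


if __name__ == "__main__":
    import time
    sid = "example-session-id"
    tok = issue_token(SECRET, sid, time.time())
    print(validate_submission({"form_token": tok, "lat": "57.4", "lon": "11.9"}, sid, time.time()))
    print(validate_submission({"form_token": tok, "lat": "text", "lon": "11.9"}, sid, time.time()))
```

The Referer check from Oscar's step 1 is deliberately not relied on: that header is set by the client, so a bot sends whatever it likes, and it only filters the laziest scripts. A CAPTCHA or rate limiting, as Frederik suggests, stack on top of server-side validation rather than replacing it.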