
Apache Web Server Forum

    
Blocking IPs based on incoming URL
rajatgarg




msg:3804030
 6:49 am on Dec 10, 2008 (gmt 0)

Hi,

I have installed APF and Dos Denial on the system. However, I am still not able to block the attacker as he is using multiple IP addresses to send the spam bots with URLs like -

200 73621 "http://media.adrevolver.com/adrevolver/banner?place=31439&cpy=9678696" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

200 100 "http://media.adrevolver.com/adrevolver/banner?place=31439&cpy=9742292" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"

"http://d3.zedo.com/jsc/d3/ff2.html?n=790;c=843/1;s=785;d=14;w=728;h=90" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"

Is there a way I can set up something like -

in file (used because apache + mongrel setup)->
/usr/local/apache2/conf/extra/httpd-vhosts.conf

# redirect all spam - like urls to a script
RewriteCond %{REQUEST_URI} ^/(zedo¦adrevolver¦trafficmp)(/)?$
RewriteRule ^.* /usr/local/ddos/ddos.sh -d %{REMOTE_ADDR} [PT,L]

However, the lines do not work.

I would really appreciate it if you could suggest how to block all/any IP addresses that are sending a type of request.

Thanks in advance for your help.

Rajat

 

Frank_Rizzo




msg:3804088
 9:14 am on Dec 10, 2008 (gmt 0)

Far better to use something like modsecurity.

Not only will you get comprehensive protection from common attacks but you can also add custom rules:

SecRule REQUEST_URI "media\.adrevolver\.com" "log,exec:/usr/local/ddos/ddos.sh,drop,phase:1"

You can pick up the envars in the script and thus ban or block the IP if specific words are detected.
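
One shape the script behind the exec: action in the post above could take, added here as an example and not code posted by anyone in this thread. It relies on ModSecurity's documented exec behaviour (no arguments, CGI-style environment including REMOTE_ADDR, some output required on stdout). The BLOCKLIST and ALLOWLIST names and paths are assumptions, and the script only records addresses so that a separate privileged job can apply the firewall change, since Apache normally runs unprivileged.

```shell
#!/bin/sh
# Added example: handler for a ModSecurity exec: action. IPv4 only.
# BLOCKLIST and ALLOWLIST are assumed names/paths, not from the thread.
BLOCKLIST="${BLOCKLIST:-/var/lib/ddos/blocklist.txt}"
ALLOWLIST="${ALLOWLIST:-127.0.0.1}"   # space-separated, never listed

# Succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Safe to split unquoted: only digits and dots remain at this point.
    set -- $(echo "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append one address to the blocklist, once. Always prints a status line,
# because ModSecurity treats a script that writes nothing as failed.
record_offender() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        echo "skipped: not an IPv4 address"
        return 1
    fi
    for ok in $ALLOWLIST; do
        if [ "$ip" = "$ok" ]; then
            echo "skipped: allowlisted"
            return 0
        fi
    done
    if [ -f "$BLOCKLIST" ] && grep -qxF "$ip" "$BLOCKLIST"; then
        echo "already listed"
        return 0
    fi
    echo "$ip" >> "$BLOCKLIST" && echo "listed $ip"
}

# ModSecurity passes no arguments; the client address is in the environment.
if [ -n "${REMOTE_ADDR:-}" ]; then
    record_offender "$REMOTE_ADDR"
else
    echo "REMOTE_ADDR not set; nothing to do"
fi
```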

wilderness




msg:3804118
 10:31 am on Dec 10, 2008 (gmt 0)

Is there a way I can set up something

block all/any IP addresses that are sending a type of request

#Turn on Rewrite, if NOT done previously
RewriteEngine on
# If Referer contains any of the terms, anywhere, deny access
RewriteCond %{HTTP_REFERER} (zedo¦adrevolver¦trafficmp)
RewriteRule .* - [F]

Corrections required for the forum breaking of pipe characters before use.

You may also change the second line to other options, such as the script you mentioned; however, in the event that your desire is to simply deny access, the two lines will work when the referer is shown in the request.

Frank's explanation may be more in line with what you desire to accomplish, whereas the method I've provided is SIMPLE.
