
Apache Web Server Forum

Blocking WebDAV?

 2:32 am on Oct 24, 2003 (gmt 0)

...topic continued from: [webmasterworld.com...]

I'm on a shared Apache server with all mods enabled. I cannot remove mods myself. Is there a way to stop mod_webdav using .htaccess?

- or -

I'm currently blocking: Microsoft-WebDAV-MiniRedir, and have added a generic block for any UA using: WebDAV, but since this UA:

195.xxx.36.33 - - [23/Oct/2003:03:52:39 -0700] "PROPFIND /images/image.gif HTTP/1.1" 405 573 "-"

did not identify using "WebDAV", is there a way to block the method "PROPFIND"?

(I did block the IP)


[edited by: jdMorgan at 3:09 am (utc) on Oct. 24, 2003]
[edit reason] Generalized IP address [/edit]



 3:10 am on Oct 24, 2003 (gmt 0)


You don't need to do anything to block it, because your server responded with 405-Method Not Allowed.

You (or your host) may have a directive such as <Limit> or <LimitExcept> that blocks it, or maybe even a mod_rewrite rule that looks at {HTTP_METHOD} and only allows GET, HEAD, OPTIONS, and POST, but the log line you posted shows PROPFIND is already blocked.



 3:31 am on Oct 24, 2003 (gmt 0)

OK - thanks Jim, guess I'm searching for a means.

This IP came in through a French Google SERP, viewed a couple pages, then pulled out a download method and grabbed 200 image files from disallowed directories. I don't know how PROPFIND fits into the picture, but each time PROPFIND is 405'd, then he changes method and gets the files.

195.xxx.36.33 - - [23/Oct/2003:03:51:54 -0700] "GET / HTTP/1.1" 200 11148 "http://www.google.fr/search?hl=fr&ie=UTF-8&oe=UTF-8&q=SEARCH+TERM&btnG=Recherche+Google&meta="

195.xxx.36.33 - - [23/Oct/2003:03:52:38 -0700] "PROPFIND /images/image1.gif HTTP/1.1" 405 573 "-" "-"

195.xxx.36.33 - - [23/Oct/2003:03:52:38 -0700] "GET /images/image1.gif HTTP/1.1" 200 573 "-" "-"

...this continues for about 200 files.


 4:46 am on Oct 24, 2003 (gmt 0)


I think he's trying to use PROPFIND to make his operation more efficient on MS servers with DAV available. I haven't used DAV before, but maybe he can get the properties of the image (size, type, date, author - all that stuff you see associated with MS-tool-created documents) using PROPFIND, and do it more efficiently than downloading each image individually and 'looking at it'.

If this "theory" holds up, what it means is that they don't want the image, they want information about the image, so my call would be that they're looking for copied copyrighted images.

There has to be a big payoff to this, otherwise using a MS-only method when half the world uses Apache would be a huge waste of time. So, I think they want to know something about the image without downloading the image itself, if possible. So, they try PROPFIND first.

OK, absolutely everything above is a guess based on what you posted. I hope it's a logical guess, though.


For info on PROPFIND, take a look at the link cited in the other thread, and if that doesn't help, maybe use the info learned there to ask in the MS-related forum.



OK, first, your server can't do PROPFIND or won't allow it now. So to fix the real problem (image download and associated bandwidth) regardless of the requesting IP, you could look for that blank referer and blank user agent, but NOT a HEAD request. Maybe restrict the blocking to image files only at first. That will block some bad guys, but still let AOL's custom cache implementation work OK. AOL's cache does a HEAD request with blank referer and blank user-agent instead of a cGET with IF-MODIFIED-SINCE and the time they last cached the page -- they just gotta be different, I guess. Maybe it's an HTTP-version thing.
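The check suggested in the post above (blank referer and blank user agent, image files only, HEAD exempt), run over access-log lines, as an added example that is not part of the original thread. The sample lines, documentation IP addresses and function names are constructed for illustration; the last function also flags the 405'd-PROPFIND-then-GET sequence described earlier in the thread.

```python
import re

# Apache "combined" log format, matching the lines quoted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
IMAGE_RE = re.compile(r"\.(?:gif|jpe?g|png)$", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2003:03:51:54 -0700] "GET / HTTP/1.1" 200 11148 "http://www.example.com/search?q=term" "Mozilla/4.0 (compatible)"
192.0.2.10 - - [23/Oct/2003:03:52:38 -0700] "PROPFIND /images/image1.gif HTTP/1.1" 405 573 "-" "-"
192.0.2.10 - - [23/Oct/2003:03:52:38 -0700] "GET /images/image1.gif HTTP/1.1" 200 573 "-" "-"
198.51.100.7 - - [23/Oct/2003:04:10:02 -0700] "HEAD /images/image1.gif HTTP/1.0" 200 0 "-" "-"
198.51.100.8 - - [23/Oct/2003:04:11:15 -0700] "GET /images/image2.gif HTTP/1.1" 200 812 "http://www.example.com/page.html" "Mozilla/4.0 (compatible)"
192.0.2.10 - - [23/Oct/2003:04:12:40 -0700] "GET /index.html HTTP/1.1" 200 4096 "-" "-"
"""

def parse(text):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def blank(value):
    # Apache logs an absent request header as "-".
    return value in ("", "-")

def would_block(rec):
    """Blank referer AND blank user agent, image files only, HEAD exempt."""
    path = rec["path"].split("?", 1)[0]  # ignore any query string
    return (rec["method"] != "HEAD" and blank(rec["referer"])
            and blank(rec["ua"]) and bool(IMAGE_RE.search(path)))

def probe_then_fetch(records):
    """(ip, path) pairs where a 405'd PROPFIND was followed by a 200 GET."""
    probed, hits = set(), []
    for rec in records:
        key = (rec["ip"], rec["path"])
        if rec["method"] == "PROPFIND" and rec["status"] == "405":
            probed.add(key)
        elif rec["method"] == "GET" and rec["status"] == "200" and key in probed:
            hits.append(key)
    return hits

if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    for rec in records:
        print("BLOCK" if would_block(rec) else "allow", rec["ip"], rec["method"], rec["path"])
    print("probe-then-fetch:", probe_then_fetch(records))
```

Running the rule over existing logs before enforcing it shows which legitimate clients, such as the HEAD-based cache checks mentioned above, would be affected.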



 7:51 am on Oct 24, 2003 (gmt 0)

Yeah, that makes sense. FrontPage support is listed in my Apache header response, even though I have no FP created docs on my domain and don't even have FP extensions enabled. Reverse IP credits a French company, who may in fact be gathering the type of info you mentioned - anyway, I'm pretty sure my blocks will do the job. Thanks.
