How to Configure Apache 2.4 for a 0 Byte Server Response to Baaad Bots - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

How to Configure Apache 2.4 for a 0 Byte Server Response to Baaad Bots

Need guidance as I thought IP blocking, alone, would produce this outcome

Webwork

6:32 pm on Jun 18, 2016 (gmt 0)

WebmasterWorld Administrator

10+ Year Member

Top Contributors Of The Month

I'm confaddled.

I thought that by blocking IP ranges, at the Apache previrtual include level, that bots arriving from those IP addresses would do something like "bounce off the wall" - that is - would trigger nothing, "just be stopped", be DOA . . whatever. (Wouldn't that be nice?)

Question 1: IS there a way in Apache's configuration to simply have the gnats (bots) "bounce off the windshield" (server) without consuming any resources? (I guess something has to happen @ the server for this to happen.)

Question 2: IF the answer to #1 is "No, the windshield is code and code gotta 'do something" then what is the simplest, most elegant, least resource consuming 'response' - way to treat the gnats like they deserve - and how is that configured? Is it a matter of very lightweight (text) 403 error docs? What is the least a server can do to say, to a bot, "No, not you, not ever!"? (I thought it was simply to block IP addresses but . . there's more.)

People who send referer spam are a special life form that doesn't deserve to eat the excrement of the pond scum that lives at the bottom of the most polluted and lifeless pond . . except, maybe if that was a special version of hades to which the universe sends them upon the unraveling of their mortal coil. (Have I expressed my sentiment with sufficient animus?)

not2easy

7:11 pm on Jun 18, 2016 (gmt 0)

WebmasterWorld Administrator

10+ Year Member

Top Contributors Of The Month

"No, the windshield is code and code gotta 'do something" you are right.

If you are not concerned ever about possibly blocking human visitors by accident you can serve a tiny page:
ErrorDocument 403 "Access Denied"
in place of an actual page you might want in case of humans getting blocked:
ErrorDocument 403 /403page.htm
(or whatever)
and the server will simply serve a page that says "Access Denied" - no actual page required.

This does not mean they will stop trying, but it is less load.

wilderness

7:32 pm on Jun 18, 2016 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Not to confuse matters, believe you may also use headers and not use a 403 page at all,

Seems to me lucy provided some lines at one time or another.

lucy24

9:36 pm on Jun 18, 2016 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

believe you may also use headers and not use a 403 page at all,

Seems to me lucy provided some lines at one time or another.

Oh, dear, one of us is suffering from a garbled memory, but I'm not going to speculate about who it is ;) Quite possibly both.

I currently block only by headers, apart from a single /16 that became so vexatious I added them to the list temporarily. (Will re-check in a month or so if I remember. Absolutely humanoid headers, and changed UA far more often than normal people change their socks,so there wasn't anything else to go on.) Technically it's blacklisting, in the sense that it comes down to "Deny from blahblah". But really it's whitelisting, because known acceptable robots can override the various "bad robot get out of my sight I don't like your face" environmental variables.

I have an extremely generous 403 page whose primary function is to identify wrongly excluded humans. In practice, though, most of them are referer spam from infected Brazilian machines.

:: idly wondering why Russia and Brazil get different types of infections even though none of the underlying agents are local ::

Edit: I thought the whole point of a firewall was that they don't even get in to pester the server in the first place. Like getting intercepted at a security checkpoint before you reach the visitor sign-in book (which you have to sign even if the receptionist then says he's in a meeting for the next three years).