how to 403 to malicious POST requests

Forum Moderators: phranque

Message Too Old, No Replies

how to 403 to malicious POST requests

kaan

10:03 am on Jan 28, 2005 (gmt 0)

Hi all,

How can I send 403 code to malicious post request.

for example i have index.php, index.html, viewtopic.php etc. pages which no need to POST requests to view it. just GET works fine as i see in the log file. (maybe i am wrong)

an example a log of flood attack to our site.

81.215.70.33 - - [16/Jan/2005:07:52:30 -0600] "POST /index.php
HTTP/1.0" 302 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT

I try to add this lines to htaccess file.
RewriteCOnd %{QUERY_STRING} POST /index.php [OR]
RewriteRule .* - [F]

but i get internal server error.

any idea or have any link for htaccess file example for the phpbb forums flood attack protection?

thanks in advance.

kaan

10:08 am on Jan 28, 2005 (gmt 0)

I don't know how to edit my post.

htaccess lines was like this.
RewriteCOnd %{QUERY_STRING} POST /index.html [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$ [OR]
RewriteCond %{HTTP_REFERER} ^-$
RewriteRule .* - [F]

not like above lines.

Sorry for double post.

Thanks again.

Caterham

2:53 pm on Jan 28, 2005 (gmt 0)

I think you ment the variable the_Request, which contains the Request like

POST /viewtopic.php?t=1 HTTP/1.1

QUERY_STRING contains only the qs, in this case

t=1

RewriteCond %{THE_REQUEST} POST /(index\.(html¦php)¦viewtopic\.php) [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$ [OR]
RewriteCond %{HTTP_REFERER} ^-$
RewriteRule .* - [F]

are all three files in your document root?

kaan

3:00 pm on Jan 28, 2005 (gmt 0)

Thank you very much for your reply.
Yes all my document in root.

Thanks again. I will try your solution.

Let me ask one more question.

what about the files not in root. (i.e. /forum/example.php)

Regards.

Marino

3:09 pm on Jan 28, 2005 (gmt 0)

Hello Kaan,

What upsets me is that your server has replied by a "302 Found". It should have been a "405 Method Not Allowed", no?

kaan

3:18 pm on Jan 28, 2005 (gmt 0)

Hello Marino,

Sorry for mistake. I am very new to this stuff. I meant
"when a malicious post request to not related page I want to save my bandwidth."

Which way you suggest. How can I implement your 405 method?

Thanks again for your reply.

kaan

3:45 pm on Jan 28, 2005 (gmt 0)

Hello, Caterham

Your rewrite condition give internal sever error. Could you please tell me what I'am doing wrong?

RewriteCond %{THE_REQUEST} POST /(index\.(html¦php)¦viewtopic\.php) [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$ [OR]
RewriteCond %{HTTP_REFERER} ^-$
RewriteRule .* - [F]

Edit : I changed the broken pipes with solid ones but I still getting internal server error.

Caterham

4:00 pm on Jan 28, 2005 (gmt 0)

Sorry, I forgot to escape the space

POST\ /


RewriteCond %{THE_REQUEST} POST\ /(index\.(html¦php)¦viewtopic\.php) [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$ [OR]
RewriteCond %{HTTP_REFERER} ^-$
RewriteRule .* - [F]

kevinpate

4:01 pm on Jan 28, 2005 (gmt 0)

Perhaps this will work for you:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^POST [NC]
RewriteRule .* - [F]

kaan

6:47 pm on Jan 28, 2005 (gmt 0)

Thank you very much dear Caterham,
worked like a charm.

Dear kevinpate,
If i use this

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^POST [NC]
RewriteRule .* - [F]

is it also sends Forbidden response for the pages that could accept POST methods?

Thank you for your help.