Hi folks, please help with this tricky problem. I have an Apache webserver, working together with Tomcat, serving 3 virtual hosts. In my httpd.conf it looks something like:
-----------------------------------
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName default.example.com
    ServerAlias default.example.com
    DocumentRoot /var/www/html/default_page
    ServerAdmin admin@example.net
    ErrorLog logs/default_example_com-error_log
    CustomLog logs/default_example_com-access_log common
</VirtualHost>

<VirtualHost *:80>
    ServerName host1.net
    ServerAlias host1.net *.host1.net
    DocumentRoot /mnt/sda1/somepath
    ServerAdmin admin@host1.net
    ErrorLog logs/host1.net-error_log
    CustomLog logs/host1.net-access_log common
    RewriteEngine on
    RewriteRule ^(.*\.jsp)$ ajp://localhost:8009/$1 [P,L]
</VirtualHost>

<VirtualHost *:80>
    ServerName host2.se
    ServerAlias host2.se *.host2.se
    DocumentRoot /mnt/sda1/somepath
    ServerAdmin admin@host2.net
    ErrorLog logs/host2.se-error_log
    CustomLog logs/host2.se-access_log common
    RewriteEngine on
    RewriteRule ^(.*\.jsp)$ ajp://localhost:8009/$1 [P,L]
</VirtualHost>
-----------------------------------
This works fine. However, the default host, that is the first one, is spammed with a lot of junk calls (requests probably addressed to my IP, maybe even randomly!?). Right now, every hour, I scan the log (default_example_com-access_log) and add all the calling IPs to /etc/sysconfig/iptables, preventing them from spamming me again. However, every hour, 100-200 new IPs spamming me are found, and the iptables file grows very fast. I figure more people have probably had this issue?
Examples of the junk calls reaching me (default_example_com-access_log):
-----------------
219.133.9.113 - - [18/Oct/2008:10:11:13 +0200] "GET http://www.zk365.us/ HTTP/1.0" 200 28725
60.180.222.50 - - [18/Oct/2008:10:11:18 +0200] "GET http://www.google.com/intl/zh-CN/ HTTP/1.1" 200 5518
219.133.9.113 - - [18/Oct/2008:10:11:36 +0200] "GET http://www.zk365.us/ HTTP/1.0" 200 28725
77.35.28.194 - - [18/Oct/2008:10:11:38 +0200] "GET http://search.yahoo.com/ HTTP/1.0" 200 6157
77.120.67.25 - - [18/Oct/2008:10:11:39 +0200] "GET http://www.nassc.com/pr.php HTTP/1.1" 200 1325
77.35.28.194 - - [18/Oct/2008:10:11:39 +0200] "GET http://images.google.com/ HTTP/1.0" 200 5922
41.233.192.187 - - [18/Oct/2008:10:11:39 +0200] "GET http://images.google.com/ HTTP/1.1" 200 5916
77.35.28.194 - - [18/Oct/2008:10:11:40 +0200] "CONNECT www.microsoft.com:443 HTTP/1.0" 200 -
41.233.192.187 - - [18/Oct/2008:10:11:40 +0200] "GET http://www.aol.com/ HTTP/1.1" 200 68207
41.233.192.187 - - [18/Oct/2008:10:11:42 +0200] "CONNECT www.microsoft.com:443 HTTP/1.0" 200 -
61.140.189.187 - - [18/Oct/2008:10:11:43 +0200] "GET http://web.51.la/go.asp?we=A-Free-Service-for-W.... =1024,768&referrer=http%3A//news.163.com/&vpage=http%3A//www.piaoge.com/ HTTP/1.1" 200 -
92.124.179.63 - - [18/Oct/2008:10:11:42 +0200] "CONNECT 205.188.179.233:443 HTTP/1.0" 200 -
74.32.195.251 - - [18/Oct/2008:10:11:52 +0200] "GET http://n10.login.re3.yahoo.com/config/isp_...
219.133.9.113 - - [18/Oct/2008:10:11:54 +0200] "GET http://www.zk365.us/ HTTP/1.0" 200 28725
-----------------
Observe, none of those calls are actually addressed to my server; maybe someone (robots) tries to relay calls through my server!? I'll attach the access log. Has anyone had a similar problem and maybe found a smart solution? My current solution seems to take quite some bandwidth (as soon as I switch the server off, I can surf as normal; I have 8 MB uplink and 8 MB downlink). Grateful for any help. Cheers, karnbo
These are not normal requests. A normal request starts with a slash and not a fully qualified URL:

GET /index.php

Since they are malformed requests we can detect and reject the request. You can add a rewrite rule that will catch these types of requests and send them a 403 response. Something like this:

RewriteCond %{THE_REQUEST} (GET|CONNECT)\ [^/] [NC]
RewriteRule .* - [F]

You may need to add extra request methods if they are using more than just GET and CONNECT. The advantage of this is that it will use much less CPU time than invoking PHP to generate your normal pages and hopefully significantly less bandwidth, because a 403 response is pretty small compared to your normal pages. Another tip might be to check how long each IP address keeps coming back for once it is added to the firewall. If they only keep trying for an hour or two then remove them from the block list after three hours. That should keep your iptables configuration a bit smaller. Lastly, make sure you are dropping the connections and not rejecting them (i.e. -j DROP instead of -j REJECT). Dropping the connection doesn't send any kind of response, which ties up resources on their end for a period of time, which hurts the spammers. Rejecting the connection sends a response, which means they can immediately end the connection and start a new one. Making life more difficult for spammers is good.
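The answer above describes two things that are easy to get wrong by hand: telling a forward-proxy request (absolute URI or CONNECT) apart from a normal origin-form request, and expiring firewall bans after a few hours instead of letting the iptables file grow forever. The script below is an added example written for this thread, not code posted by anyone in it. It parses Apache "common" log lines like the ones in the first post, classifies each request line, and keeps a ban list that forgets an address once it has been quiet for the three hours suggested above. The log lines it runs on are constructed (RFC 5737 addresses) and the `BanList` class and its TTL are assumptions for illustration; it only prints the iptables commands rather than running them.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "common" log format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 addresses), shaped like the ones in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Oct/2008:10:11:13 +0200] "GET http://www.example.org/ HTTP/1.0" 200 28725
198.51.100.7 - - [18/Oct/2008:10:11:18 +0200] "GET /index.jsp HTTP/1.1" 200 5518
192.0.2.10 - - [18/Oct/2008:10:11:36 +0200] "GET http://www.example.org/ HTTP/1.0" 200 28725
203.0.113.5 - - [18/Oct/2008:10:11:40 +0200] "CONNECT www.example.com:443 HTTP/1.0" 200 -
198.51.100.7 - - [18/Oct/2008:10:11:41 +0200] "OPTIONS * HTTP/1.1" 200 -
203.0.113.5 - - [18/Oct/2008:12:55:00 +0200] "GET http://search.example.net/ HTTP/1.1" 200 6157
"""


def parse_line(line):
    """Return (ip, timestamp, request_line), or None if the line is not common-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), when, m.group("request")


def is_proxy_request(request_line):
    """True when the request line only makes sense if the client thinks we are a proxy.

    Origin-form targets start with "/" (GET /index.jsp HTTP/1.1) and "*" is the
    asterisk form used by OPTIONS; both are legitimate.  An absolute URI
    (GET http://host/ ...) or CONNECT host:port is forward-proxy traffic.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return False  # malformed in some other way; not the pattern we are after
    method, target = parts[0], parts[1]
    if method.upper() == "CONNECT":
        return True
    return not (target.startswith("/") or target == "*")


class BanList:
    """IPs seen making proxy-style requests, forgotten after `ttl` of silence (assumed policy)."""

    def __init__(self, ttl=timedelta(hours=3)):
        self.ttl = ttl
        self.last_seen = {}  # ip -> time of its most recent abusive request

    def observe(self, ip, when):
        prev = self.last_seen.get(ip)
        if prev is None or when > prev:
            self.last_seen[ip] = when

    def active(self, now):
        return sorted(ip for ip, t in self.last_seen.items() if now - t < self.ttl)

    def expire(self, now):
        """Drop IPs quiet for at least ttl; return them so the caller can delete their rules."""
        gone = sorted(ip for ip, t in self.last_seen.items() if now - t >= self.ttl)
        for ip in gone:
            del self.last_seen[ip]
        return gone

    def iptables_rules(self, now):
        # -j DROP rather than REJECT, as recommended above: no reply packets at all.
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in self.active(now)]


def scan(log_text, bans):
    """Feed every proxy-style request in `log_text` into `bans`; return per-IP counts."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, request = parsed
        if is_proxy_request(request):
            counts[ip] += 1
            bans.observe(ip, when)
    return counts


def demo(now_text="18/Oct/2008:13:30:00 +0200"):
    """Run the sample log through the pipeline as of `now_text` (log-format timestamp)."""
    bans = BanList()
    counts = scan(SAMPLE_LOG, bans)
    now = datetime.strptime(now_text, TIME_FMT)
    return dict(counts), bans.expire(now), bans.iptables_rules(now)


if __name__ == "__main__":
    counts, expired, rules = demo()
    print("proxy-style requests per IP:", counts)
    print("expired bans:", expired)
    print("\n".join(rules))
```

In the sample, 192.0.2.10 made its last proxy-style request at 10:11 and is expired by 13:30, while 203.0.113.5 was still at it at 12:55 and stays blocked. Note that the check keys on the request target, not the status code: in the first post every relayed request returned 200 because the server really did fetch the remote page, so a status-based filter would see nothing wrong.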
Another point here is that using DROP instead of REJECT helps to lower the bandwidth used on your end since you aren't replying to the spammer, that's less outgoing packets on your interface. Using DROP vice REJECT is beneficial from that standpoint as well.
Does the NC mean to drop or ?? the connection? Sorry to be a nuisance but can you give an example of how this could be done. One last question. Can I place the above in my httpd.conf so it will work for all the virtual servers I have on my server? Thanks, acl
You can ban an IP in iptables with:

iptables -I INPUT -s 25.55.55.55 -j DROP

Replacing 25.55.55.55 with the IP you want banned, of course.
I think that your IP has a loophole and is being used as a proxy. To test this, just put your IP and port 80 in your browser as the proxy and try to visit another site. If this is the case you need to fix it so that it won't act as a proxy. Regards
I'm trying the above suggestion and also added the following, so now I have another log file to check:

RewriteLogLevel 3
RewriteLog /usr/local/apache/domlogs/angelescitylife.com-rewrite

Thanks, acl
optimizare! Thanks. I tried your trick to see if I had my server configured as a proxy, but no success. Today I was just looking through my httpd.conf file and I saw that Proxy was enabled. I removed it and it solved the problem. This was definitely my main problem! Thanks! This proxy thing cost me a lot of pain...
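The last post names the root cause: Apache had forward proxying switched on, so any client could hand it an absolute URL or a CONNECT and have the server fetch it. The fragment below is an added example, not the poster's httpd.conf. It assumes the directive that was "enabled" was `ProxyRequests On` (the poster does not say which line was removed) and that the modules are loaded from `modules/`. The point it shows is that the `[P]` flag in the posted `RewriteRule` needs `mod_proxy` and `mod_proxy_ajp` loaded but does not need `ProxyRequests`, so the reverse-proxying to Tomcat keeps working with forward proxying off.

```apache
# --- weak: forward proxying on for the whole server ---------------------
# With this, "GET http://other-host/ HTTP/1.0" and "CONNECT host:443" from
# anyone on the Internet are served, which is exactly the traffic in the log.
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyRequests On

# --- hardened: same modules, forward proxying off (Off is also the default)
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyRequests Off

<VirtualHost *:80>
    ServerName host1.net
    ServerAlias host1.net *.host1.net
    DocumentRoot /mnt/sda1/somepath
    RewriteEngine on
    # Reverse-proxy .jsp to Tomcat over AJP; [P] works without ProxyRequests On.
    RewriteRule ^(.*\.jsp)$ ajp://localhost:8009/$1 [P,L]
</VirtualHost>
```

After the change, repeat the check suggested earlier in the thread: configure a browser (or `curl -x yourhost:80 http://www.example.com/`) to use the server as its proxy and confirm the request is no longer relayed, and watch the default host's access log for absolute-URI or CONNECT request lines, which should now stop drawing 200 responses.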