Hi All,
Can anyone please suggest steps to remove vulnerability
OpenSSL "Heartbleed" Vulnerability
in apache.
From: Ramon Casha [mailto:ramon.casha@xxxxxxxxxxxx]
Sent: Wednesday, April 09, 2014 1:57 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Access control advice needed
To be honest I don't want to end up having to maintain the IP blocks that correspond to the computers that are sending the requests, which is why I tried using the partial domain name. The apache documentation seems to suggest this would
work:
A (partial) domain-name
Example:
Allow from apache.org
Allow from .net example.edu
The server is running Linux so I've got iptables but, again, I want to avoid having to maintain the list of blocked IP addresses.
The thing is, the methods I described would take care of the problems if I could get them to work - blocking all HTTP/1.0 requests to a specific location, and/or blocking everyone from that server.
I am currently working around it by adding a bit of PHP code to the drupal settings.php file but I'd like it to be tackled earlier than that - in apache's access control or iptables for instance.
On Erb, 2014-04-09 at 10:44 +0300, Oren wrote:
Hi Ramon.
Why use apache for the block and not a firewall? its not apache related but i think its a better way of doing that.
You can add those addresses to blocking rules and reduce the load on the apache before they even reach it.
I am not sure which os you use but there are simple ways of doing that even if you dont have dedicated hardware.
Oren
On 04/09/2014 10:32 AM, Jan Vávra wrote:
Hello,
try to use an IP address or subnet instead of .broad.pt.fj.dynamic.163data.com.cn
Jan.
I have a website running drupal which is currently under a continuous
botnet attack, which is causing major performance issues. I'm trying to
use apache's access control mechanism to block these requests.
Two characteristics of the attack requests are that they all use
HTTP/1.0, and a large percentage of them are within one domain.
When I look at my access log, most requests are coming in from:
134.230.153.27.broad.pt.fj.dynamic.163data.com.cn
129.199.159.27.broad.pt.fj.dynamic.163data.com.cn
...etc.
i tried blocking access using Apache's Deny From as follows:
<Directory /opt/drupal-7/>
Options +FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
Deny from .broad.pt.fj.dynamic.163data.com.cn
</Directory>
However this did not work - all requests are still being allowed in.
Note that the /opt/drupal-7 directory is a symlink to the actual
directory which has the full version number.
Also, since all the botnet requests are marked as HTTP/1.0, I tried to
restrict access to the user-registration pages using the protocol, as
follows:
SetEnvIf Request_Protocol "^HTTP/1\.0$" Bad_Req
<Location /utenti>
Order Allow,Deny
Deny from env=BadReq
</Location>
However this is blocking everything - HTTP/1.0 or 1.1. "/utenti" is the
prefix to the user registration page, password-reset page etc. I tried
changing around the Order, adding an "Allow from all" but in each case I
either end up blocking everyone or letting all requests through.
I'd appreciate any advice on how to implement the above or resolve this
issue in some other way.
--
Ramon Casha
Note: I have no control over the disclaimer message that will invariably
appear below.
DISCLAIMER
The information transmitted in this message and any attachments is strictly confidential and intended only for the individual or entity to whom it is addressed.
Any form of unauthorised review, transmission, disclosure, publication, reproduction, modification or other use of, or the taking of any action in reliance upon any of the information contained in this e-mail by individuals or entities other than the intended
recipient is strictly prohibited.
If you are not the named addressee or the person responsible for delivering the message to the named addressee and have received this communication in error, you must not disclose the contents of this e-mail to any other person; or make any copies thereof.
If you are not the named recipient please delete/destroy any and all copies that may exist, whether in electronic or hard copy for and notify us immediately on the phone number indicated above and provide us with details about the said e-mail received in error.
Since the Internet is not a secure medium Megabyte cannot guarantee the privacy or confidentiality of any e-mail communications transmitted. All messages sent to and from Megabyte Ltd may be monitored and/or recorded to ensure compliance with internal policies
and procedures. We disclaim all responsibility and liability whatsoever in relation to any errors or omissions that may reveal themselves in this message and in relation to any damage that may result from any such errors or omissions. We disclaim all responsibility
and liability for any damage that may arise from the unauthorised acts of third parties and/or the corruption of any data contained in this message.
Thank you.
|
--
Ramon Casha | Technical Specialist | Software Services
megabyte ltd | e ramon.casha@xxxxxxxxxxxx
t + 356 21421600 | f + 356 21421590 | w www.megabyte.net
Please consider your environmental responsibility before printing this e-mail
|
DISCLAIMER
The information transmitted in this message and any attachments is strictly confidential and intended only for the individual or entity to whom it is addressed.
Any form of unauthorised review, transmission, disclosure, publication, reproduction, modification or other use of, or the taking of any action in reliance upon any of the information contained in this e-mail by individuals
or entities other than the intended recipient is strictly prohibited.
If you are not the named addressee or the person responsible for delivering the message to the named addressee and have received this communication in error, you must not disclose the contents of this e-mail to any
other person; or make any copies thereof. If you are not the named recipient please delete/destroy any and all copies that may exist, whether in electronic or hard copy for and notify us immediately on the phone number indicated above and provide us with details
about the said e-mail received in error.
Since the Internet is not a secure medium Megabyte cannot guarantee the privacy or confidentiality of any e-mail communications transmitted. All messages sent to and from Megabyte Ltd may be monitored and/or recorded
to ensure compliance with internal policies and procedures. We disclaim all responsibility and liability whatsoever in relation to any errors or omissions that may reveal themselves in this message and in relation to any damage that may result from any such
errors or omissions. We disclaim all responsibility and liability for any damage that may arise from the unauthorised acts of third parties and/or the corruption of any data contained in this message.
Thank you.
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
www.wipro.com
|
