Hi Hans-Georg,
i guess, you will have to alter the Code of the form.
1. check for the referer URI in the action="*" script.
2. establish a session in the form and check for the sessionid in the
action script.
3. use javascript to write additional hidden fields into the form and
check for their contents.
apache webserver is definitely not prepared for such attacks.
cheers oscar
Am 30.09.2014 um 21:18 schrieb Frederik Nosi:
> On 09/30/2014 08:55 PM, Hans-Georg Scherneck wrote:
>> Frederik Nosi wrote:
>>> Hi Hans-Georg,
>>>
>>> On 09/30/2014 08:26 PM, Hans-Georg Scherneck wrote:
>>>> Rainer M. Canavan wrote:
>>>>> On Sep 30, 2014, at 19:16 , Hans-Georg Scherneck <hgs@xxxxxxxxxxx>
>>>>> wrote:
>>>>>
>>>>>> My site is bombarded by POST requests from a site identifying
>>>>>> itself like
>>>>>> 123.123.123.123.word.word.word.word
>>>>>> A "deny from" instruction with a string trying to match this in
>>>>>> .htaccess does not appear to work (though other abusers with
>>>>>> simple IP's I can get barred this way).
>>>>> You don't say where that sites identifies itself in such a manner.
>>>>> You should
>>>>> not enable reverse lookups (i.e. HostnameLookups should be Off,
>>>>> possibly some
>>>>> other settings), then the first column in your access.log should
>>>>> always be
>>>>> the actual originating IP address of that request. If they are
>>>>> real spammers,
>>>>> they have a botnet with lots of IPs in nearly as many locations
>>>>> and subnets.
>>>>>
>>>>>
>>>>> rainer
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>>>
>>>>>
>>>>> Blocking from apache:
>>>>>
>>>>> <Location />
>>>>> Order Allow,Deny
>>>>> Deny from <INSERT IP TO BLOCK HERE>
>>>>> </Location>
>>>>>
>>>>> You can block it at the network stack level too, this way apache
>>>>> does not even see the request, ex on linux using iptables.
>>>>>
>>>>>
>>>>> bye,
>>>>> Frederik
>>>>
>>>> I'm trying with <Location /> now.
>>>>
>>>> HostnameLookups Off
>>>>
>>>> has always been set.
>>>> My reply to Richard a minute ago included some incriminating
>>>> access.log lines. Ever seen an address like this before?
>>>> /Hans-Georg
>>>>
>>>
>>>
>>> I've never recieved those mails,
>>>
>>> But as Rainer said not sure that a simple IP blacklisting if it's
>>> effective in the real world thoughthough, it's easy to change IP.
>>>
>>> Maybe you can add a captcha, require authentication for accessing
>>> the form or some automatic blacklisting solution or rate limiting ex:
>>>
>>> http://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second
>>>
>>>
>>> another more "disguised" option, using the mod_rewrite, matching the
>>> IP and then replying "200 ok" with a fake page or such.
>>>
>>> As always you have to choose the solution that suits you most.
>>>
>>>
>>> Bye,
>>> Frederik
>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>
>>> .
>>>
>> Thanks everyone, I appreciate.
>> It rather seems the issue is for the Apache developers to solve, e.g.
>> to extend the scope of the Deny string match. Should be simple.
>> Such a solution, not engaging any modules, would be convenient. And
>> the abusers would just believe their POST gets through.
>
> Not sure about the post content match right now, but filtering by IP
> and with some mod_rewrite trickery you can do this right now, ex:
>
> <Location />
> RewriteEngine on
>
> RewriteCond %{REQUEST_METHOD} POST [C]
> RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123
> RewriteRule /THEFORM /empty_page.html [L]
>
> </Location>
>
> should work. Hope i got it right, but in case hope you got the idea.
>
>> Does anyone have the appropriate email address to send the suggestion
>> to Apache?
>>
>> I'll also try with the captcha method, hoping they cannot sail around
>> it.
>
> This is way better
>
>> Yet I have my doubts; they already double-cross the form checking
>> procedure (javascript) that would reject the sending of the html-form
>> data when the form gets filled with e.g. text instead of specific
>> numbers.
>> (They seem to block the sourcing of my javascript, or they might use
>> a console (-bot) that turns "return false" commands into true. What
>> they don't know is, that normally no human reads the form mails; it's
>> a program that serves computation requests.
>> http://holt.oso.chalmers.se/loading )
>
> Checking client side is trivial to bypass, see wget / curl / phantomjs
> if you want to be fancy ecc
>
>> Thanks again and bye
>> /Hans-Georg
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|