Re: [users@httpd] How to close connection instead of sending 403?


 



Yes, I see where you're coming from...

Actually, thinking further, you CAN set up mod_security so that it drops the connection - for example, I have this as a default action in my mod_security setup...

SecFilterDefaultAction "deny,log,status:403,system:/usr/local/pft/add_httpd_block %s"

The 'add_httpd_block' script is something I wrote myself to drop the connection and block the IP for a while. I just drop all connections from that IP (because that's what I want), but I'm sure you could work out something that will allow you to drop just this client, thus releasing the connection.

You could also reduce the ip idle timeout at the firewall so that hanging connections get removed quicker; assuming the client has given up because you're not responding then the connection will be idle - if the client has not given up then short of blocking the ip address (which you say you don't want to do) there's not much you can do about it anyway.

Rich.



dtufs wrote:

--- Rich <app1@xxxxxxxxxxxx> wrote:


You can configure mod_security so that it will not
respond at all - i.e. - it will just leave the client hanging waiting for a response (which it will never get). Much like a 'silent' firewall.

As I said, not ideal (the connection is still live),
but at least you can suppress any outgoing data.


Yes, I read about this possibility in the modsecurity
documentation. However, this does not seem acceptable,
because too many "hanging" connections would very
likely cause DoS in a very short time.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
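
A sketch of the kind of temporary-block script Rich describes hooking into SecFilterDefaultAction, added here as an example; it is not his add_httpd_block script and not code from the thread. It assumes the `%s` argument arrives as the client IPv4 address in `$1` and that the firewall is iptables; the function names, the `APPLY`, `CHAIN` and `BLOCK_SECONDS` variables, and the 600-second duration are hypothetical.

```sh
#!/bin/sh
# Added example: a time-limited IP block script. Hypothetical; NOT the
# add_httpd_block script from the thread.
# Assumption: $1 is the client IPv4 address supplied by the caller.
BLOCK_SECONDS="${BLOCK_SECONDS:-600}"   # assumed block duration
CHAIN="${CHAIN:-INPUT}"                 # assumed iptables chain

# Accept only a strict dotted quad, so request-derived text can never
# smuggle extra options or shell syntax into the firewall command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ????*|0?*) return 1 ;;   # too long, or leading zero (octal ambiguity)
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert a DROP rule now and remove it after BLOCK_SECONDS.
# Default is a dry run that prints the commands; APPLY=1 runs them (needs root).
block_ip() {
    valid_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -I "$CHAIN" -s "$1" -j DROP || return 1
        # Expire in the background so the calling web server is not held up.
        ( sleep "$BLOCK_SECONDS"; iptables -D "$CHAIN" -s "$1" -j DROP ) \
            >/dev/null 2>&1 &
    else
        echo "iptables -I $CHAIN -s $1 -j DROP"
        echo "after ${BLOCK_SECONDS}s: iptables -D $CHAIN -s $1 -j DROP"
    fi
}

if [ "$#" -ge 1 ]; then
    block_ip "$1"
fi
```

The DROP rule only discards further packets from that address; the server-side socket for the request already in progress still has to be closed or timed out by Apache.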