Re: [users@httpd] How to close connection instead of sending 403?

Ok, as I have said before, what you want to do can be easily done using 
Patch-o-matic. When you have patched your kernel with this patch you can use 
a firewall rule which will open and examine the packets before it transmits them 
to the applications. This way I have set up a hosting machine and have dropped 
all connections that match certain things. But no, you can't use this on a VPS, 
and I really recommend a dedicated server for your Web server if it is so 
heavily loaded.

Regards
	M.Marinov

On 20.6.2005 11:12 Boyle Owen wrote:
> > -----Original Message-----
> > From: dtufs [mailto:dtufs@xxxxxxxxx]
> > Sent: Sonntag, 19. Juni 2005 11:21
> > To: users@xxxxxxxxxxxxxxxx
> > Subject: [users@httpd] How to close connection instead of sending 403?
> >
> >
> > We have been trying to cut down our bandwidth usage by
> > disallowing access for many spammers and malevolent
> > bots. We are currently doing it via .htaccess and
> > respond with the "403 Forbidden" code.
> >
> > However, this still costs us some bandwidth. What we
> > would like to do is close the connection without even
> > responding to any bad visitor's request. Bad visitor
> > is detected by examining the user agent and/or
> > referrer, or requested URI (never by examining the IP
> > address).
>
> The point to understand is that the internet is a layered communication
> system. There are actually seven layers in the model (see
> http://www.webopedia.com/quick_ref/OSI_Layers.asp) but for this discussion
> the only two that are important are the TCP/IP layer (network/transport)
> and the HTTP layer (application).
>
> As annoying as the requests might be to you, they are valid TCP/IP packets
> so the network/transport layer is required to deliver them. Only when you
> get to the HTTP layer (and see the contents) can you decide you don't want
> them. Apache is an application and can only block at the HTTP layer - it
> can't interfere with TCP/IP. Similarly, anything that works at the TCP/IP
> layer (bridge, FW, router) *cannot* interfere with the contents of the
> packets.
>
> It's like you say to your secretary, "I don't want to see any more letters
> from Fred Bloggs". Your secretary (apache) can open your letters for you and
> bin any from Fred Bloggs but she can't stop the postman delivering them.
> Also, you can't ask the postman not to deliver letters from certain people
> since he's not allowed to open the mail before he delivers it to you.
>
> So the bottom line is that you can't do it like you want...
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
> > Is this possible to do on Apache (running on Red Hat)?
> > Thanks in advance.
> >
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

-- 
------------------------------
  One Planet, One Internet.
  We Are All Connected.
------------------------------
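
The kind of rule the reply above describes, as an added example that is not part of the original thread. It assumes the patch in question is netfilter's string match (`iptables -m string`); the user-agent patterns are constructed placeholders, and the script only prints rules for review.

```shell
#!/bin/sh
# Added example: generate iptables rules that drop inbound HTTP packets whose
# payload carries a given User-Agent prefix. Assumption: the netfilter
# "string" match is available in the running kernel.
#
# Caveat: the match is per packet and only sees the request after the TCP
# handshake has completed, so the connection already exists when the packet
# is dropped and the server side stays open until it times out.

# Constructed placeholder patterns, one per line.
PATTERNS="ExampleBadBot
ExampleHarvester/1.0"

# Accept only characters that are safe inside a double-quoted argument.
valid_pattern() {
    case "$1" in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Print one rule for one pattern; nothing is executed here.
# --to 1024 limits the search to the start of the packet, where the
# request headers are.
build_rule() {
    valid_pattern "$1" || return 1
    printf 'iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "User-Agent: %s" --to 1024 -j DROP\n' "$1"
}

# Read patterns on stdin, print a rule for each, report rejected ones.
emit_rules() {
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        build_rule "$p" || { echo "skipped unsafe pattern: $p" >&2; rc=1; }
    done
    return $rc
}

# Dry run: show the rules for review before applying them as root.
printf '%s\n' "$PATTERNS" | emit_rules
```
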
