Re: <directory> and deny directives

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

BTW, I have solved this little problem by relying on SetEnvIf(NoCase) directives. Perhaps someone else will find this strategy useful: 

# assume spammers doing recon will only perform GETs
SetEnvIfNoCase Request_Method "GET" spammer_recon

# assume spammers always use both empty Referer and U-A
SetEnvIfNoCase Referer ".+" !spammer_recon
SetEnvIfNoCase User-Agent ".+" !spammer_recon

# if the host/IP is any of these, they're spammers regardless
SetEnvIfNoCase Remote_Host "\.barak\-online\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.barak\.net\.il" spammer_recon
SetEnvIfNoCase Remote_Host "\.cable\.casema\.nl" spammer_recon
SetEnvIfNoCase Remote_Host "\.client\.bresnan\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.ctinets\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.dip\.t\-dialin\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.dsl\.ip\.tiscali\.nl" spammer_recon
SetEnvIfNoCase Remote_Host "\.easyspeedy\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.goo\.ne\.jp" spammer_recon
SetEnvIfNoCase Remote_Host "\.hostingprod\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.internetserviceteam\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.keymachine\.de" spammer_recon
SetEnvIfNoCase Remote_Host "\.knology\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.lorerweb\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.onlinehome\-server\.info" spammer_recon
SetEnvIfNoCase Remote_Host "\.pppoe\.mtu-net\.ru" spammer_recon
SetEnvIfNoCase Remote_Host "\.qwerty\.ru" spammer_recon
SetEnvIfNoCase Remote_Host "\.sputnikmedia\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.static\.theplanet\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.starnet\.md" spammer_recon
SetEnvIfNoCase Remote_Host "\.starnet\.ru" spammer_recon
SetEnvIfNoCase Remote_Host "\.svservers\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.dip\.t\-dialin\.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.dip0\.t\-ipconnect\.de" spammer_recon
SetEnvIfNoCase Remote_Host "\-xbox\.dedi\.inhoster\.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.keymachine\.de" spammer_recon
SetEnvIfNoCase Remote_Host "\.static\.reverse\.ltdomains.com" spammer_recon
SetEnvIfNoCase Remote_Host "\.pccwglobal\.net" spammer_recon
SetEnvIfNoCase Remote_Host "garner\.funtaff\.com" spammer_recon
SetEnvIfNoCase Remote_Host "server\.rnd\.pl" spammer_recon
SetEnvIfNoCase Remote_Host "\.ap\.yournet\.ne\.jp" spammer_recon
SetEnvIfNoCase Remote_Host "\-rev\.cernel\.net" spammer_recon

SetEnvIfNoCase Remote_Addr "^210\.240\." spammer_recon
SetEnvIfNoCase Remote_Addr "216\.72\.28\.8" spammer_recon
SetEnvIfNoCase Remote_Addr "222\.240\.212\.29" spammer_recon
SetEnvIfNoCase Remote_Addr "220\.84\.58\.27" spammer_recon
SetEnvIfNoCase Remote_Addr "124\.53\.202\.111" spammer_recon
SetEnvIfNoCase Remote_Addr "121\.35\.254\.97" spammer_recon

SetEnvIfNoCase User-Agent "PlantyNet\_WebRobot.*" spammer_recon
SetEnvIfNoCase User-Agent "WordPress.*" spammer_recon
SetEnvIfNoCase User-Agent "topicblogs.*" spammer_recon

#not really spammer recon but a repeat spam POSTer
SetEnvIfNoCase Remote_Host "softbank[0-9]{12}\.bbtec.net" spammer_recon
SetEnvIfNoCase Remote_Host "\.phx\.gbl" spammer_recon

<Directory document_root>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    deny from env=spammer_recon
</Directory>


-------- Original Message  --------
Subject: Re:  <directory> and deny directives
From: Joshua Slive <joshua@xxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Date: Friday, September 14, 2007 09:08:30 AM


On 9/14/07, Mark A. Craig <mark.a.craig@xxxxxxxxx> wrote:

 It would sure be
nice if the code didn't pull a non-intuitive stunt like this, though!  If the
DNS lookup resolves to the specified *partial* hostname, it should act on it,
not second-guess it with an rDNS like this.


Yes, it is non-intuitive. But on the other hand, it is much more
common to use hostnames for Allow directives than for Deny directives
(since the hostname is often under the control of the attacker). You
MUST check the forward and reverse for Allow directives, or else they
would be worthless. And then it could potentially cause even more
confusion if the Allow and Deny directives matched differently.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux