From: Olaf Greve
Date: Tue, 8 May 2007 14:51:45 +0200
To: Koos van den Hout
Cc: freebsd-questions@freebsd.org, freebsd-amd64@freebsd.org
Subject: Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]

Hiya all,

Well, I promised you guys a follow-up on this, and here's what I have found out (first the situation and solution, and then two small questions)....

The situation:

Firstly, I took some measures to figure out where the issues came from, and using Apache's "server-status" handler (tnx for that recommendation!), I noticed the script that caused Apache to choke up (i.e. grab an excessive amount of resources) was a PHP script that shows entries of photographic events that I organise from time to time. This didn't happen for all entries, but only for specific ones.

I then wondered why, as this script never caused trouble before, and while checking the server status I did already notice that the "store comments" script (allowing visitors' feedback to the entries) was called very often. Too often. I checked out the sizes of the comments files (which normally are very small plain text files, of perhaps some 4Kb size at most), and lo and behold: some of them were as big as 18Mb! The main issue then becoming that when these files were parsed as text by PHP when an entry is shown, this either took a long time to complete, or in the worst case caused even a core dump to be generated by the over-excessive load on the server's resources.

Next, when checking the contents of those files, it became apparent that they were completely hammered with all sorts of typical commercial spam, referring to vi*gr* websites, etc. I think this is known as "forum spam" (or so), but my site uses custom scripts, so someone must have found the URL, and made use of it by manually figuring out the parameters and its functionality.

The (partial) "solution":

For now, I have configured the webserver so that ANY call to this "store comments" script is forbidden, and will simply generate a standard server error (hopefully the spammers will signal these server errors, and will stop the hack attempt), while I am looking into a better solution (e.g. by having to type additional text (anti-spam challenges) when posting a comment).

But then, as mentioned above, someone went through the trouble of figuring out how to manipulate my code, and hence caused me a LOT of time being wasted, so I want to "reward" them for their trouble, by punishing the responsible people as much as possible. Therefore, I will go through the Apache access log to work out the IP addresses of the machines that were used for this, and I will report them to the proper anti-spam authorities, such that they will be blacklisted Internet-wide. If anyone knows of good places to do so (the more, the merrier), I welcome hearing about them...

The questions:

- Can anyone recommend me proper anti-spam authorities to whom I can report the IP addresses that caused the issues on my machine?

- At present, in Apache I have added:

    Order deny,allow
    Deny from all

  Can anyone tell me of a good way to only ever allow calls to this script coming from the proper previous script, or should this be handled from PHP itself? Perhaps this question isn't very clear, but what I'm looking for is a way to block any and all direct calls to this script, that originate from anywhere but from the photography site itself.

Can anyone help me perhaps with those two thingies?

Tnx once more, and cheers!
Olafo
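
The access-log pass described in the message, as an added example that is not part of the original post: it tallies POSTs to the comment script per client address and separates those that carried no Referer from the site's own pages. It assumes Apache's "combined" log format; the script path /store_comments.php, the host photos.example.org and the log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
SCRIPT_PATH = "/store_comments.php"  # assumed name of the "store comments" script
SITE_HOST = "photos.example.org"     # assumed host name of the photography site
# Constructed sample lines (documentation-range addresses), not from a real log.
SAMPLE_LOG = """\
198.51.100.7 - - [08/May/2007:10:00:01 +0200] "POST /store_comments.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2007:10:00:02 +0200] "POST /store_comments.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2007:10:00:03 +0200] "POST /store_comments.php?id=9 HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.20 - - [08/May/2007:10:05:10 +0200] "GET /entry.php?id=3 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.20 - - [08/May/2007:10:06:44 +0200] "POST /store_comments.php HTTP/1.1" 200 298 "http://photos.example.org/entry.php?id=3" "Mozilla/5.0"
192.0.2.55 - - [08/May/2007:10:07:00 +0200] "POST /store_comments.php HTTP/1.1" 200 312 "http://spam.example.net/" "Mozilla/4.0"
192.0.2.55 - - [08/May/2007:10:07:01 +0200] "POST /store_comments.php HTTP/1.1" 200 312 "http://spam.example.net/" "Mozilla/4.0"
this line is not in combined format and is skipped
"""

def referer_host(referer):
    try:
        return urlsplit(referer).hostname  # None for "-" or an empty value
    except ValueError:                     # malformed URL sent as Referer
        return None

def tally_comment_posts(lines, script=SCRIPT_PATH, site=SITE_HOST):
    """Return (total, offsite) Counters of POSTs to the comment script per client IP."""
    total, offsite = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != script:
            continue
        total[m["ip"]] += 1
        # Referer is client-supplied: a missing or foreign one is a hint, not proof.
        if referer_host(m["referer"]) != site:
            offsite[m["ip"]] += 1
    return total, offsite

def suspects(lines, min_posts=2):
    """IPs with at least min_posts POSTs, none of them referred from the site itself."""
    total, offsite = tally_comment_posts(lines)
    return sorted(ip for ip, n in total.items() if n >= min_posts and offsite[ip] == n)

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG.splitlines()))
```

Because the Referer header is set by the client, the same test used as an access rule would only stop senders that do not bother to forge it.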