Date: Tue, 08 May 2007 09:00:04 -0700
From: Howard MITCHell Feldman <hfeldman@earthlink.net>
To: Olaf Greve <o.greve@axis.nl>
Cc: freebsd-questions@freebsd.org, freebsd-amd64@freebsd.org, Koos van den Hout <koos@kzdoos.xs4all.nl>
Subject: Re: How to make Apache (2.2.4) less greedy, or Sendmail less polite? [semi-solved]
Message-ID: <46409E84.3000806@earthlink.net>
In-Reply-To: <405942B8-7714-4F57-914F-24F12DFB206A@axis.nl>
References: <2BEB30C2-C9C5-43AB-9DCA-5C9A1B0AC2C0@axis.nl> <20070504111105.GA13599@kzdoos.xs4all.nl> <405942B8-7714-4F57-914F-24F12DFB206A@axis.nl>

Here's what I do with spammers and others I want to keep out of my server...

I make an IP entry into my /etc/hosts.deny file of those I want to deny
access to my server. Then I make an entry in my /etc/hosts.allow file that
denies access to all in my hosts.deny file. That entry is the first
non-commented entry in the hosts.allow file and looks like:

    ALL: /etc/hosts.deny: deny

...howard

Olaf Greve wrote:
> Hiya all,
>
> Well, I promised you guys a follow-up on this, and here's what I have
> found out (first the situation and solution, and then two small
> questions)....
>
> The situation:
> Firstly, I took some measures to figure out where the issues came
> from, and using Apache's "server-status" handler (tnx for that
> recommendation!), I noticed the script that caused Apache to choke up
> (i.e. grab an excessive amount of resources), was a PHP script that
> shows entries of photographic events that I organise from time to
> time. This didn't happen for all entries, but only for specific ones.
> I then wondered why, as this script never caused trouble before, and
> while checking the server status I did already notice that the "store
> comments" script (allowing visitor's feedback to the entries) was
> called very often. Too often. I checked out the sizes of the comments
> files (which normally are very small plain text files, of perhaps some
> 4Kb size at most), and lo and behold: some of them were as big as
> 18Mb! The main issue then becoming that when these files were parsed as
> text by PHP when an entry is shown, this either took a long time to
> complete, or in the worst case caused even a core dump to be generated
> by the over-excessive load on the server's resources.
> Next, when checking the contents of those files, it became apparent
> that they were completely hammered with all sorts of typical
> commercial spam, referring to vi*gr* websites, etc. I think this is
> known as "forum spam" (or so), but my site uses custom scripts, so
> someone must have found the URL, and made use of it by manually
> figuring out the parameters and its functionality.
>
> The (partial) "solution":
> For now, I have configured the webserver so, that ANY call to this
> "store comments" script is forbidden, and will simply generate a
> standard server error (hopefully the spammers will signal these server
> errors, and will stop the hack attempt), while I am looking into a
> better solution (e.g. by having to type additional text (anti-spam
> challenges) when posting a comment). But then, as mentioned above,
> someone went through the trouble of figuring out how to manipulate my
> code, and hence caused me a LOT of time being wasted, so I want to
> "reward" them for their trouble, by punishing the responsible people
> as much as possible. Therefore, I will go through the Apache access
> log to work out the IP addresses of
> the machines that were used for this, and I will report them to the
> proper anti spam authorities, such that they will be blacklisted
> Internet wide. If anyone knows of good places to do so (the more, the
> merrier), I welcome hearing about them...
>
> The questions:
> -Can anyone recommend me proper anti spam authorities to whom I can
> report the IP addresses that caused the issues on my machine?
> -At present, in Apache I have added:
> <Location ~ "store_comments_script.php">
> Order deny,allow
> Deny from all
> </Location>
> Can anyone tell me of a good way to only ever allow calls to this
> script coming from the proper previous script, or should this be
> handled from PHP itself?
> Perhaps this question isn't very clear, but what I'm looking for is a
> way to block any and all direct calls to this script, that originate
> from anywhere but from the photography site itself.
>
> Can anyone help me perhaps with those two thingies?
>
> Tnx once more, and cheers!
> Olafo
> _______________________________________________
> freebsd-amd64@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-amd64
> To unsubscribe, send any mail to "freebsd-amd64-unsubscribe@freebsd.org"
>
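
Added example, not part of either message: one way to do the access-log pass Olaf describes, counting POSTs to the comment script per client address and rendering the heavy posters as Apache 2.2 `Deny from` lines. The script name comes from the quoted `<Location>` block; the "combined" log format, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" LogFormat (assumed): host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+'
)
SCRIPT = "store_comments_script.php"  # name taken from the quoted <Location> block

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [07/May/2007:10:00:01 +0200] "POST /store_comments_script.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [07/May/2007:10:00:02 +0200] "POST /store_comments_script.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [07/May/2007:10:00:03 +0200] "POST /photos/store_comments_script.php?id=12 HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [07/May/2007:10:05:00 +0200] "POST /store_comments_script.php HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [07/May/2007:10:05:09 +0200] "POST /store_comments_script.php HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [07/May/2007:11:00:00 +0200] "GET /store_comments_script.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
this line is truncated and must be skipped
"""

def count_posts(lines, script=SCRIPT):
    """Count POST requests to `script` per client IP; unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if m.group("method") == "POST" and path.endswith("/" + script):
            hits[m.group("ip")] += 1
    return hits

def offenders(hits, threshold=3):
    """Addresses with at least `threshold` posts, busiest first, ties by address."""
    return sorted((ip for ip, n in hits.items() if n >= threshold),
                  key=lambda ip: (-hits[ip], ip))

def deny_lines(ips):
    """Render Apache 2.2 access-control directives, one per address."""
    return ["Deny from " + ip for ip in ips]

if __name__ == "__main__":
    for line in deny_lines(offenders(count_posts(SAMPLE_LOG.splitlines()))):
        print(line)
```

The list returned by `offenders()` can also be written one address per line into the file that Howard's `hosts.allow` rule points at. That rule only affects daemons that consult TCP wrappers.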