HS: How to ban some IP's to connect to apache server
Hello
I know it's not really debian related, but:
A site called ripe.net is trying all sorts of addresses to go inside my sites, like mysite.com/var/www/documents and so on. About a month ago, I emailed the owner of the site, and it stopped, until this WE. So, I would like to ban him (they have about 10 different IP addresses hosted on servers from the Netherlands to Asia) to log into my server. I know, I can do it using deny from + IP in each virtual host. What I would prefer to do is deny those IPs from the server, not from each host. My server is running etch -> apache2.2.3-4. How can I do that?
Thierry
On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
> Hello
> I know it's not really debian related, but:
> A site called ripe.net is trying all sorts of addresses to go inside my
> sites, like mysite.com/var/www/documents and so on. About a month ago, I
> emailed the owner of the site, and it stopped, until this WE. So, I would
> like to ban him (they have about 10 different IP addresses hosted on
> servers from the Netherlands to Asia) to log into my server. I know, I can do
> it using deny from + IP in each virtual host. What I would prefer to do is
> deny those IPs from the server, not from each host. My server is running
> etch -> apache2.2.3-4. How can I do that?
> Thierry

Thierry,
You could block the IP address (/range) in iptables, I suppose. That's normally pretty extraneous as a security measure (that's not going to stop anyone who's targeting you), but if there's a bot on that server that's constantly bugging you, that should be a quick way of making it stop filling up your access logs.
On Tuesday 22 April 2008 07:27:39 Lee Glidewell wrote:
> On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
> > Hello
> > I know it's not really debian related, but:
> > A site called ripe.net is trying all sorts of addresses to go inside my
> > sites, like mysite.com/var/www/documents and so on. About a month ago, I
> > emailed the owner of the site, and it stopped, until this WE. So, I
> > would like to ban him (they have about 10 different IP addresses hosted
> > on servers from the Netherlands to Asia) to log into my server. I know, I can
> > do it using deny from + IP in each virtual host. What I would prefer to
> > do is deny those IPs from the server, not from each host. My server is
> > running etch -> apache2.2.3-4. How can I do that?
> > Thierry
>
> Thierry,
> You could block the IP address (/range) in iptables, I suppose. That's
> normally pretty extraneous as a security measure (that's not going to stop
> anyone who's targeting you), but if there's a bot on that server that's
> constantly bugging you, that should be a quick way of making it stop
> filling up your access logs.

Thanks for the answer. Did not think about iptables!! Could be a way of dealing with the problem.
They are not really filling up my access.log but my error.log for sure. Since about 3 months ago, when someone (him?) broke into my site and wiped off all the content of my var/www directory, and the log, I am a bit more ... attentive of what's happening. I formatted the drive and reinstalled everything just to be sure nothing bad would happen.
Now, I have seen a module called authz.host and I think I can use it to allow or deny host to connect. But I must admit that I could not understand the documentation on how to use it.
Thierry
On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
> Hello
> I know it's not really debian related, but:
> A site called ripe.net is trying all sorts of addresses to go inside my sites,
> like mysite.com/var/www/documents and so on.

That certainly seems like odd behaviour. RIPE is one of the five main Internet registries (like ARIN in the US) and is a 'respected' member of the Internet community.

http://ripe.net/info/ncc/index.html

As a matter of interest, what do these Apache log entries look like?

--
Bob Cox. Stoke Gifford, near Bristol, UK.
Registered user #445000 with the Linux Counter - http://counter.li.org/
On Tuesday 22 April 2008 08:14:43 Bob Cox wrote:
> On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
> > Hello
> > I know it's not really debian related, but:
> > A site called ripe.net is trying all sorts of addresses to go inside my
> > sites, like mysite.com/var/www/documents and so on.
>
> That certainly seems like odd behaviour. RIPE is one of the five main
> Internet registries (like ARIN in the US) and is a 'respected' member of
> the Internet community.
>
> http://ripe.net/info/ncc/index.html
>
> As a matter of interest, what do these Apache log entries look like?

Yes, I was surprised when I went to their site to read about what they are and what I see in my logs. I don't understand, and, maybe I am getting a bit paranoïac!!

Here is an extract of the error log:

[Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not exist: /var/www/documents.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/robots.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/priorites.html
[Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not exist: /var/www/qqimages.html

It is like that every WE. It fills about 200 lines of errors every WE.
Thierry
On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
> On Tuesday 22 April 2008 08:14:43 Bob Cox wrote:
> > On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
> > > Hello
> > > I know it's not really debian related, but:
> > > A site called ripe.net is trying all sorts of addresses to go inside my
> > > sites, like mysite.com/var/www/documents and so on.
> >
> > That certainly seems like odd behaviour. RIPE is one of the five main
> > Internet registries (like ARIN in the US) and is a 'respected' member of
> > the Internet community.
> >
> > http://ripe.net/info/ncc/index.html
> >
> > As a matter of interest, what do these Apache log entries look like?
>
> Yes, I was surprised when I went to their site to read about what they are and
> what I see in my logs. I don't understand, and, maybe I am getting a bit
> paranoïac!!
>
> Here is an extract of the error log:
>
> [Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not exist: /var/www/documents.txt
> [Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/robots.txt
> [Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/priorites.html
> [Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not exist: /var/www/qqimages.html
>
> It is like that every WE. It fills about 200 lines of errors every WE.
> Thierry

bob@trantor:~$ host 88.131.106.6
6.106.131.88.in-addr.arpa is an alias for 6.0-26.106.131.88.in-addr.arpa.
6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.

A 'whois' on entireweb.com shows it belongs to someone in Sweden.

--
Bob Cox. Stoke Gifford, near Bristol, UK.
Registered user #445000 with the Linux Counter - http://counter.li.org/
On Tuesday 22 April 2008 08:46:40 Bob Cox wrote:
> On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
>
> bob@trantor:~$ host 88.131.106.6
> 6.106.131.88.in-addr.arpa is an alias for
> 6.0-26.106.131.88.in-addr.arpa.
> 6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.
>
>
> A 'whois' on entireweb.com shows it belongs to someone in Sweden.

This is what I get from networksolutions.com/whois/

88.131.106.6
Record Type: IP Address

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 88.0.0.0 - 88.255.255.255
CIDR: 88.0.0.0/8
NetName: 88-RIPE
NetHandle: NET-88-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06

Ouuupppps!
If I go to: ripe.net/whois, I get as you said, someone in Sweden, with an email address:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '88.131.106.0 - 88.131.106.63'

inetnum: 88.131.106.0 - 88.131.106.63
netname: WORLDLIGHTCOM-NET
descr: Wordlight.com AB
country: SE
admin-c: AL6177-RIPE
tech-c: JS4232-RIPE
status: ASSIGNED PA
mnt-by: TELE1-SE-MNT
source: RIPE # Filtered

person: Andreas Lidberg
address: Kastanjeallen 1
address: S-302 31 Halmstad
phone: +46 35 241 05 04
nic-hdl: AL6177-RIPE
abuse-mailbox: abuse@entireweb.com
source: RIPE # Filtered

person: Jacob Sandin
address: Sverige.Net
address: Kastanjallen 1
address: SE-30231 Halmstad
address: Sweden
phone: +46 035-2600020
fax-no: +46 035-2600010
nic-hdl: JS4232-RIPE
source: RIPE # Filtered
mnt-by: SVERIGENET-SE-MNT

% Information related to '88.131.0.0/16AS3292'

route: 88.131.0.0/16
descr: TDC Song AB
origin: AS3292
remarks: This network is assigned to se.tele1 customers
remarks: in Sweden. In case of routing problem, please
remarks: contact peering@sn.net, in case of inappropriate
remarks: usage or attacks please mail abuse@tdcsong.se
mnt-by: TELE1-SE-MNT
source: RIPE # Filtered

So I am going to write them and see what happens.
Thanks
Thierry Chatelet wrote:
> On Tuesday 22 April 2008 08:46:40 Bob Cox wrote:
>> On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
>> bob@trantor:~$ host 88.131.106.6
>> 6.106.131.88.in-addr.arpa is an alias for
>> 6.0-26.106.131.88.in-addr.arpa.
>> 6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.
>>
>>
>> A 'whois' on entireweb.com shows it belongs to someone in Sweden.
>
>
> This is what I get from networksolutions.com/whois/
> 88.131.106.6
> Record Type: IP Address
>
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: P.O. Box 10096
> City: Amsterdam
> StateProv:
> PostalCode: 1001EB
> Country: NL

IIC, this is the registration agency that registers all IP addresses in the European/Asian Region. That means all IPs located in Europe, the Middle East and parts of Central Asia are registered at these servers.

1. http://en.wikipedia.org/wiki/RIPE_NCC

> ReferralServer: whois://whois.ripe.net:43
[snip]
> remarks: This network is assigned to se.tele1 customers
> remarks: in Sweden. In case of routing problem, please
> remarks: contact peering@sn.net, in case of inappropriate
> remarks: usage or attacks please mail abuse@tdcsong.se
> mnt-by: TELE1-SE-MNT
> source: RIPE # Filtered

Apparently some customer of a Swedish ISP is causing these connections (or someone who hijacked a computer of the ISP or a customer).

HTH,
Johannes
On 04/22/08 01:09, Thierry Chatelet wrote:
> On Tuesday 22 April 2008 07:27:39 Lee Glidewell wrote:
>> On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
>>> Hello
>>> I know it's not really debian related, but:
>>> A site called ripe.net is trying all sorts of addresses to go inside my
>>> sites, like mysite.com/var/www/documents and so on. About a month ago, I
>>> emailed the owner of the site, and it stopped, until this WE. So, I
>>> would like to ban him (they have about 10 different IP addresses hosted
>>> on servers from the Netherlands to Asia) to log into my server. I know, I can
>>> do it using deny from + IP in each virtual host. What I would prefer to
>>> do is deny those IPs from the server, not from each host. My server is
>>> running etch -> apache2.2.3-4. How can I do that?
>>> Thierry
>> Thierry,
>> You could block the IP address (/range) in iptables, I suppose. That's
>> normally pretty extraneous as a security measure (that's not going to stop
>> anyone who's targeting you), but if there's a bot on that server that's
>> constantly bugging you, that should be a quick way of making it stop
>> filling up your access logs.
>
> Thanks for the answer. Did not think about iptables!! Could be a way of
> dealing with the problem.
> They are not really filling up my access.log but my error.log for sure. Since

There's a package in the repository that will scan your Apache logs and generate appropriate IPtables rules. Sadly, I don't remember the name.

--
Ron Johnson, Jr.
Jefferson LA USA

We want... a Shrubbery!!
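A log-to-rules scan of the kind Ron describes, as an added example (not part of the original thread, and not the package he is thinking of): it reads Apache 2.2 error_log lines in the format Thierry posted and renders iptables DROP rules for review. The threshold, the allowlist, the benign-file list and the two documentation-range clients in the sample are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Apache 2.2 error_log "File does not exist" line, in the format quoted in the thread.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)")
# Assumption: misses on these files are normal crawler/browser behaviour, not probing.
BENIGN = {"robots.txt", "favicon.ico"}

# Constructed sample: the four lines from the thread plus invented clients
# from documentation ranges.
SAMPLE_LOG = """\
[Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not exist: /var/www/documents.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/robots.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/priorites.html
[Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not exist: /var/www/qqimages.html
[Sun Apr 20 16:01:02 2008] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Sun Apr 20 16:02:10 2008] [error] [client 198.51.100.7] File does not exist: /var/www/a.html
[Sun Apr 20 16:02:11 2008] [error] [client 198.51.100.7] File does not exist: /var/www/b.html
"""


def offenders(log_text, threshold=3, allowlist=("127.0.0.0/8",)):
    """Count missing-file errors per client; return {ip: hits} at or above threshold."""
    trusted = [ipaddress.ip_network(n) for n in allowlist]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path").rsplit("/", 1)[-1] in BENIGN:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))  # reject anything that is not an address
        except ValueError:
            continue
        if not any(ip in net for net in trusted):  # never block allowlisted ranges
            hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def iptables_rules(ips, port=80):
    """Render one DROP rule per IPv4 offender, to be reviewed before it is applied."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips) if ipaddress.ip_address(ip).version == 4]


if __name__ == "__main__":
    print("\n".join(iptables_rules(offenders(SAMPLE_LOG))))
```

The rules are only printed, so an operator can check the list (and the allowlist) before running anything as root.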
On Tuesday 22 April 2008 10:48:04 Ron Johnson wrote:
>
> There's a package in the repository that will scan your Apache logs
> and generate appropriate IPtables rules. Sadly, I don't remember
> the name.
>
> --
> Ron Johnson, Jr.

Old age, Ron? Well I guess I too am better to get used to it.
Thierry