Old 04-22-2008, 05:08 AM
Thierry Chatelet
 
Default HS: How to ban some IP's to connect to apache server

Hello
I know it's not really Debian related, but:
A site called ripe.net is trying all sorts of addresses to go inside my sites,
like mysite.com/var/www/documents and so on. About a month ago, I emailed
the owner of the site, and it stopped, until this weekend. So, I would like to
ban him (they have about 10 different IP addresses hosted on servers from
the Netherlands to Asia) from logging into my server. I know I can do it using
deny from + IP in each virtual host. What I would prefer to do is deny those IPs
from the server, not from each host. My server is running etch ->
apache2.2.3-4. How can I do that?
Thierry


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 04-22-2008, 05:27 AM
Lee Glidewell
 
Default HS: How to ban some IP's to connect to apache server

On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
> Hello
> I know it's not really Debian related, but:
> A site called ripe.net is trying all sorts of addresses to go inside my
> sites, like mysite.com/var/www/documents and so on. About a month ago, I
> emailed the owner of the site, and it stopped, until this weekend. So, I
> would like to ban him (they have about 10 different IP addresses hosted on
> servers from the Netherlands to Asia) from logging into my server. I know I
> can do it using deny from + IP in each virtual host. What I would prefer to
> do is deny those IPs from the server, not from each host. My server is running
> etch ->
> apache2.2.3-4. How can I do that?
> Thierry
Thierry,
You could block the IP address (/range) in iptables, I suppose. That's
normally pretty extraneous as a security measure (that's not going to stop
anyone who's targeting you), but if there's a bot on that server that's
constantly bugging you, that should be a quick way of making it stop filling
up your access logs.


 
Old 04-22-2008, 06:09 AM
Thierry Chatelet
 
Default HS: How to ban some IP's to connect to apache server

On Tuesday 22 April 2008 07:27:39 Lee Glidewell wrote:
> On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
> > Hello
> > I know it's not really Debian related, but:
> > A site called ripe.net is trying all sorts of addresses to go inside my
> > sites, like mysite.com/var/www/documents and so on. About a month ago, I
> > emailed the owner of the site, and it stopped, until this weekend. So, I
> > would like to ban him (they have about 10 different IP addresses hosted
> > on servers from the Netherlands to Asia) from logging into my server. I
> > know I can do it using deny from + IP in each virtual host. What I would
> > prefer to do is deny those IPs from the server, not from each host. My
> > server is running etch ->
> > apache2.2.3-4. How can I do that?
> > Thierry
>
> Thierry,
> You could block the IP address (/range) in iptables, I suppose. That's
> normally pretty extraneous as a security measure (that's not going to stop
> anyone who's targeting you), but if there's a bot on that server that's
> constantly bugging you, that should be a quick way of making it stop
> filling up your access logs.

Thanks for the answer. Did not think about iptables!! Could be a way of
dealing with the problem.
They are not really filling up my access.log but my error.log for sure. Since
about 3 months ago, when someone (him?) broke into my site and wiped off all
the content of my var/www directory, and the log, I am a bit more ...
attentive to what's happening. I formatted the drive and reinstalled
everything just to be sure nothing bad would happen.
Now, I have seen a module called authz.host and I think I can use it to allow
or deny hosts to connect. But I must admit that I could not understand the
documentation on how to use it.
Thierry


 
Old 04-22-2008, 06:14 AM
Bob Cox
 
Default HS: How to ban some IP's to connect to apache server

On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:

> Hello
> I know it's not really Debian related, but:
> A site called ripe.net is trying all sorts of addresses to go inside my sites,
> like mysite.com/var/www/documents and so on.

That certainly seems like odd behaviour. RIPE is one of the five main
Internet registries (like ARIN in the US) and is a 'respected' member of
the Internet community.

http://ripe.net/info/ncc/index.html

As a matter of interest, what do these Apache log entries look like?

--
Bob Cox. Stoke Gifford, near Bristol, UK.
Registered user #445000 with the Linux Counter - http://counter.li.org/
 
Old 04-22-2008, 06:35 AM
Thierry Chatelet
 
Default HS: How to ban some IP's to connect to apache server

On Tuesday 22 April 2008 08:14:43 Bob Cox wrote:
> On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr)
> wrote:
> > Hello
> > I know it's not really Debian related, but:
> > A site called ripe.net is trying all sorts of addresses to go inside my
> > sites, like mysite.com/var/www/documents and so on.
>
> That certainly seems like odd behaviour. RIPE is one of the five main
> Internet registries (like ARIN in the US) and is a 'respected' member of
> the Internet community.
>
> http://ripe.net/info/ncc/index.html
>
> As a matter of interest, what do these Apache log entries look like?

Yes, I was surprised when I went to their site to read about what they are and
what I see in my logs. I don't understand, and maybe I am getting a bit
paranoiac!!

Here is an extract of the error log:

[Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not
exist: /var/www/documents.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not
exist: /var/www/robots.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not
exist: /var/www/priorites.html
[Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not
exist: /var/www/qqimages.html

It is like that every weekend. It fills about 200 lines of errors every weekend.
Thierry
 
Old 04-22-2008, 06:46 AM
Bob Cox
 
Default HS: How to ban some IP's to connect to apache server

On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:

> On Tuesday 22 April 2008 08:14:43 Bob Cox wrote:
> > On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr)
> wrote:
> > > Hello
> > > I know it's not really Debian related, but:
> > > A site called ripe.net is trying all sorts of addresses to go inside my
> > > sites, like mysite.com/var/www/documents and so on.
> >
> > That certainly seems like odd behaviour. RIPE is one of the five main
> > Internet registries (like ARIN in the US) and is a 'respected' member of
> > the Internet community.
> >
> > http://ripe.net/info/ncc/index.html
> >
> > As a matter of interest, what do these Apache log entries look like?
>
> Yes, I was surprised when I went to their site to read about what they are and
> what I see in my logs. I don't understand, and maybe I am getting a bit
> paranoiac!!
>
> Here is an extract of the error log:
>
> [Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/documents.txt
> [Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/robots.txt
> [Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/priorites.html
> [Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/qqimages.html
>
> It is like that every weekend. It fills about 200 lines of errors every weekend.
> Thierry


bob@trantor:~$ host 88.131.106.6
6.106.131.88.in-addr.arpa is an alias for
6.0-26.106.131.88.in-addr.arpa.
6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.


A 'whois' on entireweb.com shows it belongs to someone in Sweden.

--
Bob Cox. Stoke Gifford, near Bristol, UK.
Registered user #445000 with the Linux Counter - http://counter.li.org/
 
Old 04-22-2008, 07:10 AM
Thierry Chatelet
 
Default HS: How to ban some IP's to connect to apache server

On Tuesday 22 April 2008 08:46:40 Bob Cox wrote:
> On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr)
wrote:
>
> bob@trantor:~$ host 88.131.106.6
> 6.106.131.88.in-addr.arpa is an alias for
> 6.0-26.106.131.88.in-addr.arpa.
> 6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.
>
>
> A 'whois' on entireweb.com shows it belongs to someone in Sweden.


This is what I get from networksolutions.com/whois/
88.131.106.6
Record Type: IP Address

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 88.0.0.0 - 88.255.255.255
CIDR: 88.0.0.0/8
NetName: 88-RIPE
NetHandle: NET-88-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06

Ouuupppps! If I go to: ripe.net/whois, I get, as you said, someone in Sweden,
with an email address:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '88.131.106.0 - 88.131.106.63'

inetnum: 88.131.106.0 - 88.131.106.63
netname: WORLDLIGHTCOM-NET
descr: Wordlight.com AB
country: SE
admin-c: AL6177-RIPE
tech-c: JS4232-RIPE
status: ASSIGNED PA "status:" definitions
mnt-by: TELE1-SE-MNT
source: RIPE # Filtered

person: Andreas Lidberg
address: Kastanjeallen 1
address: S-302 31 Halmstad
phone: +46 35 241 05 04
nic-hdl: AL6177-RIPE
abuse-mailbox: abuse@entireweb.com
source: RIPE # Filtered

person: Jacob Sandin
address: Sverige.Net
address: Kastanjallen 1
address: SE-30231 Halmstad
address: Sweden
phone: +46 035-2600020
fax-no: +46 035-2600010
nic-hdl: JS4232-RIPE
source: RIPE # Filtered
mnt-by: SVERIGENET-SE-MNT

% Information related to '88.131.0.0/16AS3292'

route: 88.131.0.0/16
descr: TDC Song AB
origin: AS3292
remarks: This network is assigned to se.tele1 customers
remarks: in Sweden. In case of routing problem, please
remarks: contact peering@sn.net, in case of inappropriate
remarks: usage or attacks please mail abuse@tdcsong.se
mnt-by: TELE1-SE-MNT
source: RIPE # Filtered


So I am going to write to them and see what happens.
Thanks


 
Old 04-22-2008, 07:27 AM
Johannes Wiedersich
 
Default HS: How to ban some IP's to connect to apache server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thierry Chatelet wrote:
> On Tuesday 22 April 2008 08:46:40 Bob Cox wrote:
>> On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr)
> wrote:
>> bob@trantor:~$ host 88.131.106.6
>> 6.106.131.88.in-addr.arpa is an alias for
>> 6.0-26.106.131.88.in-addr.arpa.
>> 6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.
>>
>>
>> A 'whois' on entireweb.com shows it belongs to someone in Sweden.
>
>
> This is what I get from networksolutions.com/whois/
> 88.131.106.6
> Record Type: IP Address
>
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: P.O. Box 10096
> City: Amsterdam
> StateProv:
> PostalCode: 1001EB
> Country: NL

IIC, this is the registration agency that registers all IP addresses in
the European/Asian Region. That means all IPs located in Europe, the
Middle East and parts of Central Asia are registered at these servers.

1. http://en.wikipedia.org/wiki/RIPE_NCC

> ReferralServer: whois://whois.ripe.net:43

[snip]

> remarks: This network is assigned to se.tele1 customers
> remarks: in Sweden. In case of routing problem, please
> remarks: contact peering@sn.net, in case of inappropriate
> remarks: usage or attacks please mail abuse@tdcsong.se
> mnt-by: TELE1-SE-MNT
> source: RIPE # Filtered

Apparently some customer of a Swedish ISP is causing these connections
(or someone who hijacked a computer of the ISP or a customer).

HTH,

Johannes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIDZN1C1NzPRl9qEURAl/VAJ9bDD6arnOhUgNiBAehrndOPb5W5gCaAy4B
zDxWdW7emIZu2zaDI74Ejdg=
=rdlk
-----END PGP SIGNATURE-----


 
Old 04-22-2008, 08:48 AM
Ron Johnson
 
Default HS: How to ban some IP's to connect to apache server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/22/08 01:09, Thierry Chatelet wrote:
> On Tuesday 22 April 2008 07:27:39 Lee Glidewell wrote:
>> On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
>>> Hello
>>> I know it's not really Debian related, but:
>>> A site called ripe.net is trying all sorts of addresses to go inside my
>>> sites, like mysite.com/var/www/documents and so on. About a month ago, I
>>> emailed the owner of the site, and it stopped, until this weekend. So, I
>>> would like to ban him (they have about 10 different IP addresses hosted
>>> on servers from the Netherlands to Asia) from logging into my server. I
>>> know I can do it using deny from + IP in each virtual host. What I would
>>> prefer to do is deny those IPs from the server, not from each host. My
>>> server is running etch ->
>>> apache2.2.3-4. How can I do that?
>>> Thierry
>> Thierry,
>> You could block the IP address (/range) in iptables, I suppose. That's
>> normally pretty extraneous as a security measure (that's not going to stop
>> anyone who's targeting you), but if there's a bot on that server that's
>> constantly bugging you, that should be a quick way of making it stop
>> filling up your access logs.
>
> Thanks for the answer. Did not think about iptables!! Could be a way of
> dealing with the problem.
> They are not really filling up my access.log but my error.log for sure. Since

There's a package in the repository that will scan your Apache logs
and generate appropriate IPtables rules. Sadly, I don't remember
the name.

- --
Ron Johnson, Jr.
Jefferson LA USA

We want... a Shrubbery!!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIDaZES9HxQb37XmcRAl9jAJ9lYpmDNPGWiwXrnLPuDc kZEscvWwCghk0Z
5H6zaNQbS1fUmaHzLGPBW7o=
=oStg
-----END PGP SIGNATURE-----
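
Added example, not part of any post in this thread: a small Python sketch of the approach discussed above, which counts "File does not exist" errors per client in an Apache 2.2 error log, converts the whois `inetnum` range quoted earlier into CIDR form, and renders (without applying) an iptables rule and a server-wide mod_authz_host block. The log sample is constructed, and the threshold, port 80 and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache 2.2 error.log format, modelled on the entries
# quoted in the thread; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
[Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not exist: /var/www/documents.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/robots.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/priorites.html
[Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not exist: /var/www/qqimages.html
[Sun Apr 20 16:02:11 2008] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""
MISSING = re.compile(r"\[error\] \[client ([0-9a-fA-F.:]+)\] File does not exist: ")


def noisy_clients(log_text, threshold):
    """Map client IP -> count for clients with >= threshold missing-file errors."""
    hits = Counter()
    for line in log_text.splitlines():
        m = MISSING.search(line)
        if m:
            try:
                hits[str(ipaddress.ip_address(m.group(1)))] += 1
            except ValueError:
                pass  # not a valid address, skip the line
    return {ip: n for ip, n in hits.items() if n >= threshold}


def range_to_cidrs(first, last):
    """Convert a whois 'inetnum' range (first - last) into CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in nets]


def render_blocks(targets):
    """Return (iptables commands, Apache 2.2 snippet) as text; nothing is applied."""
    ipt = [f"iptables -I INPUT -s {t} -p tcp --dport 80 -j DROP" for t in targets]
    deny = "".join(f"    Deny from {t}\n" for t in targets)
    # Assumption: the snippet goes in the main server config, outside any vhost.
    apache = f"<Location />\n    Order allow,deny\n    Allow from all\n{deny}</Location>\n"
    return ipt, apache


if __name__ == "__main__":
    offenders = sorted(noisy_clients(SAMPLE_LOG, threshold=3))
    ipt, apache = render_blocks(offenders + range_to_cidrs("88.131.106.0", "88.131.106.63"))
    print("\n".join(ipt))
    print(apache)
```

With `Order allow,deny`, a matching `Deny from` wins over `Allow from all`, so the listed addresses get a 403 while everyone else is served; the iptables rule instead drops the packets before Apache sees them, which also keeps them out of error.log.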


 
Old 04-22-2008, 08:54 AM
Thierry Chatelet
 
Default HS: How to ban some IP's to connect to apache server

On Tuesday 22 April 2008 10:48:04 Ron Johnson wrote:
>
> There's a package in the repository that will scan your Apache logs
> and generate appropriate IPtables rules. Sadly, I don't remember
> the name.
>
> --
> Ron Johnson, Jr.

Old age, Ron? Well, I guess I too had better get used to it.
Thierry

