HS: How to ban some IP's to connect to apache server
Hello
I know it's not really debian related, but:
A site called ripe.net is trying all sorts of addresses to go inside my sites,
like mysite.com/var/www/documents and so on. About a month ago, I emailed
the owner of the site, and it stopped, until this weekend. So, I would like to ban
him (they have about 10 different IP addresses hosted on servers from
the Netherlands to Asia) from logging into my server. I know I can do it using deny
from + IP in each virtual host. What I would prefer to do is deny those IPs
from the server, not from each host. My server is running etch ->
apache2.2.3-4. How can I do that?
Thierry
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
04-22-2008, 05:27 AM
Lee Glidewell
HS: How to ban some IP's to connect to apache server
On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
> Hello
> I know it's not really debian related, but:
> A site call ripe.net is trying all sorts of addresses to go inside my
> sites, like mysite.com/var/www/documents and so on. About a month ago, I
> email to the owner of the site, and it stopped, until this WE. So, I would
> like to ban him (they have about 10 different IP addresses hosted on
> servers from Netherland to Asia) to log into my server. I known, I can do
> it using deny from + IP in each virtual host. What I would prefer to do is
> deny those IP's from the server, not from each host.My server is running
> etch ->
> apache2.2.3-4. How can I do that?
> Thierry
Thierry,
You could block the IP address (/range) in iptables, I suppose. That's
normally pretty extraneous as a security measure (that's not going to stop
anyone who's targeting you), but if there's a bot on that server that's
constantly bugging you, that should be a quick way of making it stop filling
up your access logs.
04-22-2008, 06:09 AM
Thierry Chatelet
HS: How to ban some IP's to connect to apache server
On Tuesday 22 April 2008 07:27:39 Lee Glidewell wrote:
> On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
> > Hello
> > I know it's not really debian related, but:
> > A site call ripe.net is trying all sorts of addresses to go inside my
> > sites, like mysite.com/var/www/documents and so on. About a month ago, I
> > email to the owner of the site, and it stopped, until this WE. So, I
> > would like to ban him (they have about 10 different IP addresses hosted
> > on servers from Netherland to Asia) to log into my server. I known, I can
> > do it using deny from + IP in each virtual host. What I would prefer to
> > do is deny those IP's from the server, not from each host.My server is
> > running etch ->
> > apache2.2.3-4. How can I do that?
> > Thierry
>
> Thierry,
> You could block the IP address (/range) in iptables, I suppose. That's
> normally pretty extraneous as a security measure (that's not going to stop
> anyone who's targeting you), but if there's a bot on that server that's
> constantly bugging you, that should be a quick way of making it stop
> filling up your access logs.
Thanks for the answer. Did not think about iptables!! Could be a way of
dealing with the problem.
They are not really filling up my access.log but my error.log for sure. Since
about 3 months ago, when someone (him?) broke into my site and wiped off all
the content of my var/www directory, and the log, I am a bit more ...
attentive to what's happening. I formatted the drive and reinstalled
everything just to be sure nothing bad would happen.
Now, I have seen a module called authz.host and I think I can use it to allow
or deny hosts to connect. But I must admit that I could not understand the
documentation on how to use it.
Thierry
04-22-2008, 06:14 AM
Bob Cox
HS: How to ban some IP's to connect to apache server
On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
> Hello
> I know it's not really debian related, but:
> A site call ripe.net is trying all sorts of addresses to go inside my sites,
> like mysite.com/var/www/documents and so on.
That certainly seems like odd behaviour. RIPE is one of the five main
Internet registries (like ARIN in the US) and is a 'respected' member of
the Internet community.
http://ripe.net/info/ncc/index.html
As a matter of interest, what do these Apache log entries look like?
--
Bob Cox. Stoke Gifford, near Bristol, UK.
Registered user #445000 with the Linux Counter - http://counter.li.org/
04-22-2008, 06:35 AM
Thierry Chatelet
HS: How to ban some IP's to connect to apache server
On Tuesday 22 April 2008 08:14:43 Bob Cox wrote:
> On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
> > Hello
> > I know it's not really debian related, but:
> > A site call ripe.net is trying all sorts of addresses to go inside my
> > sites, like mysite.com/var/www/documents and so on.
>
> That certainly seems like odd behaviour. RIPE is one of the five main
> Internet registries (like ARIN in the US) and is a 'respected' member of
> the Internet community.
>
> http://ripe.net/info/ncc/index.html
>
> As a matter of interest, what do these Apache log entries look like?
Yes, I was surprised when I went to their site to read about what they are and
what I see in my logs. I don't understand, and, maybe I am getting a bit
paranoiac!!
Here is an extract of the error log:
[Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not exist: /var/www/documents.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/robots.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/priorites.html
[Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not exist: /var/www/qqimages.html
It is like that every weekend. It fills about 200 lines of errors every weekend.
Thierry
04-22-2008, 06:46 AM
Bob Cox
HS: How to ban some IP's to connect to apache server
On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
> On Tuesday 22 April 2008 08:14:43 Bob Cox wrote:
> > On Tue, Apr 22, 2008 at 07:08:22 +0200, Thierry Chatelet (tchatelet@free.fr)
> wrote:
> > > Hello
> > > I know it's not really debian related, but:
> > > A site call ripe.net is trying all sorts of addresses to go inside my
> > > sites, like mysite.com/var/www/documents and so on.
> >
> > That certainly seems like odd behaviour. RIPE is one of the five main
> > Internet registries (like ARIN in the US) and is a 'respected' member of
> > the Internet community.
> >
> > http://ripe.net/info/ncc/index.html
> >
> > As a matter of interest, what do these Apache log entries look like?
>
> Yes, I was surprise when I went to there site to read about what they are and
> what I see in my logs. I dont understand, and, maybe I am getting a bit
> paranoiac!!
>
> Here is an extract of the error log:
>
> [Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/documents.txt
> [Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/robots.txt
> [Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/priorites.html
> [Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not
> exist: /var/www/qqimages.html
>
> It is like that every WE. It fills about 200 lines of errors every WE.
> Thierry
bob@trantor:~$ host 88.131.106.6
6.106.131.88.in-addr.arpa is an alias for
6.0-26.106.131.88.in-addr.arpa.
6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.
A 'whois' on entireweb.com shows it belongs to someone in Sweden.
--
Bob Cox. Stoke Gifford, near Bristol, UK.
Registered user #445000 with the Linux Counter - http://counter.li.org/
04-22-2008, 07:10 AM
Thierry Chatelet
HS: How to ban some IP's to connect to apache server
On Tuesday 22 April 2008 08:46:40 Bob Cox wrote:
> On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
>
> bob@trantor:~$ host 88.131.106.6
> 6.106.131.88.in-addr.arpa is an alias for
> 6.0-26.106.131.88.in-addr.arpa.
> 6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.
>
>
> A 'whois' on entireweb.com shows it belongs to someone in Sweden.
This is what I get from networksolutions.com/whois/
88.131.106.6
Record Type: IP Address
NetRange: 88.0.0.0 - 88.255.255.255
CIDR: 88.0.0.0/8
NetName: 88-RIPE
NetHandle: NET-88-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06
Ouuupppps! If I go to: ripe.net/whois, I get, as you said, someone in Sweden,
with an email address:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '88.131.106.0 - 88.131.106.63'
inetnum: 88.131.106.0 - 88.131.106.63
netname: WORLDLIGHTCOM-NET
descr: Wordlight.com AB
country: SE
admin-c: AL6177-RIPE
tech-c: JS4232-RIPE
status: ASSIGNED PA
mnt-by: TELE1-SE-MNT
source: RIPE # Filtered
route: 88.131.0.0/16
descr: TDC Song AB
origin: AS3292
remarks: This network is assigned to se.tele1 customers
remarks: in Sweden. In case of routing problem, please
remarks: contact peering@sn.net, in case of inappropriate
remarks: usage or attacks please mail abuse@tdcsong.se
mnt-by: TELE1-SE-MNT
source: RIPE # Filtered
So I am going to write to them and see what happens.
Thanks
04-22-2008, 07:27 AM
Johannes Wiedersich
HS: How to ban some IP's to connect to apache server
Thierry Chatelet wrote:
> On Tuesday 22 April 2008 08:46:40 Bob Cox wrote:
>> On Tue, Apr 22, 2008 at 08:35:17 +0200, Thierry Chatelet (tchatelet@free.fr) wrote:
>> bob@trantor:~$ host 88.131.106.6
>> 6.106.131.88.in-addr.arpa is an alias for
>> 6.0-26.106.131.88.in-addr.arpa.
>> 6.0-26.106.131.88.in-addr.arpa domain name pointer c06.entireweb.com.
>>
>>
>> A 'whois' on entireweb.com shows it belongs to someone in Sweden.
>
>
> This is what I get from networksolutions.com/whois/
> 88.131.106.6
> Record Type: IP Address
>
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: P.O. Box 10096
> City: Amsterdam
> StateProv:
> PostalCode: 1001EB
> Country: NL
IIC, this is the registration agency that registers all IP addresses in
the European/Asian Region. That means all IPs located in Europe, the
Middle East and parts of Central Asia are registered at these servers.
1. http://en.wikipedia.org/wiki/RIPE_NCC
> ReferralServer: whois://whois.ripe.net:43
[snip]
> remarks: This network is assigned to se.tele1 customers
> remarks: in Sweden. In case of routing problem, please
> remarks: contact peering@sn.net, in case of inappropriate
> remarks: usage or attacks please mail abuse@tdcsong.se
> mnt-by: TELE1-SE-MNT
> source: RIPE # Filtered
Apparently some customer of a Swedish ISP is causing these connections
(or someone who hijacked a computer of the ISP or a customer).
HTH,
Johannes
04-22-2008, 08:48 AM
Ron Johnson
HS: How to ban some IP's to connect to apache server
On 04/22/08 01:09, Thierry Chatelet wrote:
> On Tuesday 22 April 2008 07:27:39 Lee Glidewell wrote:
>> On Monday 21 April 2008 10:08:22 pm Thierry Chatelet wrote:
>>> Hello
>>> I know it's not really debian related, but:
>>> A site call ripe.net is trying all sorts of addresses to go inside my
>>> sites, like mysite.com/var/www/documents and so on. About a month ago, I
>>> email to the owner of the site, and it stopped, until this WE. So, I
>>> would like to ban him (they have about 10 different IP addresses hosted
>>> on servers from Netherland to Asia) to log into my server. I known, I can
>>> do it using deny from + IP in each virtual host. What I would prefer to
>>> do is deny those IP's from the server, not from each host.My server is
>>> running etch ->
>>> apache2.2.3-4. How can I do that?
>>> Thierry
>> Thierry,
>> You could block the IP address (/range) in iptables, I suppose. That's
>> normally pretty extraneous as a security measure (that's not going to stop
>> anyone who's targeting you), but if there's a bot on that server that's
>> constantly bugging you, that should be a quick way of making it stop
>> filling up your access logs.
>
> Thanks for the answer. Did not think about iptables!! Could be a way of
> dealing with the problem.
> They are not really filling up my access.log but my error.log for sure. Since
There's a package in the repository that will scan your Apache logs
and generate appropriate IPtables rules. Sadly, I don't remember
the name.
--
Ron Johnson, Jr.
Jefferson LA USA
We want... a Shrubbery!!
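
The log-to-iptables idea raised in the replies above, sketched as an added example (not code from any poster, nor from the package Ron refers to): it parses Apache 2.2 "File does not exist" error-log lines like the extract posted earlier and emits DROP rules for noisy clients. The threshold, the "a robots.txt fetch suggests a crawler" heuristic and the 192.0.2.10 lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Apache 2.2 error_log "File does not exist" entry, as posted in the thread.
LINE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] "
                     r"File does not exist: (?P<path>.+)$")

# First four lines are the thread's extract (unwrapped); the 192.0.2.10 lines
# are constructed for this example (documentation address range).
SAMPLE_LOG = """\
[Sun Apr 20 13:34:51 2008] [error] [client 88.131.106.6] File does not exist: /var/www/documents.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/robots.txt
[Sun Apr 20 15:53:35 2008] [error] [client 88.131.106.6] File does not exist: /var/www/priorites.html
[Sun Apr 20 15:55:19 2008] [error] [client 88.131.106.6] File does not exist: /var/www/qqimages.html
[Sun Apr 20 16:01:02 2008] [error] [client 192.0.2.10] File does not exist: /var/www/admin
[Sun Apr 20 16:01:03 2008] [error] [client 192.0.2.10] File does not exist: /var/www/backup.zip
[Sun Apr 20 16:01:04 2008] [error] [client 192.0.2.10] File does not exist: /var/www/old
"""

def missing_file_hits(log_text):
    """Return {client_ip: [missing paths]} for parseable error-log lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            # Log text is client-influenced: accept only a real IPv4 address
            # (iptables is IPv4-only) before it can reach a command line.
            ip = str(ipaddress.IPv4Address(m.group("ip")))
        except ValueError:
            continue
        hits[ip].append(m.group("path"))
    return dict(hits)

def classify(paths, threshold=3):
    """Heuristic labels (assumption): a robots.txt fetch suggests a crawler."""
    if any(p.endswith("/robots.txt") for p in paths):
        return "crawler"
    return "noisy" if len(paths) >= threshold else "ok"

def iptables_rules(hits, threshold=3, block_crawlers=False):
    """Build port-80 DROP rules; crawlers are skipped unless asked for."""
    rules = []
    for ip in sorted(hits):
        label = classify(hits[ip], threshold)
        if label == "noisy" or (label == "crawler" and block_crawlers):
            rules.append(f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP")
    return rules
```

The client from the posted extract is labelled a crawler because it asked for robots.txt, so by default only the constructed 192.0.2.10 client gets a rule; review the generated rules before loading them.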
04-22-2008, 08:54 AM
Thierry Chatelet
HS: How to ban some IP's to connect to apache server
On Tuesday 22 April 2008 10:48:04 Ron Johnson wrote:
>
> There's a package in the repository that well scan your Apache logs
> and generate appropriate IPtables rules. Sadly, I don't remember
> the name.
>
> --
> Ron Johnson, Jr.
Old age, Ron? Well, I guess I too had better get used to it.
Thierry