Server :: Block Connections To Apache If Client Doesn't Have Valid Request Headers?
Feb 8, 2011
My server gets ddos attacks. I dig into access logs and I saw that attacker ips doesn't have valid requests headers, like their browser application info or requested url info.I want to close those connections immediately, and if it's possible block those ips for a time period.Can I do that with Apache and iptables?I searched on the internet but couldn't find useful results. Probably couldn't search for the right words.
Using netcat, nc(1), craft a valid http/1.1 request for getting http headers (not the html file itself!) for the main index page of www dot aalto dot fi. What request method did you use? Which headers did you need to send to the server? What was the status code for the request? Which headers did the server return? Explain the purpose of each header.
nc -v www dot aalto dot fi 8080 HEAD / HTML/1.1 host: www dot aalto dot fi And it returns: 200 OK Content-Length: 858 Content-Type: text/html Last-Modified: Thu, 02 Sep 2010 12:46:01 GMT [Code]....
I really don't know what does it mean. Question 2: Using netcat, nc(1), start a bogus web server listening on the loopback interface port 8080. Verify with netstat(, that the server really is listening where it should be. Direct your browser to the bogus server and capture the User-Agent: header "Direct your browser to the bogus server and capture the User-Agent: header" I don't understand this question.
I am new in linux,I installed apache-tomcat on fedora.I can view all web pages on localhost:8080 but when I try to view them by server's url address from another computer, I don't get respond.Can it be a firewall problem or something else?
Ok so, buddy of mine has his ssh server setup and upon checking his logs he sees a ton of failed attempts. Now obviously these are people that are scanning him and trying to brute force him. So is there a way to block them? We know you can block each IP but is there a way to block ALL connections except for certain ones, such as his and mine? Maybe a couple others.
'm running on Ubuntu and I've succesfully setup apache alongside with a working php & mysql configuration - other computers connected to the LAN can access it by typing in my ip: 192.168.0.9however I would like my webserver to be accessible by all internet users...I've got my ports.conf file in the apache setup to listen on ports 80 and 8080 this is my ports.conf:PHP Code:
I need to make a script in which I want to block an ip when its access on a web server exceeds than certain number e.g., 5000 for a particular time period, let's say for 6 hours or 12. If any ip exceeds that limit, it should automatically be blocked. I also want to run this script on regular intervals in 24 hours for atleast 2 times.
I'm having making network/internet connection with my laptop. I have:Toshiba 1415 S173laptop NetGear WG511T pcmcia card using madwifiNetGear WPNT511 pcmcia card using windows driver via ndiswrapperSlackware 12.2In both cases the card is recognized, and I can get a list of access points with iwlist.I can set the card to connect to the desired access point. I can use dhclient to get an ip address from the remote dhcp server. This works, the card is assigned a valid ip address on the desired network.Once I do this, however, I cannot access any network resources, no Internet, and no other devices on the network can see, ping, or access my laptop. It does this with with both cards, using madwifi or the windows driver via ndiswrapper.
Setup a new machine with Apache, identical setup to all the other machines I got, yet this one is logging hostnames instead of IPs.
"HostnameLookups" are "Off" and LogFormat settings are identical to all the other machines:
Code:
Added a new LogFormat directive:
Code:
And told the virtual hosts to use it:
Code:
This solved the problem, though I'm at a loss as to why I've got this behavior on just this one box and none of the others. OS is Debian Lenny, same version of Apache installed via Debian package.
My understanding from Apache doc [url] is that when "HostnameLookups" are "Off, "%h" will yield IP instead of hostname..
Code:
It features support for HTTPS, virtual hosting, CGI, SSI, IPv6, easy scripting and database integration, request/response filtering, many flexible authentication schemes, and more. Homepage: [url]
does anybody have a nice tutorial about creating and installing Apache client certificate (PKCS12) ? I`m looking for some tutorials to CentOS. This what I have found on the internet for some reasons doesnt work. Or maybe somebody could write here how to do it?
I use Ubuntu in my office NIS environment and I can't upgrade the whole network to LDAP right. I upgraded to 10.04 recently and reinstalled the NIS client and associated packages, among other things.
I have set up my /etc/nsswitch.conf file so that passwd, group and shadow all have "files nis", I'm bound to the correct NIS domain and I can do "ypcat -k passwd" or "ypcat -k hosts" just fine.
Problem is that I can't log on or su to any NIS user, I just get "authentication failure". I've tried the same usernames and passwords on Red Hat NIS clients on the same domain and they work fine.
But when I try to check for syntax errors tells me SSLRequire not allowed here I do not want to add SSLRequire on the main httpd.conf because I only want it for one virtual host. The rest of the virtual hosts do not need it.
I wanted to know how can I set a period of time to a tcp connection to wait for request or respond for tcp block read. which system call or function I can use? Does any body know a very simple quick and easy reference on web for socket programing that has lots of socket programing examples in it?
I'm trying hard to run an openvpn server on a openvz VPS, the problem is packets sent from openvpn server process, doesnt reach the client, so connection is never stablished (I run tcpdump on server and wireshark on client to carefully investigate whats wrong), the first guess is that a kind of firewall is blocking traffic (I tried connecting to server through different ISP's but it's possible the national network provider applied some filtering but it cant be on IP,src port or dst port as I'd tried different configuration.
what about deep packet inspection technics, is it possible to block my traffic?) but at exactly the same time I can transmit UDP packets using netcat from server to the guest. there is no firewall enabled in between, I had tried, tcp and udp, tried both open vpn and openvpnAS and tried any thing one can imagine! the VPN is configured as a routed (TUN) type on debian
on my linux server i have many websites but with difrent ips address, is some way to i can block all the ips with many connection (100+) just from my website not from all websites
apache virtual host to limit the concurrent connections of virtual hosts? Taking into account the host of each virtual user's home directory can also have more than one subdirectory, which should be restricted to a subdirectory. Is beyond the control of the operation of these sites in a subdirectory. Best local restrictions or limitations to the overall situation.
I need some suggestions on software. I would like to offer remote desktop support to some of our clients, but some of them are using ISP's that block incoming connections so, VNC is out of the question. I was wondering if there is something similar to logmein for ubuntu?
New User to Ubuntu by the way. I have two computers, both running Ubuntu 10.4 fully updated and I am trying to bring files from one computer to the other with Filezilla ftp client. I was able to do this before, but I ended up having to reformat because of a driver screwup that I couldn't figure out how to fix. Now I am at a loss on how I managed to allow the computer with the files to connect to the one receiving the files. Computer A is the one that has the files that I am trying to send to computer B. Every time I try to send them over I get a "connection was refused" error.
Typed in the right IP, username, password, and port but still wont connect. Are there any things I have to do in terminal to allow access? I installed firestarter and just disabled it so ports should be open. By the way, I am using FTP because it was much simpler then trying to dink around with Samba and this is a pretty safe network. - Enabled firewall, forwarded the ports in the events list then we get "request timed out" - Reformatted> Fresh install >Updated
when I try to access any page even small html pages it stays like 3 seconds in HTTP request sent; waiting for response. state..even when I use Lynx locally on the server..bypassing any possible network issues..logs dont show a thing..the server itself is a high end server with nothing running on it apart from apache which is not serving anny clients now, firewall is disabled and hostnamelookups are set to OFF.
I have noticed interesting problem. I use two browsers - Firefox and Konqueror. Konqueror is configured to use tor, Firefox not. Using Gufw I block all incoming and outgoing traffic and it works while using Firefox, I mean that I can't view any www site and it is ok. But if I use Konqueror I can establish any conection. How to understand this? Should I have different firewall while using tor?
*Am trying to configure on machine ?MyServer.net? apache on port 8586. *Two applications run on same machine on different ports Jenkins on 8081 and Hudson on 8080.*Request coming to 8586 port should redirect to either 8080 or 8081 on one condition. *The request from client machine coming to MyServernet:8586 looks something like this ?MyServer.net/job/<JOBNAME>/build?token=TOKEN?.
Condition If <JOBNAME> is ?naveen? apache should redirect to 8081. If <JOBNAME> is not ?naveenn? apache should redirect to 8080.
I'm having some basic doubt! Consider 5 virtual domains has configured under a same server. I mean 5 different domains under same IP. Eg. mydomain1.com and mydomain2.com have IP 208.27.1.89. So when web browser request for mydomain1.com name server return IP address 208.27.1.89. Then browser contact IP 208.27.1.89 on port 80. Here comes my question how does apache know that the browser is looking for mydomain1.com not mydomain2.com. How apache differentiate the request for it's virtual hosts? By the way, what is a virtualhost ?
Anyone know what this signifies in the Apache logs files:
Code: [Tue May 04 20:56:06 2010] [error] [client *******] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) [Tue May 04 20:56:06 2010] [error] [client *********] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) [Tue May 04 21:05:18 2010] [error] [client ********] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) [Tue May 04 21:05:18 2010] [error] [client ********] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
I am still new to ubuntu and I use firestarter as my firewall tool and I was told that its just ufw in a gui. Well anyways I noticed a connection to 174.129.241.144 using https and python, I didn't have any scripts running and my browser was closed, I read the man files for ufw and it said to do something like deny from 174.129.0.0/12 and I want to block all incoming and outgoing connections to this IP range and I was wondering how to do that, I heard of iptables that it would be able to do this but I dont know anything about it. What I should learn so I can handle these kinds of situation in the future and how I can block this ip subnet or also what does the /8, /12, and /16 stand for?
I'm running CentOS 5.3 64bit and from the get go I've had problems with the Apache server.More specifically, on what seems to be a random occurance, the apache server stops to respond.The process is still running, but nothing happens with it, and it is not responding.The /var/logs/httpd/error_log is blank for the occurance and only shows an entry after I give it a restart.So I'm a bit confused about what is going on.With that said, I need to make sure the httpd is working one way or another.I don't want to force a restart service every 10 minutes as this seems a bit too much.However, I do want to have the following:
run a crond every minute to do:If it fails, then do service httpd restart (and log the failure and restart to a file and email me a message).Any pointers on how to do that?It ain't the pretty solution, but it will save me from a very angry user until I'll figure what is the real cause for this failure.
