Patrick's Rants


Fending Off The Bots

Filed under: Geek News and Stuff — site admin @ 8:44 pm

Anyone who runs anything online has had to deal with bots. WordPress has plugins to fight spam of all kinds, bulletin boards and mailing lists have to remain vigilant and firewalls have to be erected on personal computing and company networks. This last week the district closed up shop for two days to get the place cleaned up after a heavy snowfall on Monday. I took the opportunity to do a little reading and to try to fortify my web server. I started out trying to get my Apache logs cleaned up and found to have a nice beginning. I don’t have everything working the way Jeff writes about over there, but let me tell you what I have been able to do. First, I’m using a simple add-on to httpd.conf that looks like this:
RewriteEngine On
# Forbid paths carrying characters no normal request needs. A bare "/" alternative here
# would match every URI (all paths start with "/"), so the double slash is matched instead;
# "\\\\\.\.\\\\" survives the config parser's collapsing of "\\" to "\" as the regex
# \\\.\.\\, i.e. a literal "\..\" (Windows-style traversal).
RewriteCond %{REQUEST_URI} ^.*(,|;|:|<|>|">|"<|//|\\\\\.\.\\\\).* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\=|\@|\[|\]|\^|\`|\{|\}|\~).* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Forbid query strings that try to pull in a remote URL.
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
# Forbid raw or encoded CR/LF in the request line.
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC]
RewriteRule ^(.*)$ - [F,L]
# Any URL path containing a double slash gets a 403 outright.
RedirectMatch 403 \/\/(.*)

To be honest I think the biggest workhorse is the double slash redirecting to 403 “Forbidden”. I’m not even sure that the rewrite stuff is even working (I’m going to spend some time on it in the future to crank up the logging on it to see if it truly is working). Now all the danged bots looking for vulnerabilities on my web server hit those 403s. I set up a simple script to look for 403 and 404 failures. It takes those failures and adds a rule to iptables to drop the host if it happens to hit too many times. I screen out the requests for the favicon.ico file, robots.txt and even other image types and I’m left with a small list of hosts that try to pound away at my server. I currently have it configured to look at the current Apache server logs for the 403 and 404 errors. It then (hourly) inserts a simple drop rule for that host into iptables, which then logs additional attempts to connect. And by additional attempts I mean on any port. So if somebody’s Windows computer is compromised and they have a bot that tries to compromise my server, I block any future attempts to connect to my server via email, IRC, etc. And those attempts are logged while my server looks like it dropped off the face of the earth to the infected machine. So I won’t be getting spam from those infected hosts either.

Now if infected (or misconfigured – msn search is hitting a lot of 404s – stupid bot) machines try connecting after getting the firewall treatment they will stay blocked for a month. Otherwise hosts that are cleaned up will only be in the block list for a couple of weeks the way it’s all configured. Then they can be back reading my rants. I also added a twist. I have a script that dumps the addresses of the stupid bots where my home firewall can grab the list nightly and add those IPs to a squidGuard blacklist. So if those hosts happen to be running rogue web servers, at least no one here will try to connect to them.
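As an added illustration (not the author's script, which the post does not show), here is a Python sketch of the two steps described above: counting 403/404 misses per client from Apache's common log format while ignoring favicon.ico, robots.txt and image requests, and ageing blocked hosts out after two weeks, or a month if they kept knocking. It assumes a threshold of three failures per host, and the iptables commands are returned as strings rather than executed.

```python
import re
from collections import Counter
from datetime import timedelta

# Apache common/combined log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# Misses that innocent clients produce all day: favicon.ico, robots.txt, broken image links.
IGNORED = re.compile(r'(?i)(/favicon\.ico$|/robots\.txt$|\.(gif|jpe?g|png|ico)$)')

# Constructed sample log using RFC 5737 documentation addresses, not the author's real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2007:21:02:11 -0700] "GET //scripts/setup.php HTTP/1.1" 403 -
203.0.113.5 - - [10/Feb/2007:21:02:12 -0700] "GET //admin/setup.php HTTP/1.1" 403 -
203.0.113.5 - - [10/Feb/2007:21:02:13 -0700] "GET /setup.php HTTP/1.0" 404 214
198.51.100.7 - - [10/Feb/2007:21:05:00 -0700] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.7 - - [10/Feb/2007:21:05:01 -0700] "GET /rants/ HTTP/1.1" 200 5120
192.0.2.44 - - [10/Feb/2007:21:07:30 -0700] "GET /robots.txt HTTP/1.1" 404 208
192.0.2.44 - - [10/Feb/2007:21:07:31 -0700] "GET /old-post HTTP/1.1" 404 215
"""

def failures_by_host(log_text, threshold=3):
    """Count 403/404 responses per client (minus ignored paths); return hosts at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['status'] not in ('403', '404') or IGNORED.search(m['path']):
            continue  # malformed line, a successful request, or harmless noise
        counts[m['host']] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

def iptables_rules(hosts):
    """Render LOG-then-DROP rules per host as strings; nothing is executed here."""
    rules = []
    for host in sorted(hosts):
        rules.append(f'iptables -A INPUT -s {host} -j LOG --log-prefix "blocked-bot: "')
        rules.append(f'iptables -A INPUT -s {host} -j DROP')
    return rules

def expire(blocklist, now, quiet_days=14, noisy_days=30):
    """blocklist: host -> (blocked_at, hit_after_block). Hosts that kept knocking after the
    block stay a month; hosts that went quiet are released after two weeks. Returns released."""
    released = []
    for host, (blocked_at, hit_after_block) in list(blocklist.items()):
        ttl = timedelta(days=noisy_days if hit_after_block else quiet_days)
        if now - blocked_at >= ttl:
            released.append(host)
            del blocklist[host]
    return released
```

The hit_after_block flag is what the kernel LOG rule feeds back: a host that shows up in the firewall log after being dropped is the one that earns the longer ban.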

I’m sure there are much better solutions – and I might add hosts that run ssh connection sweeps to a block list – but I’m having fun thinking about all the ways I can make something like this work and cut down on the break-in attempts on the web server.
