Re: apache config question - China IP's

[Michael Schurter <michael@synthesyssolutions.com>]

Kevin Coyner wrote:
> On Mon, Feb 20, 2006 at 09:41:42PM -0600, Jacob S wrote......
>
> > > 221.226.124.109 - - [20/Feb/2006:16:17:10 -0500] "GET
> > > http://1-shops.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b HTTP/1.1"
> > > 404 288 "http://www.google.com/intl/en-us/"; "Mozilla/4.0
> > > (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 1.0.5)"
> > >
> > > So what is this?  They are not requesting pages that exist on my
> > > server, but pages on other domains.  My server gives the proper
> > > error code back - 404.
> > They're looking for open proxies. People that are lazy in
> > loading/configuring mod_proxy in apache can easily turn a
> > webserver into an open proxy. So they scan for one, similar to the
> > way we've all seen attempts at finding open smtp gateways or
> > easily crackable ssh passwords.
>
>
> So aside from setting up some iptables 'drop' rules, is there any
> other way from keeping this from occuring?  It's messing up my web
> stats since these guys are requesting more non-existent pages that I
> have real pages on the website.

You could exploit the fact that they're trying to access nonexistent 
domain names on your system by setting up your default virtual host to 
redirect them elsewhere (such as http://blackhole-1.iana.org/ or 
http://localhost/).

Or if they're really using a crawler called "Crazy Bowser" you could 
pretty easily block them with BrowserMatch in Apache.  Sorry I don't 
remember what the exact line should be, but spending a few minutes at 
http://httpd.apache.org/docs/ should help.

Using your firewall is probably the best way of blocking such traffic, 
but as a fellow sysadmin I understand that blocking entire IP ranges 
isn't really appealing.

Michael Schurter