
Re: apache config question - China IP's



On Tue, 21 Feb 2006 12:03:39 -0600
Michael Schurter <michael@synthesyssolutions.com> wrote:

> Kevin Coyner wrote:
> > 
> > On Mon, Feb 20, 2006 at 09:41:42PM -0600, Jacob S wrote......
> > 
> >>> 221.226.124.109 - - [20/Feb/2006:16:17:10 -0500] "GET
> >>> http://1-shops.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b HTTP/1.1"
> >>> 404 288 "http://www.google.com/intl/en-us/" "Mozilla/4.0
> >>> (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 1.0.5)"
> >>>
> >>> So what is this?  They are not requesting pages that exist on my
> >>> server, but pages on other domains.  My server gives the proper
> >>> error code back - 404.
> >> They're looking for open proxies. People that are lazy in
> >> loading/configuring mod_proxy in apache can easily turn a
> >> webserver into an open proxy. So they scan for one, similar to the
> >> way we've all seen attempts at finding open smtp gateways or
> >> easily crackable ssh passwords.
> > 
> > 
> > So aside from setting up some iptables 'drop' rules, is there any
> > other way from keeping this from occurring?  It's messing up my web
> > stats since these guys are requesting more non-existent pages than I
> > have real pages on the website.
> 
> You could exploit the fact that they're trying to access nonexistent 
> domain names on your system by setting up your default virtual host
> to redirect them elsewhere (such as http://blackhole-1.iana.org/ or 
> http://localhost/).
> 
> Or if they're really using a crawler called "Crazy Browser" you could 
> pretty easily block them with BrowserMatch in Apache.  Sorry I don't 
> remember what the exact line should be, but spending a few minutes at 
> http://httpd.apache.org/docs/ should help.
> 
> Using your firewall is probably the best way of blocking such
> traffic, but as a fellow sysadmin I understand that blocking entire
> IP ranges isn't really appealing.

Crazy Browser is a legitimate browser built on top of Internet
Exploder. Hence why the name Crazy fits it so well. :-) Then again, if
they're not smart enough to use Firefox or something other than IE,
maybe he would want to block them. 

If it's only the stats you're worried about, you could always use a
different stats/modify your current stats program so that it only shows
valid requests. I believe awstats puts 404s in a different section, if
you configure it properly. 

HTH,
Jacob
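
One way to keep the proxy probes out of the web stats, as suggested in the message above. This is an added example, not part of the original thread: it splits an Apache combined-format log into normal hits and proxy probes (absolute-URI targets for foreign hosts, or CONNECT). The `OWN_HOSTS` names, the function names and every sample line except the first are assumptions constructed for illustration.

```python
import re

# Request line, then status, inside an Apache combined-format log entry.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) ')

# Hostnames this server really serves (assumption; use your own vhost names).
OWN_HOSTS = {"www.example.org", "example.org"}

def is_proxy_probe(line, own_hosts=OWN_HOSTS):
    """True if the entry looks like an open-proxy probe, not a page hit."""
    m = REQUEST_RE.search(line)
    if not m:
        return False  # unparseable lines are left for the stats tool
    if m.group("method") == "CONNECT":
        return True   # tunnel request, only meaningful to a proxy
    host = re.match(r"(?i)https?://([^/:?#]+)", m.group("target"))
    # Absolute-URI target: a probe unless it names one of our own hosts.
    return bool(host) and host.group(1).lower() not in own_hosts

def split_log(lines, own_hosts=OWN_HOSTS):
    """Return (clean, probes): clean feeds the stats tool, probes go to review."""
    clean, probes = [], []
    for line in lines:
        (probes if is_proxy_probe(line, own_hosts) else clean).append(line)
    return clean, probes

def answered_probes(probes):
    """Probes that got a 2xx/3xx. Often just the default vhost answering,
    but worth confirming that mod_proxy is not forwarding them."""
    return [p for p in probes if REQUEST_RE.search(p).group("status")[0] in "23"]

SAMPLE = [
    # Log line from the thread above, re-joined onto one line.
    '221.226.124.109 - - [20/Feb/2006:16:17:10 -0500] "GET http://1-shops.com/prx.php?p=q1w2e3r4t5y6u7i8o9p0*a-b HTTP/1.1" 404 288 "http://www.google.com/intl/en-us/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 1.0.5)"',
    # Constructed lines (documentation IP ranges and example hostnames).
    '192.0.2.10 - - [20/Feb/2006:16:18:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Feb/2006:16:19:40 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 310 "-" "-"',
    '192.0.2.11 - - [20/Feb/2006:16:20:11 -0500] "GET http://www.example.org/about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [20/Feb/2006:16:21:05 -0500] "GET http://other.example.com/ HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    clean, probes = split_log(SAMPLE)
    print(f"{len(clean)} normal hits, {len(probes)} proxy probes")
    for entry in answered_probes(probes):
        print("check proxy config:", entry[:80])
```

Feed the `clean` list to the stats program; the user agent is deliberately ignored, since Crazy Browser is also used by ordinary visitors.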
