Topic: How to avoid bad bot request
bagu



Joined: 06 Jan 2011
Posts: 187
Location: France

Posted: Fri 06 Dec '13 13:01    Post subject: How to avoid bad bot request

Hello,

I have many lines in my Apache log like this:
Code:
[Thu Dec 05 22:58:39.948791 2013] [core:error]
[pid 5116:tid 1416] (22)Invalid argument: [client
108.162.215.67:34097] AH00036: access
to /+++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++ Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7
\xee\xe2\xe0\xed\xfb+\xe4\xe0
....
....
....
\xe2\xea\xe8;+\xe2\xee\xe7\xec\xee\xe6\xed\xee,+\xf0
\xe5\xe3\xe8\xf1\xf2\xf0\xe0\xf6\xe8
\xff+\xed\xe5+\xf3\xe4\xe0\xeb\xe0\xf1\xfc+(\xe2
\xfb\xf1\xeb\xe0\xed+\xea\xee\xe4+\xe0\xea\xf2\xe8
\xe2\xe0\xf6\xe8\xe8+/+\xe8\xf1\xef\xee\xeb\xfc\xe7
\xf3\xe5\xf2\xf1\xff+\xe4\xee\xef\xee\xeb\xed\xe8\xf2
\xe5\xeb\xfc\xed\xe0\xff+\xe7\xe0\xf9\xe8\xf2
\xe0+/+\xf1\xe1\xee\xe9+\xe2+\xf0\xe0\xe1\xee\xf2
\xe5+\xf4\xee\xf0\xf3\xec\xe0+/register.php failed
 (filesystem path '/hyze/html/forum/++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++ Result:+\xe8\xf1
\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed\xfb+\xe4\xe0
\xed\xed\xfb\xe5+x_fields.txt;+\xe8\xf1

...
...
...\xff+\xed\xe5+\xf3\xe4\xe0\xeb\xe0\xf1\xfc+(\xe2
\xfb\xf1\xeb\xe0\xed+\xea\xee\xe4+\xe0\xea\xf2\xe8
\xe2\xe0\xf6\xe8\xe8+'), referer:
http://forum.hyze.fr/register.php


I know this is a spam bot, but every time such a bot tries to subscribe on one of my forums, I get many errors in the log.

Is there a way to avoid this kind of request using htaccess? (mod_security is really hard to configure; I can't make it work with Roundcube, for example.)
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Sat 07 Dec '13 11:45

That is an attempt at hacking your server. You might use mod_security to filter and block that.
bagu



Joined: 06 Jan 2011
Posts: 187
Location: France

Posted: Sat 07 Dec '13 12:00

As I wrote, mod_security is really hard to configure. When I try to use it, Roundcube stops working (Roundcube is a webmail).

So, unless you can provide me with a sample mod_security configuration which allows Roundcube to work, I can't use it.
bagu



Joined: 06 Jan 2011
Posts: 187
Location: France

Posted: Sun 08 Dec '13 0:47

After a day, I have mod_security rules working for Roundcube, but the attacks continue.

Here is my mod_security conf: http://pastebin.com/88v0aD3q

And I still receive this kind of error:

Code:
[Sat Dec 07 16:54:53.336173 2013] [core:error]
[pid 5264:tid 1396] (20024)The given path is misformatted or
contained invalid characters:
[client 173.245.55.111:61462] AH00036: access
to /modules/news/submit.php+++++++++++++++++++++++Res
ult:+chosen+nickname+"Droppitnendop";+captcha+recogni
zed;+registered;+logged+in;+success;+BB-
code+not+working; failed (filesystem
path '/www/wwwbagubiz/html/www/modules/news/submit.php
+++++++++++++++++++++++Result:+chosen+nickname+"Dropp
itnendop";+captcha+recognized;+registered;+logged+in;
+success;+BB-code+not+working;'), referer:
http://www.bagu.biz/modules/news/submit.php++++++++++
+++++++++++++Result:+chosen+nickname+%22Droppitnendop%
22;+captcha+recognized;+registered;+logged+in;+success
s;+BB-code+not+working;


I don't know how to avoid it.
Can you help me, please?
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Sun 08 Dec '13 21:27

You can't avoid it, you have a server on the internet and it's going to accept all connections from the internet.

The thing is, do you have protections against it (current versions of software, mod_security)?
As long as you have protections in place, they are not going to get very far.

You could block IPs at the firewall, but that would be like a dog chasing its tail, or just power the server off.
bagu



Joined: 06 Jan 2011
Posts: 187
Location: France

Posted: Sun 08 Dec '13 22:10

I just have secure rules in mod_security (latest version).
Bot protection using mod_rewrite.
Firewall protection using iptables rules.
Apache protection using very limited rights for users.
DDoS protection using Cloudflare.

I thought there was a solution to avoid misformatted URLs using a rule in mod_security.

If there's no way to do it, I will ignore it, but there are a bunch of these lines in the logs.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Thu 12 Dec '13 23:13

Since you use iptables, you must use a *nix system. There I recommend using fail2ban. It can read the Apache error log and ban IPs on the fly.
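
An added example, not part of the original post and not fail2ban's own code: the error-log matching that such a ban would rest on, run over constructed AH00036 lines shaped like the ones quoted earlier in the thread. It assumes the two CIDR blocks shown are current Cloudflare ranges and uses a hypothetical threshold of two hits; the client addresses in the thread's log excerpts fall inside those blocks, so the function reports them separately instead of listing them for a ban.

```python
import ipaddress
import re
from collections import Counter

# Two ranges from Cloudflare's published IPv4 list (assumption: refresh from
# the current list before relying on them).
CLOUDFLARE_NETS = [ipaddress.ip_network(n)
                   for n in ("108.162.192.0/18", "173.245.48.0/20")]

# Apache 2.4 error-log entry for a request path the filesystem rejected.
AH00036 = re.compile(r"\[client (?P<ip>\S+):\d+\] AH00036: access to ")

# Constructed sample: shortened entries shaped like those quoted in the thread,
# plus a direct (non-proxied) client from a documentation range.
SAMPLE_LOG = """\
[Thu Dec 05 22:58:39.948791 2013] [core:error] [pid 5116:tid 1416] (22)Invalid argument: [client 108.162.215.67:34097] AH00036: access to /+++ Result:+x/register.php failed (filesystem path '/srv/www/+++ Result:+x')
[Sat Dec 07 16:54:53.336173 2013] [core:error] [pid 5264:tid 1396] (20024)The given path is misformatted or contained invalid characters: [client 173.245.55.111:61462] AH00036: access to /submit.php+++Result:+x; failed (filesystem path '/srv/www/submit.php+++Result:+x;')
[Sat Dec 07 16:55:01.000001 2013] [core:error] [pid 5264:tid 1396] (20024)The given path is misformatted or contained invalid characters: [client 203.0.113.9:40001] AH00036: access to /a.php+++Result:+x; failed (filesystem path '/srv/www/a.php+++Result:+x;')
[Sat Dec 07 16:55:02.000002 2013] [core:error] [pid 5264:tid 1396] (20024)The given path is misformatted or contained invalid characters: [client 203.0.113.9:40002] AH00036: access to /b.php+++Result:+x; failed (filesystem path '/srv/www/b.php+++Result:+x;')
[Sat Dec 07 16:55:03.000003 2013] [authz_core:error] [pid 5264:tid 1396] [client 203.0.113.9:40003] AH01630: client denied by server configuration: /srv/www/private
"""


def is_cloudflare(ip):
    """True if ip parses and lies inside one of the listed CDN ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)


def ban_candidates(log_text, threshold=2):
    """Return (ban, proxied): direct clients at or over threshold, and CDN edges seen."""
    hits = Counter(m.group("ip") for m in map(AH00036.search, log_text.splitlines()) if m)
    ban, proxied = [], {}
    for ip, count in sorted(hits.items()):
        if is_cloudflare(ip):
            proxied[ip] = count  # an edge address: a ban here blocks real visitors too
        elif count >= threshold:
            ban.append(ip)
    return ban, proxied


if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

Behind Cloudflare the visitor's address arrives in the `CF-Connecting-IP` request header, so a ban keyed on the logged client address only works once the server restores it, for example with mod_remoteip.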
bagu



Joined: 06 Jan 2011
Posts: 187
Location: France

Posted: Thu 12 Dec '13 23:17

Nope, I use an Asus RT-N66U as router, but a Windows server behind it.

Fail2ban is wonderful, however. But if I can find a way to do the same thing on Windows to control the router firewall, I will be happy.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg

Posted: Fri 13 Dec '13 16:38

If you can install a Samba client on the router and read the log files on the Windows server, it might work.
bagu



Joined: 06 Jan 2011
Posts: 187
Location: France

Posted: Fri 13 Dec '13 16:58

I will look into this.
Because there is a Samba server on the router, maybe there is also a Samba client.
Reading the log will be easy.