Unable to use httpd.conf to block certain IPs

Fix it!!

Postby flowersrj » Wed Jul 08, 2009 9:01 am

richardK,

1) My httpd.conf is looks like this ...

RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 9

# is this required?
Options +FollowSymLinks

#
RewriteCond %{REQUEST_URI} ^.*(,|;|:|<|>|">|"<|/|\\\.\.\\|\\r).*$ [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\=|\@|\[|\]|\^|\`|\{|\}|\~|\\n).*$ [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(\'|%0A|%0D|%27|%3C|%3E|%00).*$ [NC]
RewriteRule ^(.*)$ - [F]

# these extensions
RewriteCond %{THE_REQUEST} ^.*(bs|php|dll).*$ [NC]
RewriteRule ^(.*)$ http://${REMOTE_ADDR}/ [R]

#
RewriteCond %{THE_REQUEST} ^!(POST\ /|GET\ /).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\xc9\\xc9).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(/mail/|/roundcube/|/user/).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(_vti_bin|w00tw00t|google|proxyfire).*$ [NC]
RewriteRule ^(.*)$ http://${REMOTE_ADDR}/ [R]

# stop these agents
RewriteCond %{HTTP_USER_AGENT} ^.*(Morfeus|Fucking|Toata).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^\-$ [NC]
RewriteRule ^(.*)$ http://${REMOTE_ADDR}/ [R]

# these referrers
RewriteCond %{HTTP_REFERRER} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_REFERRER} ^http://(www\.)?.*(-|.)?adult(-|.).*$ [NC,OR]
RewriteCond %{HTTP_REFERRER} ^http://(www\.)?.*(-|.)?poker(-|.).*$ [NC,OR]
RewriteCond %{HTTP_REFERRER} ^http://(www\.)?.*(-|.)?SPAM(-|.).*$ [NC]
RewriteRule ^(.*)$ - [F]

# cookie exploits
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0a|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ - [F]

# user agents
RewriteCond %{HTTP_USER_AGENT} ^$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(HTTrack|clshttp|archiver|loader|email|nikto|miner|python).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract).*$ [NC]
RewriteRule ^(.*)$ - [F]

RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).*$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\.|\*|;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|insert|cast|set|declare|drop|update).*$ [NC]
RewriteRule ^(.*)$ - [F]

# allow ServerSideIncludes to show date forthe folder only
<Directory /var/www/camera/*>
AllowOverride All
Options Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</Directory>

2. This is what my /etc/apache2/sites-enabled/default site file looks like ...

NameVirtualHost *
<VirtualHost *>
ServerAdmin xxxxxxxxxx@gmail.com

DocumentRoot /var/www/

<Directory />
Options +FollowSymLinks
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride
Order allow,deny
Allow from all
Deny from 61
Deny from 76.120.153.220
# Deny from 192.168.1.1
</Directory>

<Directory /var/www/camera/>
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride none
Order allow,deny
Allow from all
AddType text/html shtml
AddHandler server-parsed shtml
</Directory>

<Directory /var/www/test/>
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined
ServerSignature Off

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

</VirtualHost>

I will change the line 'AllowOverride' above to 'AllowOverride All' in the DEFAULT site file.

Thanks,
Rich




Rich
Last edited by flowersrj on Fri Jul 10, 2009 1:55 pm, edited 1 time in total.
flowersrj
 
Posts: 13
Joined: Tue Jun 30, 2009 5:59 pm

Postby flowersrj » Wed Jul 08, 2009 9:22 am

richardk,

I am now seeing some entries in the rewrite log when I access the site.

Now its time to wait and see what populates it. I also changed the log level to 5 to see the effect.

Thanks,
Rich
flowersrj
 
Posts: 13
Joined: Tue Jun 30, 2009 5:59 pm

Postby richardk » Wed Jul 08, 2009 2:20 pm

1) My httpd.conf is looks like this ...

Does all that mod_rewrite work? Do you get redirected if you visit .php files?

RewriteRule ^(.*)$ - [F]

should be
Code: Select all
RewriteRule .* - [F,L]


RewriteRule ^(.*)$ http://${REMOTE_ADDR}/ [R]

should be
Code: Select all
RewriteRule .* http://%{REMOTE_ADDR}/? [R,L]


Try adding
Code: Select all
RewriteCond %{REMOTE_ADDR} ^128\.147\.28\.2$ [OR]
RewriteCond %{REMOTE_ADDR} ^76\.120\.153\.220$ [OR]
RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.105$ [OR]
RewriteCond %{REMOTE_ADDR} ^61\.
RewriteRule .* - [F,L]

after
Code: Select all
Options +FollowSymLinks

in your httpd.conf.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby flowersrj » Wed Jul 08, 2009 6:16 pm

richardk,

Don't know about the .php file redirection.

I got most of this from tutorials and examples on the web. It initially started when I got tired of the same entries in my log every night originating from China trying funny stuff plus the Toata and Morfeus scans.

I did have the IPs defined like you have written until you mentioned putting them in DENY statements.

Thanks for all your help as I could not of got this to work without your help sir.
Ricch
flowersrj
 
Posts: 13
Joined: Tue Jun 30, 2009 5:59 pm

Postby flowersrj » Thu Jul 09, 2009 7:09 am

richardk,

I spoke too quickly.

Even though I get log entries in my RewriteLog, entries in the httpd.conf seem to be ignored. As a test, I added my own IP from work into it and it is allows me access I was using your example from above.

RewriteCond %{REMOTE_ADDR} ^128\.147\.28\.2$
RewriteRule .* - [F,L]


-rich
flowersrj
 
Posts: 13
Joined: Tue Jun 30, 2009 5:59 pm

Postby richardk » Thu Jul 09, 2009 10:27 am

Add
Code: Select all
RewriteOptions Inherit

to all <VirtualHost>s (that the httpd.conf file rules should apply to).
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby flowersrj » Thu Jul 09, 2009 10:49 am

richardk,

Only have one virtual host entry

<VirtualHost *>

and I added it after the DocumentRoot entry and before the <Directory /> entry. No change after doing a

'sudo apache2ctl restart'

it should of blocked me from work.

Rich
flowersrj
 
Posts: 13
Joined: Tue Jun 30, 2009 5:59 pm

Postby richardk » Fri Jul 10, 2009 9:33 am

Try putting the mod_rewrite in the <VirtualHost> instead.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby flowersrj » Fri Jul 10, 2009 10:37 am

richardk,

No change, after the restart. Moved everthingto /etc/apache2/sites-available/default which now looks like this:

NameVirtualHost *
<VirtualHost *>
ServerAdmin xxxxxxxxx@gmail.com

DocumentRoot /var/www/

RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 9

RewriteCond %{REMOTE_ADDR} ^128\.147\.28\.2$
RewriteRule .* - [F,L]

<Directory />
Options +FollowSymLinks
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Deny from 61
Deny from 76.120.153.220
</Directory>

<Directory /var/www/camera/>
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride All
Order allow,deny
Allow from all
AddType text/html shtml
AddHandler server-parsed shtml
</Directory>

<Directory /var/www/test/>
Options FollowSymLinks
AllowOverride All
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 128.147.28.2
</Directory>

and /etc/apache2/httpd.conf is now empty

When I try to access from 192.168.1.205 using my registered host name I see this in the rewrite log. It thinks my laptop's address is my NAT router.

192.168.1.1 - - [10/Jul/2009:20:04:15 --0400] [mysite.com/sid#81e73b0][rid#833bdc0/initial] (2) init rewrite engine with requested uri /
192.168.1.1 - - [10/Jul/2009:20:04:15 --0400] [mysite.com/sid#81e73b0][rid#833bdc0/initial] (3) applying pattern '.*' to uri '/'
192.168.1.1 - - [10/Jul/2009:20:04:15 --0400] [mysite.com/sid#81e73b0][rid#833bdc0/initial] (4) RewriteCond: input='192.168.1.1' pattern='^128\.147\.28\.2$' => not-matched
192.168.1.1 - - [10/Jul/2009:20:04:15 --0400] [mysite.com/sid#81e73b0][rid#833bdc0/initial] (4) RewriteCond: input='192.168.1.1' pattern='^192\.168\.1\.105$' => not-matched
192.168.1.1 - - [10/Jul/2009:20:04:15 --0400] [mysite.com/sid#81e73b0][rid#833bdc0/initial] (2) forcing responsecode 403 for /

When I access it locally I see

192.168.1.105 - - [10/Jul/2009:20:18:16 --0400] [192.168.1.200/sid#81e73b0][rid#833bdc0/initial] (2) init rewrite engine with requested uri /flowers/flowers.jpg
192.168.1.105 - - [10/Jul/2009:20:18:16 --0400] [192.168.1.200/sid#81e73b0][rid#833bdc0/initial] (3) applying pattern '.*' to uri '/flowers/flowers.jpg'
192.168.1.105 - - [10/Jul/2009:20:18:16 --0400] [192.168.1.200/sid#81e73b0][rid#833bdc0/initial] (4) RewriteCond: input='192.168.1.105' pattern='^128\.147\.28\.2$' => not-matched
192.168.1.105 - - [10/Jul/2009:20:18:16 --0400] [192.168.1.200/sid#81e73b0][rid#833bdc0/initial] (4) RewriteCond: input='192.168.1.105' pattern='^192\.168\.1\.105$' => matched
192.168.1.105 - - [10/Jul/2009:20:18:16 --0400] [192.168.1.200/sid#81e73b0][rid#833bdc0/initial] (2) forcing responsecode 403 for /flowers/flowers.jpg

I should mention the PC with apache2 installed is behind a NAT router that is portforwarding 80 to 192.168.1.200.

Thanks,
Rich
flowersrj
 
Posts: 13
Joined: Tue Jun 30, 2009 5:59 pm

Postby richardk » Sun Jul 12, 2009 2:44 pm

I should mention the PC with apache2 installed is behind a NAT router that is portforwarding 80 to 192.168.1.200.

Then i don't think you can get the original source IP address.
http://en.wikipedia.org/wiki/Port_forwarding wrote:Some common caveats with port forwarding include:

* The need to forward the packets that come to the router's forwarded port as well as the need to rewrite them so that the machine to which the port is forwarded can reply to the original source address, which in turn leads to the inability of the destination (private) machine to see the actual originator of the forwarded packets, and instead see them as if originating from the router


You might be able to block the requests at the router.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

PreviousNext

Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: Google [Bot] and 2 guests

cron