logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: How to avoid bad bot request
Author
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Fri 06 Dec '13 13:01    Post subject: How to avoid bad bot request Reply with quote

Hello,

I have many line in my apache log like this :
Code:
[Thu Dec 05 22:58:39.948791 2013] [core:error]
[pid 5116:tid 1416] (22)Invalid argument: [client
108.162.215.67:34097] AH00036: access
to /+++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++ Result:+\xe8\xf1\xef\xee\xeb\xfc\xe7
\xee\xe2\xe0\xed\xfb+\xe4\xe0
....
....
....
\xe2\xea\xe8;+\xe2\xee\xe7\xec\xee\xe6\xed\xee,+\xf0
\xe5\xe3\xe8\xf1\xf2\xf0\xe0\xf6\xe8
\xff+\xed\xe5+\xf3\xe4\xe0\xeb\xe0\xf1\xfc+(\xe2
\xfb\xf1\xeb\xe0\xed+\xea\xee\xe4+\xe0\xea\xf2\xe8
\xe2\xe0\xf6\xe8\xe8+/+\xe8\xf1\xef\xee\xeb\xfc\xe7
\xf3\xe5\xf2\xf1\xff+\xe4\xee\xef\xee\xeb\xed\xe8\xf2
\xe5\xeb\xfc\xed\xe0\xff+\xe7\xe0\xf9\xe8\xf2
\xe0+/+\xf1\xe1\xee\xe9+\xe2+\xf0\xe0\xe1\xee\xf2
\xe5+\xf4\xee\xf0\xf3\xec\xe0+/register.php failed
 (filesystem path '/hyze/html/forum/++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++ Result:+\xe8\xf1
\xef\xee\xeb\xfc\xe7\xee\xe2\xe0\xed\xfb+\xe4\xe0
\xed\xed\xfb\xe5+x_fields.txt;+\xe8\xf1

...
...
...\xff+\xed\xe5+\xf3\xe4\xe0\xeb\xe0\xf1\xfc+(\xe2
\xfb\xf1\xeb\xe0\xed+\xea\xee\xe4+\xe0\xea\xf2\xe8
\xe2\xe0\xf6\xe8\xe8+'), referer:
http://forum.hyze.fr/register.php


I know this is a spam bot, but every time such bot try to suscribe on one of my forum, i get many errors in log.

Is there a way to avoid this king of request using htaccess (mod security is really hard to configure, i can't make it work with roundcube for example)
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Sat 07 Dec '13 11:45    Post subject: Reply with quote

That is a trial of hacking your server, You might use mod_security to filter and block that.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Sat 07 Dec '13 12:00    Post subject: Reply with quote

As i write, mod_security is really hard to configure. When i try to use it, roundcude stop working (roundcube is a webmail)

So, except if you can provide me a sample configuration of mod_security, wich allow roundcube working, i can't use it.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Sun 08 Dec '13 0:47    Post subject: Reply with quote

After a day, i have a mod_security rules working for roundcube, but attack continue.

Here is my mod_security conf : http://pastebin.com/88v0aD3q

And i stil receive this king of error :

Code:
[Sat Dec 07 16:54:53.336173 2013] [core:error]
[pid 5264:tid 1396] (20024)The given path is misformatted or
contained invalid characters:
[client 173.245.55.111:61462] AH00036: access
to /modules/news/submit.php+++++++++++++++++++++++Res
ult:+chosen+nickname+"Droppitnendop";+captcha+recogni
zed;+registered;+logged+in;+success;+BB-
code+not+working; failed (filesystem
path '/www/wwwbagubiz/html/www/modules/news/submit.php
+++++++++++++++++++++++Result:+chosen+nickname+"Dropp
itnendop";+captcha+recognized;+registered;+logged+in;
+success;+BB-code+not+working;'), referer:
http://www.bagu.biz/modules/news/submit.php++++++++++
+++++++++++++Result:+chosen+nickname+%22Droppitnendop%
22;+captcha+recognized;+registered;+logged+in;+success
s;+BB-code+not+working;


I don't know how to avoid it.
Can you help me please ?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sun 08 Dec '13 21:27    Post subject: Reply with quote

You can't avoid it, you have a server on the internet and it's going to accept all connections from the internet.

The thing is do you have protections against it (current versions of software, mod_security)?
As long as you have protections in place, they are not going to get very far.

You could block IPs at the firewall, but that would be like a dog chasing it's tail, or just power the server off.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Sun 08 Dec '13 22:10    Post subject: Reply with quote

I just have secure rules in mod_security (last version)
Bot protection in using mod_rewrite.
Firewall protection using iptables rules.
Apache protection using very limited right tu users.
DDOS protection using cloudflare.

I thought there was a solution to avoid misformatted url using a rule in mod_security.

If there's no way to do it, i will ignore it, but there are bunch of these lines in logs.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 12 Dec '13 23:13    Post subject: Reply with quote

Since you use iptables you must use a *nix system. There I recommend to use fail2ban. It can read the apache error log and ban IPs on the fly.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Thu 12 Dec '13 23:17    Post subject: Reply with quote

Nop, i use an asus rt-n66u as router. But a windows server behind it.

Fail2ban is wonderfull however. But if i can find a way to do the same thing on windows to control the router firewall, i will be happy.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 13 Dec '13 16:38    Post subject: Reply with quote

if you can install a samba client on the router and read the log files on the windows server it might work.
Back to top
bagu



Joined: 06 Jan 2011
Posts: 193
Location: France

PostPosted: Fri 13 Dec '13 16:58    Post subject: Reply with quote

i will look for this.
Because there is a samba server on the router, so, may be there is also a samba client.
Reading the log will be easy.
Back to top


Reply to topic   Topic: How to avoid bad bot request View previous topic :: View next topic
Post new topic   Forum Index -> Apache